Australian Financial Regulator Says Major Cyber Breach ‘a Case of When Rather Than If’
On Wednesday, Therese McCarthy Hockey, an executive board member of the Australian Prudential Regulation Authority, the country’s financial services watchdog, issued a stark warning about the new risks to financial institutions.
Operational risks for banks have changed. Such institutions used to worry about physical risks like fires and armed robberies. Now digital risks like cyberattacks and technology failures are far bigger concerns, she said.
Australia’s Financial Institutions Are Asleep at the Wheel
Furthermore, customers rely on digital financial services more than ever, and disruptions to these services can threaten financial stability. And yet, the Australian financial sector isn’t fully cognizant of these threats, she said. In response, APRA may impose additional capital requirements on firms that don’t meet the required cybersecurity standards.
In her August 23 speech, Hockey said:
“Twelve months ago, APRA still talked about it being a case of ‘when’ rather than ‘if’ one of our regulated entities suffered a major cyber breach. We’ve now had several. The impact of these attacks was felt by many…
The scourge of scams has dramatically worsened as it was revealed Australians lost $3.1 billion in 2022 – up 80 per cent on the previous year.”
The new digital risks to Australia’s financial system are only exacerbated by the country’s reliance on digital financial services. According to a report by Australia’s Reserve Bank, only 13 percent of transactions in 2022 were made in cash.
Somewhat surprisingly, it is older Australians who have abandoned notes and coins at the fastest rate.
In fact, FIS, a financial technology company, found in a report that cash represented just six percent of Australia’s point of sale (POS) market share in 2022. This is the lowest rate of cash usage in the Asia-Pacific region and second only to Norway (four percent) among the 40 markets the report covered.
Australia is one of the most pro-cashless societies in the world. Source: Merchant Machine.
Australian Financial Regulator Wants Tougher Stance on Cybersecurity
APRA’s information security standard CPS 234, introduced in 2019, mandates that financial institutions actively assess and mitigate information security vulnerabilities. This includes ensuring that firms maintain a robust defense against cyber threats. Still, many financial institutions have yet to get the message.
But the crux is that many boards view cyber risks as just an IT issue, not a business risk, said Hockey. Boards must become more tech-savvy to provide robust oversight of cyber threats and data assets.
However, APRA’s patience is wearing thin after three years of slow progress. More entities may face stiffer capital requirements like Medibank if found significantly non-compliant.
On June 27, Australia’s banking regulator instructed Medibank to allocate an additional A$250 million ($161 million) in capital due to vulnerabilities exposed in its information security following a significant hacking breach.
Medibank revealed last year that a hacker had illicitly acquired the personal data of 9.7 million existing and past customers. The hacker subsequently released the data on the dark web, marking one of the largest-ever data breaches in Australia.
High Fines for Breaches Could Make Australia an Easy Target
As a consequence, the company now faces at least three distinct class action lawsuits in Australian courts, representing the impacted customers.
However, a tougher stance on data breaches may not always be a good thing. According to IDCare, an Australian government-backed service for victims of online data theft, it may even be counterproductive.
IDCare has said higher fines for data breaches could lead companies to pay ransoms instead of reporting attacks. This, in turn, could fuel a cybercrime wave as Australia is increasingly seen as an easy target.