The financial regulator has received 36 data breach notifications since APRA’s new prudential standard for cybersecurity, known as CPS 234, came into effect in July this year.
Most of the breaches were “relatively minor” and none threatened the “viability” of APRA regulated entities. But several did include fraud and the deliberate unauthorised manipulation of financial records.
APRA executive board member Geoff Summerhayes delivered the update in Sydney yesterday and warned there were likely more undetected and unreported breaches in the first four months.
“With some cyber-incidents taking years to detect, it’s entirely possible that one of the banks, insurers or super funds has been compromised and we simply don’t know about it,” Summerhayes said at the Cyber Breach Simulation Australia Sydney event.
CPS 234 requires APRA regulated institutions – around 600 institutions – to take responsibility for their information security, including defining security related roles of boards and upper management, and to notify the regulator of material information security incidents within 72 hours.
The new standard also requires entities to gain assurance from third parties for their information security and compliance. Some entities have taken a “hands on approach”, visiting external sites and conducting their own audits of third parties. And while APRA does not specifically require that, it does encourage entities to do more than take third parties’ assurances at face value.
The regulator said this week it will have more to say on how service provider management relates to CPS 234 once it has reviewed its outsourcing prudential standard, CPS 231.
Around 70 per cent of APRA regulated entities have reported gaps in their CPS 234 compliance so far and the regulator will seek further independent assessment in “due course”.
Summerhayes said APRA is concerned about the poor cyber hygiene of some institutions, including the use of systems which no longer receive security support or updates, or lack a comprehensive security patching regime.
“Some institutions still haven’t developed a complete inventory of their information assets within their IT real estate or put in place effective oversight where part of that real estate is managed by third parties,” Summerhayes said.
“This includes both cloud based services and traditional support arrangements, all captured by CPS 234. You cannot secure what you don’t understand and you are only as strong as your weakest link.”
Summerhayes said the regulator will be increasingly challenging entities on their cyber posture and will be using data driven insights to determine which entities receive more scrutiny. Eventually APRA wants to baseline metrics for cyber defences, and Summerhayes described CPS 234 as “the floor”. He said APRA will be “constructively tough” in how it regulates entities for cyber resilience.
Room for improvement
Cyber vendors say the initial figures show there is room for improvement among Australia’s regulated financial institutions.
Kevin Vanhaelen, regional director, Asia-Pacific, of network security vendor Vectra AI said the reported 36 breaches are almost certainly an underrepresentation of the actual attacks and more breaches which have already occurred will come to light in the future.
“It takes on average around 200 days before a breach is detected, the majority of which are only discovered after receiving a notification from an external party. With a cyber attack having the ability to put a bank, insurer and super fund out of business, these time frames are simply unacceptable,” Vanhaelen said.
He said it is now impossible to prevent all attacks on financial institutions and the response times need to be brought down considerably and ideally be real time.
“By stopping an attack in progress, it’s possible to limit its spread and reduce damage. A contemporary security architecture must be adaptive and integrate defence, detection, response, and learning dimensions into an iterative process.”