The Australian Prudential Regulation Authority (APRA) is “intensifying” its focus on the ability of banks but also their ecosystem of technology and other partners to be resilient in the face of increased cyber security threats.
APRA chair Wayne Byres told the 2021 AFR Banking Summit yesterday that while “no APRA-regulated bank, insurer or superannuation fund has suffered a material cyber breach yet … it’s only a matter of time until an incident occurs.”
Byres cited the recent campaign exploiting 0-days in Exchange Server as an example of the growth in cyber threats, which he said required “a continuous cycle of investment in improved practices”.
However, he also raised particular concern at the SolarWinds and Accellion breaches and, more pointedly, at the “way a cyber breach can have a cascading impact through the wider system.”
The Australian Securities and Investments Commission (ASIC) and the Reserve Bank of New Zealand were among finance sector organisations and bodies to be impacted by the Accellion hack.
During Covid-19, Byres noted, banks and their customers felt the impact of problems at third-party suppliers, such as outsourcing companies, that they relied upon for aspects of service delivery.
“Although Australians saw no material disruptions to financial services through the pandemic, there were times - particularly as countries around the world imposed widespread lockdowns which directly affected outsourced service providers - that that was only due to a lot of scrambling behind the scenes, and the relaxing of controls not previously contemplated,” Byres said.
“It was often the failure of third-party providers to meet agreed service levels, rather than failures in banks’ own operations, that created operational and processing problems.
“Covid-19 also highlighted difficulties in substituting or switching to alternate service providers in a timely manner to maintain continuity of operations.
“With an increasingly complex web of third-party relationships supporting the financial system, a key goal of ours therefore has to be to obtain better assurance as to the resilience of not just banks, but the broader ecosystem in which they operate.”
Byres said this had flow-on effects for the way APRA looks at cyber security, with more attention now paid to the ecosystem of partners that help banks function but that could also serve as vectors or pathways for attack.
“We are intensifying our focus on cyber resilience, working very closely with other arms of the Australian government,” Byres said.
“One notable aspect of our cyber supervision strategy is a focus on third party providers, not just regulated entities themselves.”
Byres said APRA is presently “conducting a comprehensive review of our prudential requirements for operational resilience” of the financial sector.
“This review will consider the introduction of a new prudential standard specifically focused on operational risk management, revisions to the existing prudential standards for outsourcing (CPS 231) and business continuity management (CPS 232), and additional guidance for entities to encourage better practice,” he said.
“We will also be looking at our pandemic planning guidance (CPG 233).
“While it more than proved its worth in the face of Covid-19, no doubt there are further improvements possible.
“Together, this package will form part of a suite of standards covering operational resilience.”