Australia’s prudential regulator has told the banks to increase IT investment, and to spend the extra money on maintaining existing systems rather than only on new technology.
Chairman Wayne Byres told the 2018 Curious Thinkers Conference in Sydney yesterday that banks' budgets need to grow to meet the competing needs of maintaining existing systems, deploying new technology and mitigating cyber security risks.
He said that while keeping the lights on was “far less exciting” and “often attract[ed] less attention”, stable investment was necessary to keep existing systems healthy and fit for purpose.
“A concern for APRA is that the understandable desire to invest in new technology-enabled products and services, coupled with the necessary investment in cyber security and risk mitigation, comes at the expense of ongoing maintenance of existing technology platforms,” he said.
“This is particularly problematic given the legacy infrastructure on which many institutions are currently operating, often a patchwork of systems that have been bolted together over many years.
“‘How should we allocate our investment’ is an important question, but a more important precursor is: ‘How much do we need to invest?’”
Byres pointed to a series of APRA reviews into banking sector systems hygiene that found a number of instances where critical systems were end-of-life or end-of-support and without funded remediation plans in place.
The reviews also showed “limited evidence” of such issues and associated risks being appropriately communicated to executives and board members.
“Overall, our reviews suggested the health of the systems environment and associated risks have not been as well understood by peak decision-makers as they should be,” he said.
“The issues we highlighted have not arisen overnight, and reflect persistent underinvestment over a number of years.
“Our review emphasises that, to facilitate new technology, investment budgets need to be increased, not just reprioritised.
“They will also likely need to be maintained at a higher level than has been the case in the past to allow for a catch up on the backlog of maintenance that is needed.”
The call to maintain investment in existing infrastructure follows one of the strongest warnings to date from the Reserve Bank of Australia that its tolerance for outages on payments systems by banks and payment services providers has reached its limit.
Underinvestment is not, however, being seen in information security: Byres said the banks have “gone to considerable effort and expense to protect themselves from cyber-attacks”.
“While that is welcome, we need to ensure it isn’t false comfort given the insidious and growing nature of the threat,” Byres said.
Changing stance on cloud
Byres' comments about the need to ensure continued investment to keep the lights on came alongside the release of an updated version of APRA’s 2015 guidance on outsourcing involving cloud computing services [pdf].
“The new paper acknowledges advancements in the safety and security in using the cloud, as well as the increased appetite for doing so, especially among new and aspiring entities that want to take a cloud-first approach to data storage and management,” he said.
The new guidance reveals the agency’s “more open stance on cloud usage” in light of improvements to security.
It splits cloud arrangements into three categories of inherent risk – low, heightened and extreme – based on the nature of the usage.
He said the agency had previously “expressed reservations about the use [sic] the cloud for initiatives with heightened or extreme inherent risk”.
But he also said that cloud was “not without risk”, and that – as with all shared service arrangements – “boards and senior management of regulated entities remain ultimately accountable for the security of their data”.
“That accountability cannot be outsourced,” he said.
Applications and data stores with low criticality and sensitivity, as well as non-production environments and websites delivering public information, fall into the ‘low inherent risk’ category, because if they were disrupted they would present a “low or negligible impact to business operations”.
However, at the extreme end of the spectrum, disruption has the potential to threaten “the ongoing ability of the APRA-regulated entity to meet its obligations”.
“Examples of extreme risk include public cloud arrangements involving systems of record which maintain information essential to determining obligations to customers and counterparties, such as current balance, benefits and transaction history,” the guidance states.