The Commonwealth Bank has called on the Federal Government to review its ageing cyber security strategy in order to protect customer information in the financial sector and ensure the local digital economy doesn’t lag behind global counterparts.
As part of several recommendations made in its submission to the federal inquiry investigating reform in the banking sector, CommBank said a review of the federal cyber security framework - last revised in 2009 - would help keep Australia up to date with not only evolving technological threats but also the pace of international peers.
“Whilst the financial system is reasonably secure, the broader and longer term view of the cyber environment is negative,” it said in the submission.
“The capability of those posing cyber threats...continues to evolve, while recent US government surveillance revelations have adversely impacted online trust. These factors could undermine development of the digital economy.
“In the meantime, the threat to Australians online has increased and Australians have become even more reliant on the internet as part of their daily lives. A re-evaluation of Australia’s cyber security strategy and program of investment would be timely.”
The then-Labor Government released its first national cyber security strategy in 2009. It commissioned a follow-up cyber security white paper in mid-2011, which was abandoned a year and a half later in favour of a "broader" discussion around the digital economy.
The 2009 strategy's objectives were to increase the nation's awareness of and reaction to cyber crime incidents, and to ensure government and local businesses operate secure and resilient IT infrastructure. It also promised ongoing reviews of Australia’s cyber security policies, programs and capabilities.
CommBank recommended the Government ensure national cyber security resilience in the banking sector by reviewing the scope, breadth and distribution of its investment in cyber security, keeping in mind the “critical role” it plays in the local digital economy; and formalise what is expected of both private sector operators and Government in the event of a cyber crisis.
“Private sector owners of critical infrastructure will be responsible for defending their own systems in the first instance, until an attack exceeds the pre-defined levels or norms,” it said.
The bank also called on the Government to promote greater public-private co-operation on cyber security, including real-time sharing of information and intelligence, and to study government incentives for the private sector to invest in cyber security, which it said would “drive a widespread lift in security standards and practices across entire industries and critical infrastructure sectors”.
More regulation for non-banks
Customer confidence in the security of the financial system would also be improved by addressing an uneven playing field with regards to the regulation of financial institutions, CommBank said.
It expressed concern over what it saw as a lack of consistent regulation for all financial system participants, specifically non-bank entities compared to authorised deposit-taking institutions (ADIs).
It said advances in technology had enabled non-bank entities to provide similar services to banks but without the same level of regulation governing customer privacy and security.
“This uneven playing field poses a risk to customers’ finances and personal information, as well as to the stability and reputation of the system. This in turn may increase costs for ADIs and customers,” CommBank said.
“Australian customers must be offered the same protection and security by new players that they receive from traditional banks. This is especially critical as many businesses increasingly use advanced data analytics on large data sets to deliver more tailored services and products.
“The use of big data to provide insight into a customer’s preferences must be carefully balanced with a customer’s right to privacy and existing obligations businesses face in the handling and treatment of such data.”
It wants the same privacy and security regulations - including supervision and monitoring - applied to all industry participants.
Information exchange needs to be modernised
Regulations need to be updated to allow financial institutions to make relevant information disclosures to customers in a variety of technological methods, CommBank said.
Financial institutions are currently required to physically or electronically mail relevant information disclosures to customers.
“The current regulatory framework results in document-centric requirements, with allowance (more recently) for electronic disclosure. The regulations and industry codes do not accommodate the variety of methods by which customers engage with financial services providers,” the bank said in its submission.
“Such a framework does not recognise the manner in which technology can better enable customers to access required information.”
It suggested reviewing legislation to deliver a “technology-neutral” approach to disclosures, which would preserve the “sent” and “delivered” concepts but allow consumers to access and retrieve relevant information via more appropriate methods.
“Technology would allow the applicable disclosure requirements to be satisfied in non-documentary forms and in ways which will assist in improving customer engagement and understanding,” it said.
“For example, smart phone users can receive videos and voice memos and, once stored or hosted, these can be accessed at any time in the future. It is also possible to provide consumers with links to content on social media platforms, with required information to consumers which can be viewed from any device.”
For disclosures such as changes to terms and conditions or product features, financial institutions could use RSS feeds, email, and system notifications to communicate the content, the bank suggested.