NAB triples annual cyber warchest to $150m

The National Australia Bank’s (NAB) cybersecurity spend has tripled to around $150 million over the past five years, with other institutions including Westpac confirming a similar price tag to beat back intruders ranging from nation state actors to amateur hackers.

The unprecedented disclosure of the bank’s growing cyber bill was made public for the first time in evidence given to the House of Representatives’ Economics Committee by NAB’s interim chief executive and chairman elect Phil Chronican last week.

Pursued over how many staff NAB employed on the cyber front at the regular parliamentary confessional for the Big Four banks on Friday last week, Chronican took a headcount question on notice.

Instead, NAB’s respected CFO, Gary Lennon, bowled-up a dollar amount in lieu of a bodycount. 

“I'm not exactly sure of the number, but I was going to give a perspective on the quantum that we spend. We spend a significant amount on cybersecurity, and it's growing because the threat is growing. Just to give the committee a sense of it, it's in the order of $100 million to $150 million.” Lennon said.

Australia’s Big Four banks have previously declined to spell out their specific security spend, preferring instead to shield themselves with blanket statements of commitment. Which works fine on investor decks … until the CEO has to take an oath and take the stand.

“We have a huge effort in terms of cybersecurity, and that takes many forms. There is obviously intrusion protection, identifying where organisations or actors, as they're called, might come from and with what purpose,” Chronican said.

“Obviously, there are different approaches taken depending on the purpose of the intrusion. If the intent is outright fraud, then in some ways that's easier to identify—where they're after financial crime,” NAB’s chairman-waiting-said.

Westpac chief executive Brian Hartzer preferred to tell the committee about his bank’s commitment to cyber through headcount and a rising annual improvement budget.

“Cyber-risk and customer privacy is a massive agenda item for us. We invest probably $50 million a year in upgrades around our various cybersecurity capabilities,” Hartzer said.

“We have extensive teams that are dedicated to that, in terms both of monitoring activity that is going on and making improvements in our systems and processes.”

Westpac’s stated cyber figure is reflective of growth of spend rather than totality. It is understood it’s total figure is at least on par with NAB.

At ANZ, chief risk officer Kevin Corbally took one for the team.

“We have over 200 people in our cybersecurity team in the cyber command centre, working together, Corbally said.