RBA says major cyber attack against the banks 'almost inevitable'

The Reserve Bank of Australia has warned that a significant cyber security attack against one of the nation’s banks is all but “inevitable” given the year-on-year growth in the number of attempted hacks.

The central bank sounded the alarm in its latest financial stability review [pdf], which said that such an event “could lead to a widespread stress in the financial system” due to a loss of public confidence.

It said that while incidents have been limited to date, and have caused only limited disruptions and financial loss, “the potential for systemic implications is at some point inevitable”.

“Large financial institutions can devote significant resources to cyber defence, and so are generally regarded as having among the best cyber defences of any companies,” the report said.

“However, given the very large number of attacks, it seems almost inevitable that at some point the defences of a significant financial institution will be breached.

“Whether such an attack could result in systemic financial instability will depend not only on the part of the financial institution or system impacted and potential network effects, but also the cyber resilience of that institution and financial system."

The bank cited the rise in ‘moderate’ and ‘substantial’ cyber security incidents reported to the Australian Cyber Security Centre (ACSC) between 2019-20 and 2020-21.

“The ACSC observed that in the 2020-21 financial year, cyber incidents affecting the Australia financial sectors had on average a greater impact compared with the prior year,” the report said.

“There were several large-scale, high-profile attacks in the financial year – including those affecting Accellion, Microsoft Exchange and SolarWinds – as well as instances of system malfunctions.”

The report said that “changes to business operations” and remote working during the pandemic had accentuated vulnerabilities, though risks have been growing organically for some time.

“The risks to IT systems from both malfunctions and cyber attacks are rated as a key concern by financial institutions, regulators and governments,” the report said.

“These risks have grown as digital platforms and service channels have become more important to economies and are increasingly interconnected and complex.”

The report added that any “compromised confidential information could lead to severe reputational damage and reluctance from market participants to extend liquidity or credit”.

The growing interconnectedness of the financial systems also means that the impact of a cyber attack could “rapidly transit… from one institution to another”.