APRA and the Council of Financial Regulators will lift the intensity of cyber stress-testing this year, including ordering banks to attack themselves and report weaknesses, as Western governments fret about cyber operations by countries including China and Russia, and cyber crime gangs seeking to exploit vulnerabilities created by the coronavirus crisis.
The rising threat level comes as the federal government pushes forward with its “open banking” policy that will see banks share customer data with accredited outside parties; Mr Byres said this requires new skills and focus from regulators to limit risks.
“It is the way the world is moving and we can’t be King Canute and hold back the tide here,” he said. “It is going that way, so you have to think how you adapt. Everything is going towards digital being the primary way business is done and there has got to be a lift in focus.”
During COVID-19, Australians have had a lot to worry about – but financial services not being available was not one of them.
“That is a great credit to the industry, to keep the system running,” he said. “But it might have been different if there was a sufficient outage. If you can’t get money, the whole dynamic would be completely different.”
While payments system outages happen occasionally at all banks, they are typically quickly restored. But amid a sharp shift to electronic payments and with many consumers no longer carrying cash in their wallets, Mr Byres said he worries about the payments system being disabled for several days.
“This would be tremendously disruptive and undermine confidence in the system. So there is a big cost if that happens.”
No APRA-regulated bank, insurer or superannuation fund has suffered a material cyber breach to date, but that is no excuse for complacency: the regulator believes it is only a matter of time until a major incident occurs.
“It is not a matter of planning for if somebody gets into your system, it’s a matter of when someone gets in – and how quickly you can shut down their activity and restore it,” Mr Byres said.
Despite the looming risk of cyber attack, the Australian financial system finished 2020 in good shape and APRA wants to ensure this continues in 2021.
As coronavirus cases reappear in Sydney and Melbourne, forcing new border closures, and spiral out of control in many countries including the US and Britain, APRA is acutely aware that any volatility in global markets will reverberate in Australia regardless of the strength of the local health response.
“We are an island, but we are not completely disconnected from the financial markets and the rest of the world, and if there is a setback in the global economy, we have to be conscious of that here,” Mr Byres said.
Banks remain unquestionably strong – but big buffers will remain necessary to buttress the economy against expected shocks.
“Eventually there will be a pick-up in bad debts and that is just the natural credit cycle. When these start to hit and erode the provisioning levels, there will be a hit to capital,” he said.
While COVID-19 has created challenges for APRA’s core business of safeguarding bank balance sheets, it is also having to respond to the rapid transformation of financial services as the crisis accelerates the shift to e-commerce and digital payments.
‘It’s not like the old days’
“Increasingly, one of the challenges we have is the law, and every framework we operate in is built on the concept of a financial institution as a big, stone building, with a safe in the back and a computer in the basement,” he said.
“But it’s not like that these days. In the old days, all the key activity a bank did was done by that licensed entity. It was self-sufficient. But increasingly, we are in a world where all of those end-to-end processes are being broken down. Increasingly, things are more efficiently done at scale by partners.”
Those partners include the likes of Amazon and Google, which are pushing to store and process more banking data in their computer clouds – a shift APRA has been cautious about. It recognises banks are under pressure to cut costs in a low-rate environment, but wants to ensure they understand the new risks emerging.
This is a much more complex environment for regulators. An attack on one weakly defended institution could be used by bad actors to attack other institutions via back doors. There are 17,000 interconnected financial entities, markets and financial market infrastructure in Australia; APRA directly supervises only about 680 of them.
“You can put up strong walls but you have to assume that strong walls on their own will not be enough, and you have to know what will happen when an attacker breaches those walls: how quickly you will find out about it, and frameworks for a fast response.”
APRA’s cyber security strategy for 2020-24, released on November 26, was developed in close consultation with the Department of Home Affairs, Treasury, ASIC and the Reserve Bank, complementing the government’s strategy. APRA is seeking to influence non-banks including third-party IT suppliers, fund managers and payments companies, lifting individual accountability when gaps are found.
While the first challenge is the individual entity’s individual resilience, “ultimately you build up a picture of the capacity of the industry to deal with a co-ordinated attack”.
APRA wants bank boards to get an external audit firm to review compliance with its prudential standard on cyber security, known as CPS 234, and Mr Byres said “the time for concessions in this area is probably over”.
With APRA board member Geoff Summerhayes, who has spoken many times on the importance of cyber security and climate change, standing down after expiry of his five-year term, Mr Byres said APRA will maintain an intense focus on climate risk this year.
It plans to release a new prudential practice guide on managing climate-related financial risks soon and will require entities to undertake vulnerability assessments.
With the CSIRO and Bureau of Meteorology’s State of the Climate 2020 report pointing to warming temperatures, a drier continent in areas of the greatest population density, more intense heavy rainfall events, rising sea levels and increasing acidification of the oceans, Mr Byres said: “Climate risks will have financial implications.”
“For us there is a risk it will have implications for the value of assets, the creditworthiness of customers, the insurability of assets and the value of long-term investments,” he said.
“We don’t intend to be a meteorologist but it is inevitable [climate change] is going to impact asset values.”
The major banks faced intense questioning from climate activists on lending policies to coal and gas producers during annual meetings in December. APRA expects banks to be pricing loans for climate risk, and the regulator recognises there is a weight of money held by institutional investors connected to banks’ response to growing public pressure to shift to a zero carbon economy.