Rock IT

APRA says that financial institutions are making basic cyber security errors

APRA says that financial institutions are making basic cyber security errors

Basic ‘cyber hygiene’ is an ongoing area of concern in the financial services sector.

Since issuing their latest Cyber Security guidelines in July 2019, the Australian Prudential Regulation Authority has received 36 data breach notifications

Executive board member Geoff Summerhayes warns that local financial services providers were still making basic errors.

“With some cyber-incidents taking years to detect, it’s entirely possible that one of the banks, insurers or super funds has been compromised and we simply don’t know about it,” he said at the CyBSA 2019 Cyber Breach Simulation event.

While the 36 breaches disclosed were relatively minor, Mr Summerhayes warned that they are just the tip of the iceberg.

“To date, no APRA-regulated entity has experienced a breach material enough to threaten its viability, but I can assure you it’s not for want of trying. We’ve warned repeatedly that it’s only a matter of time until an Australian bank, insurer or superannuation licensee suffers a significant breach that, in a worst case scenario, could force it out of business,”

“It’s important to note that APRA’s regulated flock would have been subject to vastly more attempted cyber-attacks; these are just the ones that succeeded – and that we know about.”

And as it turns out, it’s the absolute basics of cyber security hygiene that has many in the sector tripping themselves up.

Lack of updates

One of the key areas of concern is running systems that are no longer supported by the vendor. This means vendors are no longer providing support and/or security updates.

Having a security patching regime is more than just selecting “automatic updates” – someone needs to be looking to see if these patches are actually occurring.

Access management is another area companies are falling short, which is fundamentally asking “who has access to what, for how long and why?”.

Breach notifications

APRA’s information security prudential standard, CPS 234 Information Security, also points out that breach notification is an important feature. The nature of breaches in 2019 shows that small mistakes in cyber hygiene can result in devastating consequences for an organisation.

“Many of those were data breaches involving the disclosure of personal information as a result of human error (such as ‘accidental’ disclosure where an employee emailed a spreadsheet externally which included customer information).

“Others, more ominously, involved a compromise of staff or customer credentials resulting in the unauthorised manipulation of records, website defacement and fraud.”

Regulated organisations are required to assess and gain assurance regarding the security capabilities of third parties that manage information assets for them.

Mr Summerhayes said that while some organisations have taken a hands-on approach, there was little room for complacency.

“We’ll leave it to organisations to determine what approach is commensurate with the impact of a security compromise.”

“However, it is not good enough to rely solely on certifications or other forms of assurance provided by third parties without considering the sufficiency of the assurance these provide in satisfying the requirements of CPS 234.”

Third-parties are the targets

Hackers are now routinely targeting third-party service providers. APRA is currently reviewing guidelines of outsourcing IT services.

Practice makes perfect

“War gaming” is seen as a crucial exercise to help the financial services sector get more prepared for a cyber attack.

With many Australian businesses never experiencing a major cyber attack this creates a serious vulnerability. Are Aussie businesses actually able to respond in the event of an attack?

Without proper planning and developing a type of “muscle memory”, many organisations may find themselves left in the dark in the event of an attack.