On Wednesday, Therese McCarthy Hockey, an executive board member at the Australian Prudential Regulation Authority (APRA), which oversees the nation’s financial services, issued a stern warning about the new threats facing financial institutions.
The landscape of operational risks for banks has been transformed. Where these institutions once concerned themselves primarily with physical hazards such as fires and armed robberies, the focus has shifted dramatically. Hockey remarked that cyberattacks and technological failures have become significantly greater concerns.
Awakening Australia’s Financial Institutions to Digital Perils
Moreover, customers’ reliance on digital financial services has reached unprecedented heights, making disruptions to these services a potent threat to financial stability. The Australian economy needs to be fully attuned to these dangers, she asserted. In response, APRA is contemplating imposing additional capital requirements on firms that fall short of the required cybersecurity benchmarks.
During her address on August 23rd, Hockey stated:
“Twelve months ago, APRA still talked about it being a case of ‘when’ rather than ‘if’ one of our regulated entities suffered a major cyber breach. We’ve now had several. The impact of these attacks was felt by many.
The scourge of scams has dramatically worsened as it was revealed Australians lost $3.1 billion in 2022 – up 80 per cent on the previous year.”
The new digital hazards confronting Australia’s financial system are further magnified by the nation’s heavy reliance on digital financial services. A Reserve Bank of Australia report reveals that merely 13% of transactions in 2022 were conducted with physical currency.
Notably, the most rapid abandonment of banknotes and coins has been observed among older Australians.
Indeed, a study conducted by financial technology firm FIS found that cash accounted for a mere 6% of Australia’s point-of-sale (POS) market share in 2022. This is the lowest cash usage rate in the Asia-Pacific region and, among the 40 markets scrutinised in the report, second only to Norway’s 4%.
Elevating Cybersecurity: APRA’s Insistence and Challenges
APRA’s information security standard, CPS 234, established in 2019, mandates that financial institutions proactively assess and mitigate vulnerabilities in information security. This encompasses the establishment of robust defences against cyber threats. Despite this, many financial institutions have yet to internalise this directive fully.
However, the crux of the matter is that several boards perceive cyber risks as an issue relegated solely to information technology rather than a broader business concern, Hockey noted. Boards must acquire greater technological acumen to comprehensively oversee cyber threats and data assets.
Nevertheless, APRA’s patience has worn thin after three years of sluggish progress. More entities could face heightened capital requirements similar to Medibank’s fate if deemed substantially non-compliant.
On June 27, the Australian banking regulator instructed Medibank to allocate an additional $161 million in capital due to vulnerabilities exposed by a major hacking breach that impacted its information security.
In the preceding year, Medibank disclosed that a hacker illicitly acquired the personal data of 9.7 million present and past customers. Subsequently, the hacker released this data on the dark web, constituting one of Australia’s largest-ever data breaches.
Balancing the Consequences: Stricter Fines and Unintended Outcomes
Adopting a more stringent stance on data breaches might not always yield favourable outcomes. According to IDCARE, an Australian government-supported service for victims of online data theft, this approach could potentially backfire.
IDCARE contends that escalated fines for data breaches might prompt companies to pay ransoms instead of reporting attacks. This unintended consequence could fuel a wave of cybercrime as Australia increasingly becomes perceived as an easy target.