“Many of those were data breaches involving the disclosure of personal information as a result of human error (such as ‘accidental’ disclosure where an employee emailed a spreadsheet externally which included customer information),” Mr Summerhayes told attendees of the CyBSA 2019 Cyber Breach Simulation Australia.
“Others, more ominously, involved a compromise of staff or customer credentials resulting in the unauthorised manipulation of records, website defacement and fraud.”
APRA regulated institutions would have been subject to “vastly more attempted cyber-attacks”, he said. It’s just that those uncovered were “the ones that succeeded – and that we know about”.
“With some cyber-incidents taking years to detect, it’s entirely possible that one of the banks, insurers or super funds has been compromised and we simply don’t know about it,” he said.
Perhaps more concerning was the fact over 70 per cent of regulated entities self-reported to APRA “compliance gaps” with the new regulation, meaning the regulator would need to “monitor progress in this area closely, seeking an independent assessment of CPS 234 compliance in due course”.
While the number of breaches — from almost 600 entities APRA regulates — wasn’t “cause for undue alarm”, Mr Summerhayes said it did reveal “areas of common weakness” among financial institutions, many of which APRA had “called out repeatedly”.
“For example, we have identified basic cyber hygiene as an ongoing area of concern,” he said, referring to financial institutions leaving themselves vulnerable to hacking.
In September, computers at major superannuation funds were allegedly accessed by a fraud ring as it siphoned off people’s super, court documents showed at the time. The country’s biggest retail sharebroker, CommSec, was also allegedly hacked by the ring and customers’ data accessed.
The super funds targeted included Club Plus Superannuation, HESTA, Hostplus, AustralianSuper and LUCRF Superannuation, although not every attempt succeeded, as some funds thwarted them.
‘Keys to the kingdom’
How some financial institutions control privileged access to their systems was “troubling”, Mr Summerhayes said.
“Handing over the ‘keys to the kingdom’ and allowing access to information and systems without tight controls around who exactly has them can only increase an organisation’s exposure to attack.”
As a result of the insights learned from the new regulation, Mr Summerhayes said APRA would be “increasingly challenging entities” in the cyber security space by “utilising data driven insights to prioritise and tailor our supervisory activities”.
“In the longer term, we’ll use this information to inform baseline metrics against which APRA regulated institutions will be benchmarked and held to account for maintaining their cyber defences. We’ve set the floor with CPS 234 and will be enforcing these legally-binding minimum standards in a ‘constructively tough’ manner.”
‘Still room for improvement’
Kevin Vanhaelen, Asia-Pacific regional director for cyber security company Vectra AI, said that 36 breaches in four months indicated that there was “still room for improvement”.
“I would bet my bottom dollar that there are more that are yet to be discovered,” Mr Vanhaelen said.
“It takes on average around 200 days before a breach is detected, the majority of which are only discovered after receiving a notification from an external party. With a cyber attack having the ability to put a bank, insurer and super fund out of business, these time frames are simply unacceptable.
“Reducing threat notification and response processes needs to move from weeks or days to minutes.”
with Sarah Danckert and Yan Zhuang
Ben Grubb is a Desk Editor/Locum Homepage Editor for The Sydney Morning Herald.