The new regulations come after recent ransomware attacks significantly impacted media monitoring organisation iSentia and freight company Toll. According to Scamwatch, business email compromise scams have netted crooks a total of $132 million in Australia, while recently Sydney hedge fund Levitas Capital folded after mistakenly paying out $8.7 million to attackers.
Mr Summerhayes said a major attack on a bank was only a matter of time, while Home Affairs Minister Peter Dutton has said cyber attacks on critical infrastructure were on the rise.
He added that the once-off audits were being mandated because while many organisations were reporting positively on their compliance, subsequent reviews almost always uncovered significant weaknesses.
“At one level this exercise is about identifying compliance issues and ensuring they are rectified in the shortest period of time to protect companies and the wider system,” he said. “At another level, it’s sending a message about the seriousness of this issue, and the need for greater accountability.”
APRA’s CPS 234 standards require companies to maintain security capabilities and evaluate the security of third parties, have policies and management plans in place, conduct regular tests, and have mechanisms to notify the regulator and other relevant bodies of incidents as they occur.
Independent security researcher Troy Hunt said phishing and social engineering attacks meant industry-wide changes may be required to keep consumers and investors safe, such as giving more insight into who owns accounts and where money is going.
“How accountable should a financial institution be, if someone is defrauded largely due to being socially engineered? If they say ‘yes I’m going to pay money to this bank account number’, [and it goes to criminals], where does the accountability lie?”
“All banks get targeted with this, and all banks have customers that are impacted by this, and particularly if we get to the point of intrabank transfers, that fraud cost even on second parties would have to mount up over the course of many different incidents.”
Daniel Lai, chief executive of Canberra-based security tech company archTIS, said lax cyber preparedness was a perennial problem for the financial services industry.
“There must be a concerted effort to both increase cyber awareness in staff training and practices, as well as ensure that critical systems and disaster recovery protocols are in place, to help ensure Australia’s financial services sector can remain resilient in the face of a persistent, hostile threat.”