Australian financial institutions are among the top global cyberattack targets, according to an APRA board member.
Geoff Summerhayes, APRA executive board member, said that APRA-regulated entities are a major target for cyber criminals because of their wealth and technology take-up.
“Australian financial institutions are among the top global targets for cyber criminals,” Summerhayes said. “Australia is targeted due to its relative wealth and take-up of digital technologies, while financial institutions are attractive to criminals seeking money or personally identifiable information on customers – something insurers hold in spades.
“Taking all of this into account, APRA views cyber risk as an increasingly serious prudential threat to Australian financial institutions. To put it bluntly, it is easy to envisage a scenario in which a cyber breach could potentially damage an entity so badly that it is forced out of business.”
Summerhayes, speaking at the Insurance Council of Australia Annual Forum, told attendees that APRA considers the chance of a financial institution being put out of business due to a cyberattack “remote” but “it is no longer beyond the realms of possibility.”
“Despite this, APRA believes cyber security is generally well-handled by the entities we regulate,” Summerhayes continued. “The prudential risk is less due to a lack of preparation by industry than the pervasive nature of the threat.”
While Summerhayes noted that most businesses are prepared, he warned that complacency on cyber security could be fatal for businesses. Summerhayes said firms should look to adopt an “assumed breach posture” to help stay alert to ever-changing threats.
“Adopting an assumed breach mentality will create a sharper focus on incident detection and response capabilities and planning,” Summerhayes said. “This accelerating risk requires a rapid response, but also recognition that your stamina will be sorely tested. The challenge requires ongoing vigilance, improvement, investment and oversight because, though this race has no finish line, it’s not a contest you can afford to lose.”
Summerhayes also announced that APRA would launch its first prudential standard on information security.