With more companies reporting cyber breaches, banks have started focusing more on addressing cyber risks, according to S&P Global Ratings' (S&P) latest report.
The report warned that banks – especially the big four banks of Commonwealth Bank of Australia (CBA), National Australia Bank (NAB), Westpac, and Australia and New Zealand Banking Group, which dominate the industry with around 76% of banking system assets – are attractive targets because many participate in direct payments. Therefore, a successful cyberattack on even one lender could affect the Australian financial system.
“An attack on a third-party service provider could also cripple banking operations. Many smaller banks use the same content delivery networks (e.g., Akamai, which saw a major outage in 2021), cloud-based service providers (such as AWS), or providers of software as a service for core banking systems (e.g., Temenos or Data Action, which is especially relevant for smaller and regional banks),” the report added.
Another factor intensifying concerns about cyberattacks is the cyber-skills shortage. The cyber-skilled workforce gap totals around 2.7 million people globally, driven by the rise in cyber incidents and by new cyber security and data privacy laws forcing organisations to protect their data more closely. Banks also compete for these skills with the information technology sector, which is experiencing increasing demand for them.
Despite increased concerns about cyber risks, the report deemed the overall risk for the Australian banking system low.
“This is because of early steps taken to strengthen cyber risk management, strong industry collaboration, and the strong capitalization of the banking system,” the report said.
For example, in March 2019, the Australian Council of Financial Regulators – composed of the Australian Prudential Regulation Authority (APRA), the Reserve Bank of Australia (RBA), the Australian Securities and Investments Commission (ASIC), and the Federal Treasury – established a cyber security working group to design a framework for improving cyber resilience in the Australian financial services industry.
The Australian Department of Home Affairs also encourages critical infrastructure asset owners, including banks, to voluntarily report cyber security incidents to the Australian Cyber Security Centre (ACSC) even if the threshold for mandatory reporting is not met.