While taking significant strides to modernise technology, the financial services sector faces new challenges in managing its cyber risk due to increased regulatory attention. Our report, Perspectives on Cyber Risk 2021, explores the state of cyber risk in 2021, looks at upcoming regulation and trends, and identifies what institutions can do to manage the risk.
The financial services sector has a high reliance on digital products and the collection and storage of client sensitive data. As a result of this, internal IT platforms are subject to an increasing number of sophisticated cyber attacks. Now more than ever, the sector needs to increase its focus on cyber security risk.
According to the OAIC’s Notifiable Data Breaches Report for July to December 2020, the financial services sector recorded the second highest number of data breaches across all industry sectors. Unlike in other industries, however, malicious or criminal attacks were the most common source of data breaches, accounting for 66% of reported incidents. For other sectors, human error was the largest cause of incidents.
“[Cyber attacks are] the biggest single issue … or threat if you like, in banking today.”
Regulatory focus on cyber security
Regulators are paying closer attention, with increased scrutiny and enforcement action regarding cyber security.
ASIC took its first action in 2020 against an Australian financial services licensee (AFSL) after various cyber breaches in the company’s authorised representative networks.
“We expect to see a heightened degree of focus on cyber security and resilience policies, governance and documentation developed by AFSL holders, including those with an authorised representative network.”
APRA prudential standards aim to ensure that financial services institutions (FSIs) implement appropriate security measures to mitigate against data security incidents. In particular, APRA Prudential Standard CPS 234 applies to all APRA-regulated entities and requires FSIs to develop and maintain security protections that are appropriate, having regard to the importance of the data they hold and the seriousness of the threats that they face.
In November 2020, APRA announced that, commencing in 2021, it would be requesting one-off tripartite independent cyber security reviews across all of its regulated industries. APRA will be asking boards to engage an external audit firm to conduct a thorough review of their CPS 234 compliance and report back to both APRA and the board.
Legal exposure and personal liability for directors
Cyber security is a material risk and governance matter for boards and executives. For directors and accountable persons under the Banking Executive Accountability Regime (BEAR) and the Financial Accountability Regime (FAR), the risk is compounded.
Directors face personal liability for breach of their obligations under section 180 of the Corporations Act to exercise their powers and discharge their duties in ensuring an appropriate standard of cyber security and cyber resilience.
In order to discharge their obligations, directors need to understand the institution's cyber risk profile and the threats that it faces, and satisfy themselves that the protections and risk mitigations in place are adequate.
What FSIs should be doing to mitigate cyber risk
There are a number of actions that institutions in the financial services industry can take to help manage cyber risk. These include:
- Testing and verification. FSIs should regularly test and verify their internal security measures, as well as monitor external sources for information about newly discovered security vulnerabilities.
- Review of third party security practices. FSIs should exercise care and conduct security due diligence before integrating their systems with those of third parties.
- Supply chain protection. FSIs should take steps to ensure that their supply chains do not expose them to systemic vulnerabilities.
- Internet of Things preparedness. FSIs should maintain adequate security baselines, implement effective perimeter defences, and be cognisant of consumer privacy requirements when implementing mobile technologies.
- Mitigation tools. FSIs should consider the use of data analytics and other tools to mitigate against cyber and other risks to their organisations.
- Cyber risk governance. Institutions need to ensure that cyber risk is a priority for their boards and that they understand and are meeting their regulatory obligations.
Our report, Perspectives on Cyber Risk 2021, explores these issues and more, analysing data and trends from our research, surveying the changes and regulatory landscape, and considering some of the key steps organisations can take to manage the risk.