Cyberattack on Australia's banks is inevitable – APRA

Regulator's chair tells Parliament that an attack "will happen" at some point in the future

An eventual cyberattack on one of Australia’s financial institutions is inevitable, according to the prudential regulator.

Speaking before a parliamentary committee on Tuesday, Australian Prudential Regulation Authority chairman Wayne Byres said cyber and climate risks were among the largest challenges facing the financial system, according to a report by The Australian. Byres said the financial sector had made “huge amounts of investment” in cybersecurity.

Despite that investment, Byres warned that a cyberattack on one of the nation’s financial institutions “will happen” at some point in the future.

“Financial institutions, at least in a broader context, are quite advanced [in cybersecurity], but what we also know is that, at some point, some sort of event will happen,” Byres said. “It doesn’t matter what sort of defences you put in place. As much as we focus on the defences that have been built and making sure defences and controls are as robust as they can be, it’s equally important to be investing in response capabilities so that you can identify any breaches quickly, limit the damage and work out how you will respond as efficiently and as promptly as you can.”

Byres, who will step down as APRA chair at the end of this month, said cyber risk was a “constant challenge,” The Australian reported.

“Unlike many risks that financial institutions deal with, you’ve got an active adversary that is constantly trying to defeat your improved defences,” he said. “Our observation would be that across the financial system this is taken very seriously. It’s high on the priority of all boards of all executive teams; there’s a huge amount being put into investment in improving defences, improving detection capabilities, and improving response capacity.”

Last week, S&P Global Ratings warned that data breaches remained a major risk for Australian banks, especially some regional financial institutions, The Australian reported.

Cyber criminals have hit Australia’s banks before. Three years ago, an attack on Westpac’s payments platform exposed the private information of 100,000 of its customers. Last year, ANZ said it was fighting 10 million cyberattacks each month, including phishing attempts.

In a report last week, S&P analyst Nico DeLange said the frequency and sophistication of cyberattacks on the banking sector were on the rise. DeLange said the industry “needs to collectively face the challenge and combine efforts to manage the risk.”