As one of the most critical sectors in any modern economy, it should be unsurprising that the banking sector is the proving ground for successfully navigating cyber security threats. According to the OAIC, it’s the second-most targeted sector, with 10% of all attacks targeting finance.
It is also of intense interest to the regulators for this reason.
Earlier this year, the Australian Prudential Regulation Authority (APRA) highlighted cyber security as a key area of focus, emphasising the need for robust operational resilience and governance. The key priorities for APRA, according to its most recent guidance, is:
- Operational and cyber resilience for all regulated entities, reflecting the growing reliance on digital technologies by entities and the community;
- Embedding lessons from last year’s global banking turmoil through targeted changes to the prudential framework for authorised deposit-taking institutions;
- Lifting superannuation trustees’ practices on retirement incomes, implementing recommendations from the Financial Regulator Assessment Authority (FRAA) review, enhancing transparency and aligning APRA’s heatmaps with the performance test; and
- Across insurance, continuing to balance financial sustainability with the need to enhance affordability and availability.
Meanwhile, the Reserve Bank of Australia has made it clear that cyber security is becoming more difficult in the sector. Cloud and AI, in particular, are creating “operational risks” with potential “systemic implications,” according to the organisation.
Some banks are working on addressing these challenges by partnering closely with the industry. For example, the CBA recently announced that it was deepening its relationship with Microsoft to both boost the customer experience and tackle issues around cyber security and sovereign capabilities in AI.
There is also deeper industry partnerships. Banks are actively working with telcos, major national retailers and others as part of a National Cyber Intel Partnership. This is part of the Australian government’s broader Cybersecurity Strategy 2023 – 2030 and works on the idea that the pooled resources and efforts will result in a national standard for cyber security.
But while the work being done to build a national response to cyber threats is admirable, it’s also important for every organisation to understand where the threats are coming from to the banking sector and what their own risk profile is.
Here are the top cybersecurity risks and threats that the banking sector must prepare for:
- Mobile Banking Vulnerabilities: With the rise of mobile banking, ensuring the security of mobile platforms is paramount. Banks must safeguard against malware, data leakage, and unauthorised access to customer information.
- API and Third-Party Integration Risks: The integration of third-party services via APIs can introduce new vulnerabilities. Banks need to enforce strict security protocols and continuous monitoring to prevent breaches.
- Phishing: It seems incredible, but phishing is still one of the most effective approaches for cyber criminals. In a bank with a few thousand employees, often distributed across many branches, it only takes one to click on the wrong attachment in an official-looking email for the network to become compromised. Ongoing education and, critically, real-time monitoring for emerging threats is key.
- Cloud-Specific Threats: As banks transition to cloud services, they must address cloud-specific vulnerabilities, including data breaches, insecure interfaces, and account hijacking. This will involve a move to zero trust for authorisations, and a change management programme to ensure that the staff are comfortable with the use of multiple-form authentication.
- Security response: With the expectation that “an attack is not a matter of if, but when,” the response to those attacks is more critical than ever. Financial services organisations need to maintain an updated response plan, and ensure that their backup environment is properly managed, including an air gap to the backups, with the tested ability to restore an environment quickly.
While the security threats that face the banking sector are proliferating, and boards and executives are even more fixated on the cyber security risk than in other sectors, banking is also one of the sectors that is most challenged by disruption. Non-banking competitors and fintech applications are challenging the incumbents in the way that they provide excellent customer service built on digital capabilities.
For banks, embracing the capabilities of a digital, connected world is not optional. The banks do have an advantage in that they have the resources and capabilities to invest in true innovation, and this is why cyber security is an opportunity, rather than an obstacle for them. The banks can move to build resilience against the existing and emerging threats in 2024, while staying compliant with Australia’s shifting regulatory environment and keen interest from the government agencies.
