Financial-services firms face “constructively tough” crackdown after breaches from “basic cyber hygiene” deficiencies: APRA


Loss of investor confidence from cyber attacks could hit the share prices of Australia’s financial-services giants, one analysis has suggested, as an update on APRA’s newest cybersecurity regulation revealed the sector is suffering at least nine data breaches per month.

As the regulator of Australia’s financial-services industry, APRA has been monitoring compliance with the new CPS 234 regulation, which came into effect on 1 July and has, according to executive board member Geoff Summerhayes, already surfaced 36 separate data breaches in that time.

None had resulted in “a breach material enough to threaten its viability, but I can assure you it’s not for want of trying,” Summerhayes said during a speech opening the recent CyBSA 2019 Cyber Breach Simulation Australia event co-organised by Optus Macquarie University Cyber Hub and the Trans-Tasman Business Circle.

The cybersecurity situation had evolved to the point where APRA now expects regulated entities to adopt an “assumed breach” mentality, Summerhayes said, noting that the regulator had bolstered its cybersecurity capabilities and positioned improvement of cyber resilience as one of its top four strategic priorities in its recently updated 2019-2023 Corporate Plan.

With nearly 600 entities under APRA’s watch, Summerhayes said the reported number of breaches – many of which are “relatively minor” and involved human error – “isn’t cause for undue alarm” and commended a sector that “broadly handles information security incidents well”.