Cybersecurity and Risk in the Banking Sector
Australia’s financial system needs strong data governance to buttress against cybersecurity threats
It has escaped nobody’s notice that banking — for individuals as well as businesses — is increasingly digital.
Most transactions in Australia have been digital for a long time. The use of cash was declining even before the pandemic arrived and truly sounded the death knell. But well before our pandemic-fuelled enthusiasm for contact-free payment methods, digital transformation was already well underway across the financial system. Neobanks — that is, exclusively digital banks — first opened their (entirely metaphorical) doors in Australia in 2019.
Reports, analytics, records, audit trails, transactions and authorisations have all gone digital. In terms of efficiency, effective oversight, business intelligence, and reporting, this is a good thing, and the sector usually acknowledges that. For example, in its Financial System Stability Assessment of Australia released in 2019, the International Monetary Fund stresses the growing value of robust data and analytics in systemic risk oversight.
However, the increasingly digitised nature of banking in Australia, and globally, means that the financial system has entered a new era of risk as well as reward. Although the cybersecurity of financial systems is currently an area of international interest and national concern, it is a relatively new area of legislation in Australia. The Council of Financial Regulators tells us that cyber-attacks are a key area of vulnerability, only growing in frequency and severity as time goes on. Despite rising awareness throughout the 2010s that a cyber incident will inevitably destabilise the global financial system, contributors to the IMF blog note that responsibility for the digital technologies upon which we rely is poorly defined.
In part, this is because the technological landscape is subject to rapid development and in part it’s because there has not been a clear delineation of who is responsible for systems of national financial significance.
In Australia, the Security of Critical Infrastructure Act 2018 attempts to provide regulatory guidelines to address this within our own financial system, among other areas of critical infrastructure. Organisations obligated by this legislation are now required to have created and implemented their critical infrastructure risk management program (CIRMP), including its cybersecurity components. Payment system resilience is also a key driver behind Australia’s recently proposed cash acceptance mandate, which is slated to commence in January 2026, should it pass into law.
As the IMF stated in its 2019 paper, robust data and analytics can help us understand risks and improve oversight. But with responsibility for cybersecurity falling upon not just regulatory agencies, but also business, it’s important for more than just regulators to achieve a holistic and broad understanding of the emerging landscape of risk.