Cybersecurity and Risk in the Banking Sector
Australia’s financial system needs strong data governance to buttress against cybersecurity threats
It has escaped nobody’s notice that banking—for businesses as well as individuals—is increasingly digital.
Commentators have been quick to point out that most transactions have been digital long time. The use of cash was declining in Australia, even before the pandemic arrived and truly sounded the death knell for the days when cash was king. But well before our pandemic-fuelled enthusiasm for contact-free payment methods, digital transformation was already well underway across the financial system. Neobanks—that is, exclusively digital banks—first opened their (entirely metaphorical) doors in Australia in 2019.
Reports, analytics, records, audit trails, transactions and authorisations have all been taken digital. In terms of efficiency, effective oversight, business intelligence, and reporting, this is a good thing, and the sector usually acknowledges that. For example, in their Financial System Stability Assessment of Australia released in 2019, the International Monetary Fund stresses the growing value of robust data and analytics in systemic risk oversight.
However, the increasingly digitised nature of banking in Australia, and globally, means that the financial system has entered a new era of risk as well as reward. Although the cybersecurity of financial systems is currently an area of international interest and national concern, it is a relatively new area of legislation in Australia. The Council of Financial Regulators tells us that cyber attacks are a key area of vulnerability, only growing in frequency and severity as time goes on. Despite rising awareness of the inevitability that a cyber incident will destabilise the global financial system throughout the 2010s, contributors to the IMF blog tell us that responsibility for the digital technologies upon which we rely is poorly defined.
In part, this is because the technological landscape is subject to rapid development and in part it’s because there has not been a clear delineation of who is responsible for systems of national financial significance. The Security of Critical Infrastructure Act 2018 is an attempt to provide regulatory guidelines to address this within the Australian financial system, among other areas of critical infrastructure. By August 2024, organisations covered by this legislation will be required to have created and implemented their critical infrastructure risk management program (CIRMP), including the cybersecurity components.
As the IMF stated in its 2019 paper, robust data and analytics can help us understand risks and improve oversight. But with responsibility for cybersecurity falling upon not just regulatory agencies, but also businesses themselves, it’s important for more than just regulators to achieve a holistic and broad understanding of their risk landscape.