APRA has reiterated the need to implement appropriate cyber protection measures across all firms in its 2017 Cyber Security Survey, which surveyed 38 regulated institutions and four non-regulated financial services providers.
“While no APRA-regulated entity has, to date, suffered a material loss due to a cyber attack, the survey results, combined with intelligence from APRA’s supervisory activities, confirm that all institutions must operate on the basis that cyber attacks remain a significant threat,” read an APRA report on the survey findings.
The attacks were also likely to become more frequent and sophisticated in nature, the report said.
“Institutions must recognise there is no ‘finish line’ for cyber risk management, which requires ongoing vigilance, improvement, investment and oversight,” it said.
Findings from the 2017 survey revealed that the most common form of cyber attack was ‘ransomware and other malware’, which involves malicious software threatening to publish the victim’s data or block access to it unless a ransom is paid.
According to APRA, this “underscores the need for effective anti-malware solutions and rehearsed incident response plans, as well as the importance of back-ups which cannot be compromised by the same attack”.
The second most prevalent attack was ‘distributed denial of service’ (DDoS), whereby digital services are swamped by fake requests and locking out legitimate users, highlighting the need for “effective DDoS mitigation strategies”, APRA said.
Other types of attacks were hack of an internet-facing platform, leakage of sensitive data, phishing attacks and website defacement.
According to the report, organised crime represented the “industry’s greatest cyber concern”, with the corporate regulator urging institutions to remain vigilant.
“In APRA’s view, entities must consider both external and internal threats, with internal threats able to more easily bypass perimeter and other controls,” the report said.
“Vigilance over access management (particularly privileged access) and effective oversight of controls at trusted third parties and offshore locations is essential.”
The findings also revealed that while a majority (90 per cent) of respondents had “formalised response plans” in place, they often went untested and “lacked integration with business continuity and disaster recovery plans”.
“In APRA’s view, cyber incidents must be planned for, and response plans validated as part of an overall approach to preparing for business disruptions,” APRA said.
“Cyber risk management requires ongoing vigilance, improvement, investment and oversight.
“There is no ‘end-state’ for cyber security, requiring a continuous cycle of investment in sound practices.”
