A new report from Deloitte has highlighted the regulatory challenges for financial institutions in the Asia-Pacific and says regulators in the region must work with institutions and across jurisdictions.
Australian cyber security regulation has been described as “scattered” and financial systems across the Asia-Pacific must develop a unified strategy to overcome “fractured and localised” regulation, according to Deloitte's Cyber regulation in Asia Pacific report released today.
According to the report, the security of one financial institution “can be heavily influenced” by that of another financial institution, such that an institution with stronger cyber risk practices could be compromised by an attack on an institution with poorer cyber procedures.
Because financial systems were interconnected, “facilitating information sharing” across the Asia-Pacific was “the core endeavour of new regulatory proposals” regarding cyber security, the report said.
Commenting on the report, Deloitte Asia-Pacific cyber risk leader James Nunn-Price told InvestorDaily, “If someone attacks the weak link in the chain, they can get access to everything.”
For Australian banks operating elsewhere in the Asia-Pacific region, and for the region's banks operating in Australia, being subject to varying regulations in different jurisdictions could be a disorienting experience.
“It’s incredibly confusing and introduces not just challenges, but also the customer experience can be impacted,” Mr Nunn-Price said.
“If you have someone who moves from one country to another country for work or other reasons, the ability for all of that data to be shared or protected by the same standards will be different based on the country they’re in and where they’re going.”
To make matters more difficult for regulators, Deloitte Asia-Pacific Centre for Regulatory Strategy global leader Kevin Nixon said regulators were struggling to keep up with the fast-moving pace of change.
“Cyber is so rapidly evolving. It’s being defended by smart people, but there’s lots of smart people on the other side that are well-funded, well-resourced, very confident in thinking of new ways and looking for new loopholes,” Mr Nixon said.
“And so, it is not something that you are used to dealing with from a regulatory perspective, or from a bank risk management perspective.
“It’s a very rapidly changing environment.”
One key part of the report’s proposed Global Cyber Strategy Framework was “implementing effective governance”, starting from the top level down.
“[The framework] ensures that support for, and oversight of, risk management and key decisions on cyber security sit with senior management,” the report said.
In this respect, Mr Nunn-Price said investors also had a part to play in ensuring their financial institution had adequately considered cyber security risks.
“You should ask good, probing questions of management about: ‘what are they doing to protect against cyber risks?’” he said.
However, the consideration of cyber security was not limited to financial institutions: regulators, too, would need to consider the strength of their own cyber security systems.
“Let’s say you’re a regulator in Australia. With this, I’ll include all the regulators: the government, the Reserve Bank, ASIC and APRA,” Mr Nixon said.
“You see one bank go down, and suddenly another bank go down, another bank go down, and it’s no longer the bank’s problem. It’s a major problem.
“There has to be a readiness. And just as individual companies, asset managers, insurance companies need to be resilient, the regulators need to play their role, too, and they need to be cyber-ready so they can have teams that are ready to go when this stuff happens, to calm the markets and manage the situation that needs be.
“It’s not about setting regulations and leaving it up to the institutions.”