Financial institutions and regulators must urgently strengthen their online platforms to protect their customers, themselves and the entire financial system from cyber-attacks, which are increasing in frequency and sophistication.
The Reserve Bank of Australia recently warned that, given the number and severity of cyber-attacks, “it seems almost inevitable that the defences of a significant financial institution will be breached at some point”.
An attack could take the form of a ransomware-style attack, which could target back-end (server) infrastructure or have a cross-branch front-office impact. Although a back-end attack would be less “visible” to the consumer, either could badly affect banks’ operations. Alternatively, supply-chain attacks involving providers feeding into the banking system could be used as a launch point into the banks’ systems.
These threats are being driven by the expanding technological capability and sophistication of cyber criminals and state-sponsored attackers. On the other side of the battle lines, potential vulnerabilities have grown during the COVID pandemic, due to the increased use of electronic financial services and the rise in remote working by employees, whose home systems generally lack the cyber security defences of large corporations.
Poor security is like an open door to a determined hacker, who has no need for balaclavas and shotguns to steal your funds or private information. Rather than blowing open the door of a safe, a cyber-criminal can access your bank account online from another country, leaving no sign that they have been inside your account until it’s too late.
In 2019, the National Payments Platform was compromised when criminals used online bank accounts to carry out more than 600,000 lookups and match thousands of account names with email addresses and phone numbers. The hackers carried out the lookups over the course of six weeks, reportedly by simply entering phone numbers in sequential order.
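The pattern described above (a high volume of lookups from ordinary customer accounts, walking through phone numbers in order) is the kind of thing a payments operator can catch in its own lookup-service logs well before six weeks have passed. The following is an added example, not code from the article or from any payments operator; it assumes a hypothetical log format of timestamp, source account, queried number and match result, and runs over a small constructed log embedded in the script. It flags accounts on two independent signals: a burst of lookups in a short window, and a run of queried numbers that step by exactly one.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lookup-service log lines (not real data). Each line:
# ISO timestamp, source account, queried phone number, match/nomatch.
# acct-1001 walks consecutive numbers quickly; the other two look like ordinary use.
SAMPLE_LOG = """\
2019-03-01T09:00:00 acct-1001 +61400000101 match
2019-03-01T09:00:02 acct-1001 +61400000102 nomatch
2019-03-01T09:00:04 acct-1001 +61400000103 match
2019-03-01T09:00:06 acct-1001 +61400000104 match
2019-03-01T09:00:08 acct-1001 +61400000105 nomatch
2019-03-01T09:00:10 acct-1001 +61400000106 match
2019-03-01T09:15:00 acct-2002 +61411223344 match
2019-03-01T10:40:00 acct-2002 +61455667788 nomatch
2019-03-01T11:02:00 acct-3003 +61490001234 match
"""


def parse_log(text):
    """Parse log lines into (timestamp, account, phone_as_int, matched) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, phone, result = line.split()
        records.append((datetime.fromisoformat(ts), account,
                        int(phone.lstrip("+")), result == "match"))
    return records


def account_stats(records):
    """Per-account counters: total lookups, peak lookups in any 60-second window,
    and the fraction of consecutive lookups whose numbers differ by exactly 1."""
    per_account = defaultdict(list)
    for ts, account, phone, _matched in records:
        per_account[account].append((ts, phone))
    stats = {}
    for account, items in per_account.items():
        items.sort()
        times = [t for t, _ in items]
        phones = [p for _, p in items]
        # Peak number of lookups inside any sliding 60-second window.
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > timedelta(seconds=60):
                start += 1
            peak = max(peak, end - start + 1)
        # Fraction of successive queries that advance the number by exactly one.
        steps = list(zip(phones, phones[1:]))
        sequential = sum(1 for a, b in steps if b - a == 1)
        seq_fraction = sequential / len(steps) if steps else 0.0
        stats[account] = {"count": len(items), "peak_per_minute": peak,
                          "sequential_fraction": seq_fraction}
    return stats


def flag_enumeration(records, min_count=5, max_per_minute=5, min_seq_fraction=0.8):
    """Return {account: [reasons]} for accounts whose lookup pattern suggests
    bulk enumeration rather than a customer confirming a single payee.
    Thresholds are illustrative assumptions, to be tuned against real traffic."""
    flagged = {}
    for account, s in account_stats(records).items():
        reasons = []
        if s["peak_per_minute"] > max_per_minute:
            reasons.append("burst: %d lookups within 60s" % s["peak_per_minute"])
        if s["count"] >= min_count and s["sequential_fraction"] >= min_seq_fraction:
            reasons.append("sequential: %.0f%% of lookups step by +1"
                           % (100 * s["sequential_fraction"]))
        if reasons:
            flagged[account] = reasons
    return flagged


if __name__ == "__main__":
    for account, reasons in flag_enumeration(parse_log(SAMPLE_LOG)).items():
        print(account, "->", "; ".join(reasons))
```

Two separate signals are used deliberately: a slow enumerator can stay under any rate limit, as the six-week campaign above did, but still leaves the sequential-number fingerprint, while a randomised enumerator defeats the sequence check and is caught by volume. Either signal is a reason to throttle the account's lookups and review it, not to block a customer outright.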
It was the large-scale, high-profile attacks that grabbed the headlines in 2020-21, including SolarWinds and those affecting Accellion and Microsoft Exchange. There were also instances of system malfunctions leading to the release of confidential information by the cryptocurrency exchange BTC Markets and financial research firm Morningstar.
By comparison, to date, cyber incidents have caused only limited disruptions and losses for a small number of financial institutions. This is partly because the big banks and other financial institutions devote significant resources to cyber defence, and indeed banks are generally seen as having better cyber defences than most companies.
Nevertheless, the Australian Cyber Security Centre (ACSC) observed that, on average, cyber incidents affecting the Australian financial sector had a greater impact in the 2020-21 financial year than in the previous year.
The risks are growing partly because the financial system is relying more on digital platforms and service channels, which have become increasingly interconnected and complex. This interconnectedness – including through a network of third-party service providers, lenders and counterparties – could rapidly transmit a cyber attack from one institution to another.
For example, several banks may rely on real-time payments from a major participant in the wholesale settlement system which, if incapacitated for a prolonged period, could put pressure on intraday liquidity. In addition, an inability to substitute away from a key institution or service provider could cause severe operational disruptions at other institutions along the supply chain.
Such an event would ricochet through the system. A loss of public confidence could lead to widespread stress in the financial system. Compromised confidential information could lead to severe reputational damage and reluctance from market participants to extend liquidity or credit to businesses, harming economic activity.
A major outage can cause significant challenges for consumers, including lack of access to money and services. Personal finances should be safe under the Financial Claims System, but this assumes there is clear evidence that the losses were not incurred by the account holder themselves.
Whether such an attack could result in systemic financial instability would depend partly on the cyber resilience of that institution. In Australia and internationally, financial institutions and regulators are focusing on strengthening the resilience of individual institutions and the ability of the financial system as a whole to withstand a substantial cyber-attack.
Cyber-security is a major focus of the Council of Financial Regulators (CFR), the coordinating body for Australia’s main financial regulators. The CFR’s Cyber Security Working Group is developing a Cyber Attack Incident Response Protocol, which will coordinate CFR members’ responses to a significant cyber-attack affecting one or more regulated entities. A draft Protocol is expected in coming months.
CFR agencies are also working closely with the Australian government to develop new cybersecurity obligations for “critical infrastructure” assets; legislation to enable the reforms is currently before Parliament. The reforms will bring financial services and markets within the scope of Australia’s critical infrastructure regime and could place additional cyber-security obligations on the most critical entities in the financial sector.
The federal government recently announced that companies with annual turnover of $10 million or more will be required to report ransomware attacks. These mandatory reporting rules will be backed up by changes to the criminal code. Such changes will help, but Australia still faces jurisdictional challenges, since most major incidents link back to global cyber-crime groups operating outside the country.
Potentially most serious would be an attack on the Reserve Bank itself. The RBA has a wide remit, plus responsibility for fiscal stability. It holds a very large volume of sensitive materials that are also essential to its operations, making ransomware a major potential risk. As well, the RBA provides services and facilities to banks and the government and is responsible for significant amounts of Australian currency. If the bank were locked out of its systems and unable to move physical cash around, this could cause significant issues for certain groups of consumers.
Clearly, the risks are real and the stakes are high. There is no room for complacency in the face of threats that could cripple the nation’s business and consumer activity. Action is needed now to prepare for attacks that are, unfortunately, just a matter of time.
Paul Haskell-Dowland is Associate Dean for Computing and Security at Edith Cowan University.