Reserve Bank warns that cyber attacks risk financial stability
April 9, 2021
The Reserve Bank of Australia has highlighted cyber attacks as being a challenge for financial institutions. The report stated:
The Australian financial system has remained resilient through a tumultuous year for the economy and financial markets.
After a substantial decline in the first half of 2020, banks’ profitability recovered in the second half and analysts expect it to strengthen further in 2021. This has helped raise banks’ capital positions from already strong levels. Banks have abundant liquidity and funding. Measures of banks’ asset quality have deteriorated a little in recent months as loan repayment deferrals have come to an end and support for households and businesses has tapered. However, banks had increased their provision balances to absorb the impact of future defaults.
Available information also points to other financial institutions being resilient. The financial impacts of the pandemic tested the liquidity management of superannuation funds, but their systems proved effective in navigating this challenge (see ‘Box C: What did 2020 Reveal about Liquidity Challenges Facing Superannuation Funds?’). General insurers remain well capitalised and have increased their provisions for potential business interruption claims arising from the pandemic. However, the life insurance industry has to address longstanding issues that continue to result in losses. Financial market infrastructures have recently experienced some operational disruptions, underscoring the importance of continually assessing and improving their resilience.
There are a number of other longer-term challenges for financial institutions to manage. The risks posed by information technology (IT) malfunctions and malicious cyber attacks are growing and a significant event could threaten financial stability. Another challenge will be to manage the broad range of risks arising from climate change. These do not currently pose a substantial risk to financial stability, but they could over time if climate change risks to Australian financial institutions grow and are left unaddressed. And financial institutions need to continue to maintain a focus on governance and embed a healthy culture to address the misconduct that has become apparent over the past few years.
…………
Financial institutions need to carefully manage technology risks …
Risks to financial institutions’ IT systems – from both malicious attacks and malfunction – require ongoing attention and robust management, both globally (see ‘Chapter 1: The Global Financial Environment’) and domestically. These risks have grown as digital platforms and service channels become more ingrained and more complex and as a result of the increased incidence of remote working arrangements. They have recently been highlighted by a data breach involving a legacy file sharing service run by Accellion, a third-party technology provider, which affected a wide range of entities including ASIC and the Reserve Bank of New Zealand. The operational disruptions experienced by ASX in November (discussed above) also demonstrate the risks associated with technology malfunction. The constantly evolving nature of cyber risks means it is critical that financial institutions regularly update and upgrade their defences. In recognition of this, Australian regulators have a number of initiatives to support financial institutions’ efforts to strengthen cyber resilience (see ‘Chapter 4: Domestic Regulatory Developments’).
Cyber attacks and incidents are most likely to involve manageable financial losses for specific institutions, but they could have systemic implications in certain circumstances. To be systemic, the impact of cyber attacks and incidents would have to affect multiple institutions, either directly or indirectly. This could occur if they affect third-party providers or software used widely across the financial system. Similarly, if such an incident affected critical nodes, such as an FMI (including payment systems or CCPs) for a prolonged period it could directly impact the ability of firms and households to engage in economic activity and manage risk. The integrity of data is particularly important since it dictates the ability of banks to disburse funds or collect on monies due and, in the extreme, if violated it could raise questions about the institution’s solvency. More generally, any data breaches that cause consumers and creditors to lose confidence in the security of the financial system could see banks face liquidity challenges.
(Emphasis added)
What the RBA is saying is of course true. It has been said before. What is lacking is an effective response to the threat. Unfortunately, the RBA may suffer the fate of Cassandra, speaking the truth and predicting the future but being ignored. It won’t be alone. Law Reform Commissions and civil society groups have spoken at length about proper data security and laws that can be readily enforced by an effective regulator. Successive Federal Governments have taken but tentative steps in this regard, and many businesses continue to have a poor privacy and data security culture. Both failings result in inadequate protections.
Anaemic regulation by the Australian regulators, primarily the Information Commissioner’s Office, is a significant problem. The reality is that, with no regulatory stick, many businesses will avoid spending what is required to establish adequate protections and impose the discipline to avoid a cyber attack, especially in the area of training. The vast majority of data breaches are caused by human error.
The RBA Review has been reported in The Australian, which provides:
The Reserve Bank has fired a fresh warning to banks on cyber security, with a spate of recent high-profile attacks risking financial stability both domestically and globally.
In its latest Financial Stability Review, the RBA said that a data breach involving Accellion, a third-party technology provider, which affected ASIC and the Reserve Bank of New Zealand, was a wake-up call to financial institutions about the potential wide-reaching consequences of cyber attacks.
“Cyber attacks and incidents are most likely to involve manageable financial losses for specific institutions, but they could have systemic implications in certain circumstances,” the RBA said in its report.
“To be systemic, the impact of cyber attacks and incidents would have to affect multiple institutions, either directly or indirectly. This could occur if they affect third-party providers or software used widely across the financial system. Similarly, if such an incident affected critical nodes, such as an FMI (including payment systems or CCPs) for a prolonged period it could directly impact the ability of firms and households to engage in economic activity and manage risk.
“The integrity of data is particularly important since it dictates the ability of banks to disburse funds or collect on monies due and, in the extreme, if violated it could raise questions about the institution’s solvency.
“More generally, any data breaches that cause consumers and creditors to lose confidence in the security of the financial system could see banks face liquidity challenges.”
The RBA also revealed that it and ASIC have expressed significant concern regarding a recent ASX outage, due to technical glitches, and have asked ASX to have an independent review of the incidents conducted in the first half of 2021.
It added that the constantly evolving nature of cyber risks means it is critical that financial institutions regularly update and upgrade their defences.