


David Braue
Editor at Large

Cybersecurity breach of Australian banks is ‘inevitable’, Reserve Bank warns

News Analysis
Oct 17, 2021 | 5 mins
Cybercrime, Financial Services Industry

Australia’s financial system is high on the bucket lists of cybercriminals and nation-state actors.

A potentially destabilising attack on Australia’s financial system is “inevitable”, the country’s most senior banking institution has warned as a growing torrent of cyberattacks exacerbates the pressure on a sector that is already bracing for a surge in activity as Australians emerge from sustained COVID-19 lockdowns.

Although well-resourced large banking institutions “are generally regarded as having among the best cyber defences of any companies”, the Reserve Bank of Australia (RBA) noted in its newly released Financial Stability Review, “given the very large number of attacks, it seems almost inevitable that at some point the defences of a significant financial institution will be breached.”

The impact of such an attack would depend on the cybersecurity resilience of the institution and of Australia’s financial system, the RBA said, warning of the “systemic implications” of a breach and noting that “it is possible that a significant disruption could threaten financial stability.”

Loss of public confidence, for example, could drive “widespread stress” in the financial system while compromised confidential information could foster “severe reputational damage and reluctance from market participants to extend liquidity or credit”.

The RBA also warned that increasing interconnectedness in Australia’s financial system—which relies on a supply chain that links third-party service providers, critical financial market infrastructure operators, lenders, and counterparties—“could rapidly transmit the impact of a cyber incident from one institution to another”.

Financial services companies were the second most frequently compromised and reported 57 data breaches during the first half of this year—13% of all incidents reported—according to a recent report by the Office of the Australian Information Commissioner (OAIC).

Pawns in a global game

Just which threat actors might be targeting Australia’s banking sector, however, remains the subject of speculation—but one cybersecurity academic believes that the combination of growing awareness of financial networks as critical infrastructure, new exposure in increasingly real-time payment systems, and even the desire for cash mean that “well-equipped, well-resourced, and financially supported” nation-state actors are at the front of the queue.

“Money is the main motivator, and the real threat is coming either from organised crime groups or from ‘legitimate’ international incidents from a particular country,” said associate professor Paul Haskell-Dowling, a cybersecurity expert and associate dean at the Edith Cowan University School of Science.

“It is inevitable that, as part of their government intelligence gathering, or part of a fundraising activity, they would make an all-out attack against infrastructure that would be a really big challenge for the banking sector to defend against,” he said.

Outside attacks are only one part of the problem, however: With the recent introduction of faster payments and clearance platforms like the New Payments Platform (NPP)—and the increasing exchange of financial and personal data through third parties enabled by Consumer Data Right (CDR) legislation—Haskell-Dowling said modernisation and transformation had introduced a broad range of new points of failure.

“We’ve got so many platforms connecting into the banking system, and you’re only as strong as your weakest link,” he said. “By repeatedly requesting data from systems that provide mechanisms for extracting semipersonal information, cybercriminals will keep on looking for these opportunities or coercing or gaining access through employees into the corporate environment.”

Such incursions may already be happening on a regular basis, if the OAIC figures are any indication. Whether due to the complexity of the attacks or inadequate monitoring and detection, the OAIC noted that finance companies were the slowest of five monitored industries to identify their breaches: Just 61% of breaches at financial institutions were identified within 30 days of their occurring, compared to 92% at health service providers and 91% at legal, accounting, management, and insurance firms.

By contrast, 14% of finance-industry breaches were not identified until at least four months after they had occurred and 11% took more than a year to detect. This was longer than any other industry, suggesting that cybercriminals may be regularly embedding themselves in financial institutions that have no idea they are there.

“If you’re a criminal who is doing this kind of activity, especially if it’s a state-sponsored attack, you work very hard to keep yourself hidden from view,” Haskell-Dowling said, adding that “it certainly adds a level of gravitas when you’ve got a major organisation telling the world that there is a significant risk in the Australian market.”

Staying afloat on a rising tide

Although banks have invested heavily in cybersecurity defences to counter attackers—the NAB, for one, confirmed last year that it was blocking tens of millions of cyberattacks per month—the threat is unlikely to do anything but intensify over time.

A recent Check Point Software Technologies analysis found that Asia-Pacific countries were the second most-attacked in the world in September 2021—with 1,299 weekly attacks per organisation, a 20% increase over 2020. Australian organisations in particular are being hit, with 445 attacks per week between January 2021 and September 2021. That was a 37% increase year-on-year, and finance and banking organisations were well above that figure, averaging 655 attacks per week, up 39%.

“There’s a lot more interest in attacking major organisations to get maximum return,” Haskell-Dowling said, “and if you could get a ransomware attack hitting a major financial organisation now, the impact would be very dramatic and that could spread rapidly.”

That level of exposure is a key reason the Commonwealth government last year moved to add financial-services companies to its list of 11 critical infrastructure sectors—a designation that will eventually impose even stricter cybersecurity monitoring and reporting requirements on finance organisations, once hotly debated legislation is finally passed after industry consultation.

Given the mission-critical nature of the new environment, Haskell-Dowling said, “the RBA has done the right thing” in warning of likely major attacks on Australia’s financial infrastructure. “They have to highlight that there is a big increase in detected incidents—because you really can’t get along without banking, just as you can’t get along without electricity.”