APRA says it is “only a matter of time” before a major Australian bank goes down in a cyber attack. 

Australian Prudential Regulation Authority (APRA) chair Wayne Byres says hackers have not yet inflicted lasting damage on Australia’s banks.

“No APRA-regulated bank, insurer or superannuation fund has suffered a material cyber breach yet, but it’s only a matter of time until an incident occurs,” Mr Byres said at a business summit last week. 

Mr Byres said banks needed to monitor suppliers carefully.

“Moves by state-sponsored hackers and criminals to exploit a vulnerability in Microsoft Exchange are a timely reminder that cyber threats continue to grow, requiring a continuous cycle of investment,” Mr Byres said.

Australian Banking Association chief Anna Bligh says the COVID-19 pandemic created a perfect storm for banks, with employees and customers spending more time online.

“During the last 12 months, every bank has had an escalation in cyber attacks, and in hacking and in scams on customers. You know, this has been a smorgasbord,” Ms Bligh said.

“For all of those elements, whether it’s the nation-state actors, or just bad guys sitting in a bedroom somewhere, it’s been very rich pickings throughout on a global scale.”

APRA deputy chair John Lonsdale says cyber matters are among the regulator’s top priorities.

“There is a lot more to do, it is the sort of thing where the job is never done,” Mr Lonsdale said.

He said APRA is working with the Council of Financial Regulators (whose members include the Reserve Bank and the Australian Securities and Investments Commission) to conduct “penetrative testing” of regulated entities.

“We think the risks have escalated since COVID, the economy has moved to the cloud, much more digitisation, changes in the way people are working with working from home,” Mr Lonsdale said.