Australia's A$2.1 trillion (US$1.6 trillion) pool of retirement savings is being targeted disproportionately in serious cyber attacks on the financial sector, official figures suggest.
Banks, insurance companies, and wealth managers all face an increasingly elaborate array of cyber attacks, but a recent survey by the financial regulator shows that the superannuation industry was attacked most frequently within the sector, the Sydney Morning Herald reported, citing APRA.
While financial institutions have not yet suffered a "material" loss from these incidents, APRA plans to take a tougher line in making sure the sector can fend off cyber attacks.
APRA last month released the results of a survey looking into cyber security incidents at 37 financial institutions (with the exception of private health insurers) and how they were managed. APRA undertook the survey between last October and this March.
The findings showed that more than half of the businesses had been hit with an attack serious enough to warrant involvement from executive managers in the 12 months before the survey.
The superannuation industry was the most likely to have been hit by such an attack, with 75% of funds experiencing a cyber security "incident" that was serious enough to report to executive managers. In comparison, 44% of banks and 46% of insurers suffered incidents that were elevated to such a level.
APRA said it was possible that superannuation was more attractive to perpetrators because of the high account balances, though it also said that super funds may have a different threshold for reporting cyber breaches up the management tree than banks.
The APRA report also noted that many of its regulated entities are adopting strategies that will see more data stored and/or processed outside the perimeter of the regulated entity itself. In addition, entities are increasingly granting service providers access to their environments to perform business and technology processes. Inherently, these trends expand the attack surface for cyber adversaries to exploit, suggesting that the frequency and potential impact of cyber security incidents will continue to increase.
The survey results (in conjunction with other supervisory information) confirm that all APRA-regulated entities, and not only the largest of these entities, need to operate on the assumption that cyber attacks will occur, and that such attacks will remain a constant challenge.
Furthermore, it would be prudent for these entities to operate on the assumption that cyber attacks will become both more frequent and more sophisticated over time.
APRA said: “There is no ‘finish line’ for cyber security risk management: it is a necessary discipline with no room for complacency, and will require on-going vigilance, improvement, investment and oversight.”
APRA said boards and top managers must be well prepared for handling cyber attacks. "APRA intends to lift the supervisory and regulatory expectations for regulated entities to not only secure themselves against cyber attacks, but also to implement improved mechanisms to quickly identify and remediate successful attacks when they occur," it said.