APRA is working closely with a division of the ASD known as the Australian Cyber Security Centre, which includes ASIO, the Federal Police and Defence. The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, or CISA, is an example of a comparable peer body.

The relationship between the ACSC and APRA has deepened as APRA implements a set of new standards that came into effect six months ago and include mandatory breach reporting. APRA has indicated that it is keen to see regulated entities follow the standard to the letter while it works out the kinks.

“Thus far there hasn’t been an attack here that has created a material risk or severely threatened the viability of an organisation but this is an area that is rapidly evolving. We can’t be complacent,” Mr Byres said.

“Inevitably, there are breaches but thus far they haven’t been of a nature that has been particularly problematic or threatened the operation of institutions.”

After a busy year responding to the findings of the Hayne royal commission, APRA's decision to zero in on cyber risk places it on an equal footing with financial system resilience, member outcomes in superannuation and the massive governance, culture, remuneration and accountability project.

Focus on cyber risk

APRA already works closely with members of the Financial Council of Regulators including the Reserve Bank to protect infrastructure vital to the Australian economy such as the payments system.

The focus on cyber risk sees the regulator, which has typically concentrated on the stability of the financial system, square off against nimble cyber criminals, rogue states and common crooks, all of whom are probing the defences of our banks in search of a quick pay-off or something even more sinister.

“Unlike traditional sorts of financial risk that APRA monitors such as credit risk, market risk and interest rate risk, in this case you have an active adversary trying to circumvent the controls so you have to be continually on your game,” Mr Byres said.

KPMG's national lead partner for cyber practice, Gordon Archibald, said Australia lagged its peers by about three to four years. He said the regulatory approach was not as strict as in the US, for instance, where laws were tightened after a series of well-publicised breaches, including the theft of 40 million credit card details from retailer Target.

“From a security point of view we have very robust controls but it’s also right to say there is more of a focus at the board and at the executive level in the UK and the US because of the bigger penalties,” Mr Archibald said.

New standards

The prudential regulator introduced a new prudential standard, known as CPS 234 Information Security, on July 1, 2019. Under the new rules, financial institutions are required to notify the regulator of any material cyber-security breach.

In November 2019 APRA said it had received just 36 breach reports in the first four months of the regime. APRA executive board member Geoff Summerhayes said at the time that he expected institutions to take some time to acclimatise, but that the regulator would become less accommodating as time passed.

In July 2019 only the health sector topped the finance sector for the number of breaches over the previous 12 months. The data also revealed that although six out of every 10 breaches were perpetrated by those with criminal intent, the other four were the result of human error.

Mr Byres said sometimes it was as simple as a bank employee clicking on an email they should not have, and that the new standard made it clear the bank should assume its defences had been breached and act quickly to neutralise the threat.

“You just have to assume that your defences will fail at some point. In the end it may be human error that is the trigger so the question is how quickly can you detect that it has happened and how quickly do you respond.”