APRA Highlights Cyber Security

APRA has released the results from their 2016 Cyber Security Survey which ran from October 2015 to March 2016 to gather information on cyber security incidents and their management within APRA-regulated sectors. Respondents to the survey included 37 regulated entities and four significant service providers, covering all APRA-regulated industries, with the exception of private health insurance.

Just over half of all survey respondents – 20 regulated entities and one service provider – experienced at least one cyber security incident in the 12 months leading up to the survey that was sufficiently material to warrant executive management involvement.

Superannuation industry respondents reported a higher occurrence of incidents that warranted reporting to executive management as compared to other industries. While the underlying cause of this was not apparent in the survey results, possible explanations are that the superannuation industry is a more attractive target to perpetrators due to the relatively high customer account balances, and/or variances in reporting thresholds between the industries.

Incidents reported by survey respondents included:

  • potentially high impact incidents such as advanced persistent threats (APTs), distributed denial of service (DDoS) attacks and compromises of highly privileged access. These were experienced by a number of respondents (21 per cent) and reinforce the value of preparedness (prevention, detection and response controls) in the face of sophisticated attacks which cannot always be prevented;
  • ransomware attacks, which represent an increasing threat. The reported incidence of these attacks (14 per cent of respondents) reinforces the importance of frequent system and data back-ups as a last resort mitigation;
  • potentially reputation damaging incidents such as website defacement and social media account misuse, which were experienced by approximately 1 in 8 entities (12 per cent of respondents). Whilst these incidents have had a low impact and frequency to date, the potential reputational impact necessitates continued vigilance with respect to the management of public facing channels and services; and
  • other incidents with low impact such as compromise of client accounts, internet banking fraud, phishing and malware attacks. These were experienced by almost 1 in 4 respondents (24 per cent).

They conclude:

To date, no APRA regulated entity has suffered material losses from a cyber incident, and security controls have held up against past attacks. However, this should not provide grounds for complacency. As a result of the expanding sophistication, frequency and impact of cyber attacks, APRA-regulated entities should expect to experience significant cyber security incidents and be prepared for an evolving range of threats. APRA intends to lift the supervisory and regulatory expectations for regulated entities to not only secure themselves against cyber attacks, but to implement improved mechanisms to quickly identify and remediate successful attacks when they occur.

They rightly highlight the cultural dimensions of effective cyber security, as we discussed recently.


Author: Martin North

Martin North is the Principal of Digital Finance Analytics
