Finally! Regulators Are Flexing Their Muscles

APRA Regulators and the OAIC CTRL Group

On the eve of new APRA regulations around cybersecurity for financial services firms, CBA has had to agree to an undertaking with the Office of the Australian Information Commissioner (OAIC). For the rest of the world, CBA is Australia’s largest bank. This is big news for those concerned about cyber compliance.

Our largest bank now has a “court-enforceable undertaking” to get its act together when it comes to securing the privacy of the personal financial information it holds on millions of Australians. It seems they have no idea where much of that information is. It could be in a filing cabinet sent to scrap.

For some background, CBA managed to lose a few backup tapes and also had some internal hack that breached customer privacy.

I am going to attempt to break down what this means with a timeline:

  • The Australian population has had enough of the misinformation and ongoing collusion of the banking hegemony
  • The Government launches a Royal Commission into the financial services industry
  • The Hayne Royal Commission’s final report was released on the 1st of February 2019. The entire Australian population was (not) shocked by the revelations. Organisations that have always had our best interests at heart, and are thereby angels, have collectively not looked after us, or our dead grandparents’ financial advice (to this day), so well? Who would have thought?
  • Probably the most disappointing part of the findings concerns the regulators that are expected to police these behaviours (e.g. APRA & ASIC, and many others. Definitely not the ATO – I have the utmost respect for our benevolent tax overlords.)
  • APRA releases a report questioning CBA’s handling of cyber risks, especially privacy
  • The OAIC receives a court-enforceable undertaking from the CBA, just one of the organisations named in Hayne, that says – we’ll do better team, promise! I mean, after all, it is an undertaking

Actually, these six not-so-easy steps have taken years to turn into a process. Justice? Not yet – where are the billions in fines and compensation for those stakeholders whose data was lost? How about some other punitive measures? But it’s a good start in any case, and there are always the class actions; maybe that’s where the justice starts.

Did I mention there are several excellent class action and also litigation funding law firms in Australia? Or that rumour has it Sydney is the second most litigious city in the world after Los Angeles? So much for the “we aren’t litigious like the US” argument that I hear and debunk all the time.

We just haven’t seen so much on the Cyber side – yet.

I find it very interesting that this has been announced just a few days before APRA’s new CPS 234 – Information Security comes into effect on July 1 2019. Yes, today. I’ve read it: very broad, good for the lawyers.

If I worked in GRC at a prudentially regulated organisation right now and wasn’t prepared, I would be scared!

Have you spoken to IT? I have actually been in meetings, requested by me, with ASX-listed companies where the CRO (or equivalent) has met the CIO (or equivalent) FOR THE FIRST TIME! Handshakes over the meeting table. Nice. Good that they met then. Oh – there is an upcoming regulatory requirement to follow certain information security things? Surely IT has that in hand. IT fixes problems and formulates strategies to make sure the organisation can operate its technology. Risk management ensures the organisation continues to exist.

Sorry operational risk, the ELT & the board – APRA is not going to blame IT for a cyber incident. They will blame you. So will the judiciary. So will the people. Have a long hard think about that. Precedent is there in the US if you don’t believe me. Actions against directors and officers for being asleep at the cyber wheel are becoming more common.

Finally, the regulators in this country are making management of cyber risk an organisational responsibility. Hopefully, this regulatory push will create some urgency, finally.

I never like to have a rant without coming up with a few recommendations:

  • Escalate your IT management, including IT security functions to the big table
  • Prepare for the worst – you already do it for crisis management, and a shooter-on-site incident will most likely be less crippling to the business than, say, losing all your customer data to the dark web.
  • Incident response planning and TESTING – your incident response strategy is only as good as its last test
  • Get some advice. Helping organisations reduce their exposure to cyber risk and respond to incidents is what we do. It is better to engage with us before the rain.
  • Remember that the only way to reduce the brand, reputation, financial and functional damage from inevitable cyber incidents is to handle them well

CBA will get through this – do you have the bench to handle a very public cyber incident?

CPS 234 is coming to get you, and after Hayne the regulators can no longer afford to be toothless tigers. APRA’s actions on CBA are a good indicator of this.


– Fergus Brooks, Chief Risk at CTRL Group