(Editor's Note: The original version of this article, published earlier today, contained an error about Australian companies that have experienced cyber events. A corrected version follows.)
Key Takeaways
- Cyber risks are one of the top risks for all Australian banks, including mutuals.
- The cyber threat landscape is changing. An increased adoption of third-party technologies and skills shortages may exacerbate cyber risks.
- APRA's tripartite supervisory review will lift the bar for mutuals and the banking system.
As Australian mutuals further embrace technology, their cyber threats will rise. S&P Global Ratings believes mutual banks are more vulnerable than larger peers. This is because the larger banks have bigger security budgets, better access to cyber skills and overall better defenses. Cyber attackers would be inclined to follow a path of least resistance. Consequently, mutual banks' limited financial capacity could make them easier targets for cyber-attacks in Australia.
Mutual banks are increasingly using third-party cloud-based technologies that leverage application programming interfaces (APIs), among other technologies. This is helping them meet customers' growing preferences for online banking and to streamline their operations but within their financial capacity. But it still requires cyber skills and expertise, to manage and understand the associated risks, which are short in supply, locally and globally.
Not meeting these challenges could introduce credit risk. Failure to adequately invest in cyber security could open the mutuals up to damaging cyber events.
The Australian Prudential Regulation Authority's tripartite review--a one-off requirement for regulated entities to engage an independent auditor to report on its compliance with the prudential information security standard (CPS 234)--is a key step toward lifting the bar in cyber risk management for mutuals in Australia.
Threat Landscape Reflects Increasing Cyber Attacks Locally and Abroad
The world of cyber threats is constantly changing, with more frequent and sophisticated attacks. As technology progresses, it's crucial for security measures to keep up. According to cyber specialist Checkpoint's latest research report, global cyber-attacks increased by 7% per week in the first quarter of 2023. Asia-Pacific saw the most significant year-on-year rise in weekly attacks, increasing by 16%, followed by North America with 9%.
In Australia's financial year to June 30, 2022, cyber-crime reports rose 13% and the cost per report went up by about 14%, according to government figures. We expect this trend to continue, given several high-profile cyber-attacks resulting in significant data breaches over the past year.
Some Australian Cyber-Attacks Led To Big Data Breaches
Australian companies have suffered some high-profile cyber events. These include:
Latitude Group Holdings Limited (non-bank financial institution): The attackers gained access through a major vendor, believed to be a back-end infrastructure provider, and stole about 14 million records containing personal information of customers. (See "Latitude Finance Australia's Master Trust Remains Functional After Cyber Attack," March 27, 2023)
Medibank Private Limited (health insurance): The 2022 breach occurred due to the theft of Medibank login credentials from a third-party IT service provider to gain network access through a misconfigured firewall, resulting in the compromise of personal identification data of about 9.7 million Australians and health claims data of about 480,000 customers.
The Damage To Mutual Banks Has So Far Has Been Low
To date, incidents detected at mutuals have ranged from data breach attacks to brute force attacks where cyber criminals were able to gain access to clients' accounts. The financial losses for banks have been very limited. The attacks have also been low profile, with little to no media attention, limiting reputational damages.
Data Breach And Brute Force Attacks
Data breach attack A data breach is any security incident in which unauthorized parties gain access to sensitive data or confidential information, including personal data (personal identification numbers, bank account numbers, healthcare data) or corporate data (customer data records, intellectual property, financial information).
Brute force attack In a brute force attack, the cybercriminal generally uses a program to generate and try many possible username/password combinations, hoping that at least one will help them gain access to an enterprise system. Multi Factor Authentication (MFA) can mitigate the losses from a brute force attack.
Technology Is An Important Business Driver And So The Focus Is On Cyber Risk
Mutual banks are relying more on technology to support their business models. A major catalyst is a shift in customer preferences toward digital banking, which was further accelerated by the pandemic. (Australian Mutual Lenders' Competitive Edge All But Gone, Aug. 21, 2023). To adapt, many Australian mutual banks are moving away from their end-of-life legacy core banking and loan origination systems and embracing third-party cloud-based technologies that often leverage APIs. As this shift occurs the operation of transitory parallel systems creates overlaps that increase a bank's digital attack surface.
The increasing use of third-party cloud-based services makes controlling cyber risks and data security exponentially more difficult. The strength of cyber defenses depends on the weakest link. These services include shared hosts, APIs, and other service providers, and introduce a new set of risks to be managed; hence the importance of cyber skills.
The shift to the cloud also creates dependencies by placing a sizeable portion of responsibility for cyber protection with cloud-service providers. But as cloud-service providers have to support more and more customers, securing the infrastructure becomes more challenging. It doesn't relieve a bank of the necessity to have a thorough understanding of the shared responsibility model with the cloud-services provider and to employ its own cyber-preparedness measures (including maintenance of defenses, breach protocols, and recovery planning).
Furthermore, many core banking, loan origination and cloud-based services are provided by a small number of third-party providers, and this has the potential to connect financial institutions to a common vulnerability and may contribute to a lack of substitutability if one of these third-party providers is attacked.
Cyber Risk For The Mutual Banking Sector Is Set To Increase
In our view cyber attacks on smaller Australian mutuals are set to become more frequent and complex. Cyber criminals will veer away from larger, more sophisticated banks with stronger cyber defenses, taking a path of least resistance to smaller mutual banks.
Two key factors may drive this shift. First, a higher reliance on third-party vendors and service providers will increase the complexity of mutual banks' cyber-risk profile. Second, larger players with bigger budgets, well established frameworks, and skilled and experienced teams are better positioned to invest in detection and related cyber defense.
Skills Shortages For Australian Mutual Banks Could Therefore Become A Key Weakness
Globally there is a cyber skills shortage. Huge surges in cybercrime, including ransom demands, fraud and data theft globally have increased the demand for cyber skills.
Cyber CX, a global specialist in cyber security, estimates that Australia will have a shortage of 30,000 cyber professionals over the next four years. Mutual banks will have to compete for these resources with larger banks, information technology companies and other Australian corporates.
In our view, shortages in cyber risk skills combined with a limit on cyber risk spend (relative to larger Australian banks) could become a credit weakness for some mutual banks. In our assessment of financial institutions, we aim to understand how a financial institution manages its cyber risk exposure and the measures it would take to limit the damage from an attack.
As part of our surveillance, we have observed vacancies at the chief information officer level and in some instances, and mainly the smaller mutuals banks, no dedicated chief information security officer (CISO) function. We believe these gaps will persist over the medium term. So far, these gaps have not led to any rating differentiation, but they may become a factor as the threat landscape changes.
Some mutual banks use consultants for the CISO function, full time or on an as-needed basis--often as a virtual CISO. We view the use of consultants as a workable alternative--but they must have the requisite skills. Consultants bring specialized expertise, they are objective and independent, can cost less than a full-time CISO, are familiar with industry best practice and the latest compliance norms. On the flip side, consultants may lack long-term commitment and have limited knowledge of a mutual bank's overall business operations.
Regulatory Settings Can Offset The Security-Governance Risks
In our view, the boards and senior management of mutual banks are generally aware of the cyber-risk implications of shifting technology. Mutual banks recognize technology and cyber risk as one of their top risks and in many cases have set their risk appetite for cyber risk as low.
Nonetheless, security-governance risk could weaken if some banks balk at the idea of further straining their cost structures. In our view, regulatory settings could offset some of this governance risk.
We view APRA's tripartite review as a crucial measure in cyber-risk management for mutual banks in Australia. The first round of results identified weaknesses and control gaps. As one example, some institutions failed to employ fundamental controls such as multi-factor authentication for clients.
The feedback from this exercise boosts odds that mutuals will act to close the gaps and fixed security shortcomings.
Editor: Cathy Holcombe; Lex Hall
Related Research
- Latitude Finance Australia's Master Trust Remains Functional After Cyber Attack, March 27, 2023
- Cyber Risk Insights: European Banks' IT Complexity Amplifies Risk, March 23, 2023
- Australia's Banks Are Slowly Tuning In To The Risks Of Cyber Attacks, Oct. 05, 2022
This report does not constitute a rating action.
S&P Global Ratings Australia Pty Ltd holds Australian financial services license number 337565 under the Corporations Act 2001. S&P Global Ratings' credit ratings and related research are not intended for and must not be distributed to any person in Australia other than a wholesale client (as defined in Chapter 7 of the Corporations Act).
| Primary Credit Analyst: | Nico N DeLange, Sydney + 61 2 9255 9887; nico.delange@spglobal.com |
| Secondary Contact: | Lisa Barrett, Melbourne + 61 3 9631 2081; lisa.barrett@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.