Banks ordered to cyber attack themselves

James Eyers, Senior Reporter


The Council of Financial Regulators demanded banks, insurers and super funds improve fortification of computer systems, issuing a detailed new framework to govern a series of simulated cyber attacks.

Banks have been ordered to adopt a proactive rather than a reactive stance to cyber security, including hiring new, independent teams of “red team” hackers to secretly deploy the latest techniques against institutions to expose weaknesses.

It comes ahead of industry-wide cyber resilience exercises to be overseen by the council - comprising Treasury, the Reserve Bank, APRA and ASIC.

Under the Cyber Operational Resilience Intelligence-led Exercises framework, “red teams”, who will be shadowed by internal “white teams”, will use “advanced adversary simulation capabilities” including seeking to hack bank staff to get access to internal networks, “simulating a real-life adversary in a production environment”.

The techniques will use “opportunistic malicious media drops and social engineering” and also “malicious insiders” to attempt to break defence policies. Once inside systems, adversaries will attempt to initiate payment instructions to steal money from banks.

While banks, insurers and some super funds already use “white hats” to try to identify vulnerabilities and attempt to penetrate systems, under the new framework, there will be fewer traditional testing restrictions and attacks will take place over longer time periods, mimicking real-world threats. Under the simulation plans, attacks will go on for 12 to 14 weeks.

The council said the simulations would re-create “tactics, techniques and procedures of real-life adversaries, creating and utilising tools, and using techniques that may not have been anticipated and planned for”.

A detailed, 67-page guide released by the council on Tuesday details the level of qualification required by analysts and bank staff participating in the program.

Biggest risk

It also contains a detailed plan for reporting and fixing issues once exposed. Regulators will receive detailed plans on all weaknesses and insist that any holes in defences are plugged via remediation plans.

“Cyber attacks are one of the top business and reputational risks for Australian financial institutions and the inevitability of one occurring grows exponentially year-on-year, despite the banking sector having some of the most mature operational risk processes and practices in place,” said Ross Lettau, vice president of cyber risk at Kroll.

“Technical testing involving external experts working closely with internal security testing teams is critical to ensuring preparedness and resilience in the aftermath of an attack. What’s needed is a stronger focus on governing remediation activity and regulation around this, and the introduction of the CFR’s cyber attack simulation framework is an extremely positive development in this regard.”

Prime Minister Scott Morrison in June indicated a foreign government was behind a series of malicious cyber attacks on Australian businesses. Suspicion fell on China.

The Council of Financial Regulators said on Tuesday cyber risk “is repeatedly classified amongst the top risks to the Australian financial system”.

“Sophisticated adversaries are continuously attacking Australian financial institutions in illegal operations that can result in substantial financial loss, reputational damage, and in a worst-case scenario impact the stability of the Australian financial markets and financial system.”

The release of the new attack simulation framework comes a fortnight after the Australian Prudential Regulation Authority warned cyber security requires much more intense focus. APRA ordered urgent audits be conducted against its prudential standard CPS 234 and warned of enforcement action against those that don't take rising security threats seriously, as it released a new, five-year cyber security strategy.

Executive board member Geoff Summerhayes said APRA was “still seeing too many basic cyber hygiene issues across the industry” and would hold boards and management accountable when CPS 234 was not being met.

All banks, super funds and insurers have been ordered to conduct independent cyber security audits against the standard from next year.

The framework document says the red team exercises will “measure the ability of an organisation to detect, respond, withstand, repel and recover from the operations of a real adversary . . . so as to maintain critical business processes and protect sensitive data”.

It says on completion of the exercises, “a report detailing industry-wide cyber resilience trends amongst financial institutions will be presented to the CFR highlighting any systemic weaknesses that may present a risk to the integrity of the Australian financial markets and financial system”.

A cyber attack against Sydney hedge fund Levitas Capital was revealed in November as one of 2000 businesses targeted by a fake email crime spree. In his speech the same month, Mr Summerhayes said it was “only a matter of time” before a major financial institution was hacked.

James Eyers writes on banking, payments and fintech. He is a former legal and investment banking editor at the AFR, has degrees in commerce and law from UNSW, and is co-author of Buy now, pay later: The extraordinary story of Afterpay. Connect with James on Twitter. Email James at jeyers@afr.com.au
