BANKS will tell you that, yes, bank branches have to go because they’re too expensive to run and banks need to spend up big on cybersecurity, protecting your money as it swashes through cyberspace on its merry way to pay bills and what have you.
Here’s Anna Bligh, CEO of the Australian Bankers Association, on ABC radio on 7 February this year: “…bank branches make banks very visible. But in fact, what your banking service is now and increasingly, we carry our bank branch in our pocket or our handbag and our mobile phones, and keeping that safe, keeping you know, keeping up with scammers keeping up with hackers providing you and your banking services with the safest possible protections on your money is an enormous investment every year from banks. And so, what they do when they when they are closing branches, that’s money that then goes into making sure they’re investing in all of the cyber protections that make internet banking possible. So, you know, once upon a time, it was all very visible, you saw the branch you went in, you saw the cash that was yours. You know, we don’t see cash, we don’t see our transfers. But it’s all happening behind the scenes. And all of those systems have to be paid for, maintained, protected, and continually invested in”.
APRA bank cybersecurity investigation
The Australian Prudential Regulatory Authority, better known as APRA, regulates banks. In fact, it regulates not just banks, but also insurance companies and superannuation funds. What follows is about all three – banks, insurance companies and super funds – but APRA does not differentiate between them in its criticisms of how they deal with cybersecurity.
APRA assessed about a quarter of all the entities which it regulates. It has found a lot of institutions don’t pay enough attention to making sure information assets have the proper security. Information assets include password and other encryption keys.
It’s highly unlikely bank customer passwords are not properly encrypted, but apparently in many instances the security of digital documents, such as loan agreements, and databases containing customer information, may be at risk.
The problem is with the proper identification and security classification of these assets. This means that in extreme cases anybody with access to a bank’s computer can access and potentially abuse all sorts of information which a properly managed system would bar them from.
This failing becomes especially acute in cases where a bank’s external service providers can essentially walk in and help themselves. Obviously, external service providers would not do that as a matter of policy, but the risk is that their employees are not properly screened in relation to the bank’s information assets.
What is also a worry is that banks don’t have the systems in place to test the effectiveness of whatever information security controls they have. APRA found that, in many cases, the testing programs are “incomplete, inconsistent, lack independence and do not provide adequate assurance for management and the Board”. That makes it sound as though “management and the Board” are the victims in all this, but they, of course, are responsible for these testing systems, so you could say that they are the perpetrators.
Another failing is the lack of adequate incident response plans. The three comments offered by APRA are uncharacteristically blunt. It says that “incident response plans are not in place, not reviewed and/or not tested regularly”.
Then it says that “incident management policy and process do not clearly define the roles and responsibilities of third parties”. In other words, no one knows what they have to do if things go wrong.
Then APRA identifies possibly the most damning shortcoming in that “incident response playbooks have limited plausible disruption scenarios”. In other words, these playbooks are useless.
So, if the banks have incident response plans, they don’t take them very seriously, leaving them (and their customers, you) vulnerable to a long list of serious and major mishaps, such as ransomware, data breaches and hacks, to name but a few.
Another gap is that the banks’ internal auditors apparently take the view that cybersecurity is nothing to do with them. Internal auditors do as little cybersecurity reviewing as they can because they “lack the necessary information security skills”.
Finally, APRA (says APRA) “must be notified of material incidents and control weaknesses in every entity’s cyber security system. The assessment has found that the process to identify and define these for reporting to APRA is often inconsistent, unclear and, in some cases, not in place at all”.
So, the next time you hear a bank say that bank branches have to go because they need to spend the money on cybersecurity, you’ll know what to think.