Financial-services firms face “constructively tough” crackdown after breaches from “basic cyber hygiene” deficiencies: APRA

As regulator records 36 data breaches in 4 months, historical analysis suggests share prices could suffer a hit

Credit: ID 32715004 © Skypixel |

Loss of investor confidence from cyber attacks could hit the share prices of Australia’s financial-services giants, one analysis has suggested as an update on APRA’s newest cybersecurity regulation revealed the sector is suffering at least nine data breaches per month.

As the regulator of Australia’s financial-services industry, APRA has been monitoring compliance with the new CPS 234 regulation, which came into effect on 1 July – and has, according to executive board member Geoff Summerhayes, already surfaced 36 separate data breaches in that time.

None had resulted in “a breach material enough to threaten its viability, but I can assure you it’s not for want of trying,” Summerhayes said during a speech opening the recent CyBSA 2019 Cyber Breach Simulation Australia event co-organised by Optus Macquarie University Cyber Hub and the Trans-Tasman Business Circle.

The cybersecurity situation had evolved to the point where APRA now expects regulated entities to adopt an “assumed breach” mentality, Summerhayes said, noting that the regulator had bolstered its cybersecurity capabilities and positioned improvement of cyber resilience as one of its top four strategic priorities in its recently updated 2019-2023 Corporate Plan.

With nearly 600 entities under APRA’s watch, Summerhayes said the reported number of breaches – many of which are “relatively minor” and involved human error – “isn’t cause for undue alarm” and commended a sector that “broadly handles information security incidents well”.

That said, closer examination of companies’ regular cybersecurity practices had identified lingering issues with areas such as “basic cyber hygiene” due, for example, to poor patching practices, “common” poor access management practices, and maintaining systems that are no longer supported or updated by their vendors.

Others, he pointed out, “still haven’t developed a complete inventory of their information assets within their IT real estate or put in place effective oversight where part of that real estate is managed by third parties,” he said.

“You cannot secure what you don’t understand and you are only as strong as your weakest link.”

Share price impact

That rate of cyber breaches “indicate that there is still room for improvement,” said Kevin Vanhaelen, Asia-Pacific regional director with Vectra AI, “and I would bet my bottom dollar that there are more that are yet to be discovered.”

“Detection and response to cyber attacks is often a slow affair yet CPS 234 mandates that a regulated-entity must notify APRA no later than 72 hours after becoming aware of a material information security incident.”

Noting that it takes an average of 200 days to detect a breach, Vanhaelen said, “these time frames are simply unacceptable…. Reducing threat notification and response processes needs to move from weeks or days to minutes. A contemporary security architecture must be adaptive and integrate defence, detection, response, and learning dimensions into an iterative process.

Even as CPS 234 sees APRA clamping down on cybersecurity practices – its assignation of cybersecurity responsibility to company boards was a warning shot that couldn’t be ignored – the impact of the declared breaches remains largely undetermined.

A recent Comparitech analysis of 33 data breaches, which hit 28 New York Stock Exchange-listed companies and each involved at least 1 million leaked records, shed some light on the potential impact that data breaches can have on investor confidence.

The share prices of the breached companies – which included Apple, Adobe, Anthem, Capital One, Facebook, Equifax, Home Depot, Marriott, Sony, Target, Under Armour and others – had fallen 7.27 percent two weeks after the breaches, on average, with the affected companies underperforming rival exchange NASDAQ by 4.18 percent.

Comparitech noted a surge in share prices in the six months after a breach – growing 7.4 percent on average, compared with 4.1 percent before the breach – but after two years those companies were underperforming NASDAQ by 12.88 percent.

Finance and payment companies noted the largest drops in share price, the analysis concluded, and healthcare companies were least affected.

Interestingly, the analysis noted, breaches that happened 2011 or earlier were correlated with larger drops in share price than those in recent years. Although those companies “were already performing poorly” during the 6 months before their breaches, Comparitech posited that this was due to “breach fatigue” that saw investors become acclimated to breaches over time.

Contrary to expectations, there was a negative correlation between share price changes and the size of the breach, with larger companies “able to shake it off and ultimately outperform the market, whereas companies with smaller breaches lagged behind six months on.”

Companies leaking “highly sensitive information” like credit and debit card numbers, or social-security numbers, saw sharp drops in share price performance – and performed worse in the six months following a breach than the six months prior.

Given the many potential repercussions for data breaches – which, thanks to CPS 234, now include censure of financial-service company executives and board members – it has yet to be seen how, or even if, the breaches APRA reported will affect the companies’ share prices.

The regulator will be watching closely, Summerhayes said, noting that “there is room for improvement in the industry” and presaging an independent assessment of CPS 234 compliance “in due course.”

“APRA’s role in this process is to ensure regulated institutions are resilient to cyber-attacks through prevention, detection and response capabilities,” he said.

“We’ll be increasingly challenging entities in this area by utilising data driven insights to prioritise and tailor our supervisory activities…. We’ve set the floor with CPS 234 and will be enforcing these legally-binding minimum standards in a ‘constructively tough’ manner.”

Tags apradata breachesbreach detection

Show Comments