Cyber risk is consistently ranked among the top risks to the Australian financial system. Cyber-attacks are increasing in frequency, sophistication and impact, with perpetrators continuously refining their efforts to compromise systems, networks and information worldwide. The Council of Financial Regulators (CFR), through its Cyber Security Working Group, is pursuing a number of initiatives aimed at further improving the cyber resilience of the Australian financial system.
Recent cyber-attacks in Australia have highlighted that no organisation is immune, and that a compromise may originate outside the traditional boundaries of the financial system yet still have a direct impact on it. Recent experience has also reinforced the need for government and regulatory agencies to continue to strengthen collaboration.
The following are examples of the initiatives being pursued through the CFR's Cyber Security Working Group:
Domestic and NZ CFR Cyber Attack Protocol
The CFR agencies have developed a domestic cyber-attack protocol to coordinate agency engagement and communications during cyber-attacks. A similar cyber-attack protocol has also been developed with New Zealand financial regulators, given the strong links between the Australian and New Zealand financial systems.
Cyber Operational Resilience Intelligence-led Exercises Framework
In December 2020, the CFR released the Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework to test and demonstrate the cyber maturity and resilience of institutions within the Australian financial services industry. In March 2022, the CFR reviewed the outcomes of a pilot exercise under the framework involving several financial institutions and financial market infrastructure providers. The CFR has endorsed the adoption of an updated CORIE framework for a broader rollout of the testing program.
Critical Infrastructure reforms
CFR agencies continue to work closely with the Department of Home Affairs on the development and implementation of new cyber-security obligations for ‘critical infrastructure’ assets.
To further strengthen collaboration and information sharing between the CFR and other government agencies, the CFR's Cyber Security Working Group has begun meeting jointly with members of the Cyber Security Regulator Network, which includes agencies such as the Australian Competition and Consumer Commission (ACCC), the Office of the Australian Information Commissioner (OAIC), the Australian Communications and Media Authority (ACMA) and the Cyber and Infrastructure Security Centre (CISC). This will allow agencies to discuss items of joint interest and collaborate where appropriate, thereby improving the timeliness, effectiveness and efficiency of cyber-related regulatory activity.
CFR agencies also recognise the important operational role the Australian Cyber Security Centre (ACSC) plays prior to and during such incidents, and engage closely with it, including through the Working Group.