Skip to main content

Clifford Chance

Clifford Chance

Regulatory Investigations and Financial Crime Insights

Council of Financial Regulators mandates increase in cybersecurity standards and cyber resilience

The Council of Financial Regulators (CFR) calls for Australian Financial Institutions (AFIs) to increase cybersecurity measures by increasing cyber self-defence activities.

The CFR, the coordinating body for the Australian financial services industry, has announced the implementation of a Cyber Operational Resilience Intelligence-led Exercises (CORIE) scheme designed to test the cybersecurity defences of organisations within the Australian financial services industry by simulating/modelling realistic cyber-attacks (such as malware and prolonged phishing attacks) and responsive cyber-defence operations.

The CFR is a non-statutory body comprised of the Australian Prudential Regulation Authority (APRA), the Australian Securities and Investments Commission (ASIC), the Reserve Bank of Australia (RBA) and the Department of the Treasury.

The CORIE scheme cyber-attack exercises has been proposed as a useful and timely way for an organization to measure the adequacy of its IT security capabilities, identify and expose weaknesses, and to develop tactical and strategical solutions for detecting, managing and preventing future cyber-attacks.

The CFR's CORIE scheme is available here.

2020 saw a marked increase in the number of cyber-attacks and the methods of attack employed by cyber-criminals has become more sophisticated. Head of the Australian Cyber Security Centre, Abigail Bradshaw, has stated publicly "It is indisputable that the scale, frequency and sophistication of malicious cyber activity is on the rise."

Regulators are now taking cyber security more seriously, as evidenced by ASIC commencing, for the first time in its history, proceedings against a financial services provider for failure to have adequate policies, systems and resources which were reasonably appropriate to manage risk in respect of cybersecurity and cyber resilience. ASIC's media release is available here.

In addition, APRA has put industry players on notice that any failure to uphold compliance with its cyber security standards (Prudential Standard CPS 234 Information Security) would result in enforcement action and that all institutions would be required to carry out independent cyber security audits against the standard from 2021.