The pace of digital transformation has meant that cybersecurity is no longer simply a technology issue, but an aspect of business that is of critical importance to finance professionals.
At a glance
- Even pre-pandemic, the financial services sector was among those reporting the largest share of cyber incidents globally.
- Rapid digital transformation in the sector has created several cybersecurity gaps that have increased the risk of cyber attacks.
- The Australian Institute of Company Directors recommends that company directors give the same level of importance to online assets as they do to real-world assets.
While initiatives to digitally transform business during COVID-19 have mostly been impressive, the pace and scope of the shift to a remote workforce has led to inevitable gaps, particularly with regard to cybersecurity.
Prior to the pandemic, financial services was already among the sectors accounting for the largest share of cyber incidents globally. The rapid rise in the digitalisation of services and the use of third-party technology providers during the pandemic have meant that the risk of cyber attacks in the financial system has now increased even further.
The Reserve Bank of Australia (RBA) identifies four areas of specific cybersecurity concern to the financial system:
- data breaches, where attackers steal sensitive data
- system disruptions, where attackers make systems unavailable
- integrity of data attacks, where attackers deliberately alter information to make it unusable
- financial attacks, where hackers use fraud or ransom attacks to steal funds
As these types of cyber concerns indicate, cybersecurity has evolved from being an IT issue to a material business risk that is of critical importance to accountants and finance professionals.
CrowdStrike, a leading US-based cybersecurity company, identifies accounting firms as attractive targets for cyber criminals, as accountants hold valuable financial information. With multiple accounting firms, particularly small and medium-sized enterprises (SMEs), going through a phase of digital transformation, cyber attacks are becoming a serious risk. Misused or stolen client data could result in significant legal and reputational damage.
The media has recently compared cybersecurity to vaccines: some individuals may choose to opt out, but this eventually jeopardises others’ safety.
To mitigate the risk of cyber attacks, the Australian Institute of Company Directors recommends that company directors treat the organisation’s online assets with the same level of care and attention that they pay to the organisation’s real-world assets, arguing that the two are inextricably linked.
On 6 August 2020, the Australian Government released Australia’s Cyber Security Strategy 2020. Through this strategy, the government plans to invest A$1.67 billion in cybersecurity over the next decade.
Measures outlined in the strategy include:
- protecting and actively defending the critical infrastructure that all Australians rely on
- finding new ways to investigate and shut down cybercrime
- implementing stronger defences for government networks and data
- encouraging greater collaborations to build Australia’s cyber skills pipeline
- increasing situational awareness and improving sharing of threat information
- forming stronger partnerships with industry through the Joint Cyber Security Centres program
- delivering advice for SMEs to boost cyber resilience
- providing clear guidance for businesses and consumers about securing Internet of Things devices
- establishing a 24/7 cybersecurity advice hotline for SMEs and the public
- improving community awareness of cybersecurity threats
Individual states have also taken the initiative to seek industry feedback to develop separate cybersecurity strategies of their own. The New South Wales (NSW) Government, for instance, recently sought feedback on its proposed 2020 NSW Cyber Security Strategy.
CPA Australia podcast:
Stay safe: Practical tips to create a cybersafe environment
In its submission to this strategy, CPA Australia provided several recommendations, including:
- implementing a state-wide collaboration platform that encourages the sharing of information and expertise between state government agencies and other stakeholder groups
- establishing a cybersecurity incubation hub that supports the ongoing development of cybersecurity services and skills
- giving preference to local cybersecurity suppliers sourcing local talent
- creating more cybersecurity jobs and supporting the re-skilling and upskilling of those seeking a career in cybersecurity
Another development that focuses on the relevance of cybersecurity is the Consumer Data Right (CDR) legislation and the introduction of open banking in February 2020 in Australia. The objective of the CDR regime is to give consumers greater control over their own data, including the ability to securely share data with a trusted third party.
It is hoped that the regime will make it easier for consumers to compare and switch between different financial service offerings.
With so much sensitive financial data being made available to consumers and exchanged between consumers and third parties, authorities are doubling down on security, with the Australian Competition and Consumer Commission (ACCC) flagging that maintaining data security and privacy should be the top priority for the open banking scheme.
The challenges for financial services providers participating in the open banking system will be to balance opportunities and risks – namely, addressing the need for innovative services and products, while maintaining data security and privacy across a quickly evolving ecosystem.
The other key policy concern for CPA Australia is that the CDR regime should not disrupt the flow of client information to tax agents and accountants, making it more difficult for tax agents to, for example, prepare tax returns.
In reference to the current environment, the media has recently compared cybersecurity to vaccines: some individuals may choose to opt out, but this eventually jeopardises others’ safety. This analogy highlights that cybersecurity is a complex organisational challenge, which, if not taken seriously, can affect the entire ecosystem.