Banks and other incumbent financial service providers are putting themselves at risk by neglecting investment in their legacy business systems amid pressure to avoid being disrupted by smaller, more agile FinTech start-ups, the prudential regulator has warned.
Australian Prudential Regulation Authority (APRA) chairman Wayne Byres said that the agency was concerned that the desire to invest in cybersecurity and new technology platforms would be carried out at the expense of legacy systems which were already at risk of failure because they were – as he described them – “a patchwork of systems that have been bolted together over many years”.
“‘How should we allocate our investment?’ is an important question, but a more important precursor is: ‘How much do we need to invest?’” Mr Byres told a conference in Sydney on Monday.
He said that APRA’s technology risk team had conducted a review of the assets of nearly 90 per cent of the sector and found instances of critical systems being at end-of-life or end-of-support “without funded remediation plans in place”.
He said that frequently reported system problems were eroding public confidence in the banking system.
“Overall, our reviews suggested the health of the systems environment and associated risks have not been as well understood by peak decision-makers as they should be. The issues we highlighted have not arisen overnight, and reflect persistent underinvestment over a number of years,” Mr Byres said.
“Our reviews emphasise that, to facilitate new technology, investment budgets need to be increased, not just reprioritised. They will also likely need to be maintained at a higher level than has been the case in the past to allow for a catch-up on the backlog of maintenance that is needed.”
Mr Byres said that investment in cyber-defence ran against the grain of this trend, with the sector investing “considerable” effort and expense in hardening its information security measures to cope with online attacks.
In a separate development, Mr Byres signalled a softening of APRA’s stance on cloud computing since 2015, when it produced a paper in which the agency “expressed reservations about the use of the cloud for initiatives with heightened or extreme inherent risk”.
Mr Byres said that the regulator had issued an updated paper that took account of advances in the technology since the release of the 2015 position paper.
“The new paper acknowledges advancements in the safety and security in using the cloud, as well as the increased appetite for doing so, especially among new and aspiring entities that want to take a cloud-first approach to data storage and management,” he said.
“To be clear, cloud usage is not without risk – but nor is the status quo. In addition to reinforcing steps to minimise the risks of cloud usage, the information paper also summarises observed weaknesses that industry must continue to focus on.”
However, Mr Byres warned that accountability for information and data security remained a function that could not be outsourced.