ANZ did not deny the potential arrangement when asked about it last week, with a spokesman saying the bank looked to “specialists with niche skills” to bolster its cyber-security function.
But on Wednesday, the bank issued another statement saying there had been no “serious discussions” about the potential arrangement and denying a tender had been created for “managed services in its cyber-security area”.
ANZ’s ‘security operations centre’
ANZ’s cyber-security staff run a “security operations centre” that monitors for phishing emails seeking customer log-in details and for malicious internet traffic, as well as educating staff about threats.
Currently, the bank hires external parties to test the security of its systems — the normal industry practice.
ANZ is understood to have been considering adding more external assistance to test the systems of those outside the bank to ensure customer data that is shared remains protected. This is to cope with an expected increase in the number of third parties seeking to access ANZ customer data as the bank engages in more partnerships with start-ups and other technology industry players.
The sensitivity around cyber security reflects the high stakes for the bank of any data breach, with the new laws requiring any material data breach to be notified to the market.
Ultimate responsibility
New rules by the Australian Prudential Regulation Authority, known as CPS 234, also dictate that when data is “managed by a related party or third party”, the main financial institution “must assess the information security capability of that party”.
To ensure banks take cyber security seriously, APRA also makes directors “ultimately responsible for ensuring that the entity maintains its information security”.
Asked about a cyber-security managed service arrangement last week, an ANZ spokesman said the bank would continue to run its main cyber-security operations internally.
“ANZ recognises trust is a fundamental element of our business and our cyber-security team is a significant contributor to that,” a bank spokesman said.
“We have absolutely no plans to change this team’s critical role in protecting ANZ’s core systems and services or its responsibilities, though we are looking to hire more people to join it.
“We sometimes partner with other organisations that can complement the important work [the cyber security] team does. This includes looking at specialists with niche skills and others who are providing world’s best practice in certain areas to help us with things such as reviewing third parties we use to provide services.”
On Wednesday morning, the bank issued another statement playing down the seriousness of any discussion about having an external party provide ongoing cyber security as a “managed service”.
“ANZ does not have a major tender for managed services in its cyber-security area and we have not had any serious discussions about one,” the spokesman said.
Cyber security a critical internal function
The global trend is for banks to build up their cyber-security teams internally and not outsource critical parts of the function, said James Turner, the founder of CISO Lens, a forum for chief information security officers of large Australian companies.
“Generally, when it comes to cyber risks, banks tend to want to do it themselves,” Mr Turner said, emphasising he was speaking in general and not specifically about ANZ’s arrangements.
“The big banks see cyber risk as an existential threat and firmly want to take their destiny in their own hands. They know they cannot transfer risk, and that they cannot count on an external provider caring as much as they do.
“Having internal capability also gives a bank much more flexibility in responding to the evolving environment. And a critical challenge with multi-year contracts is that the risks the contract was drafted to address may have vastly different importance and impact in year three of the contract.”
Mr Turner estimated that the local banks were spending “hundreds of millions” on their cyber-security teams.
Cyber security skill shortage
EY cyber-security leader Anthony Robinson declined to talk about ANZ but agreed to speak in general about the demand for cyber-security experts.
“The availability of key skills is top of mind for Australian CEOs in the wake of technological change and automation,” Mr Robinson said.
Companies were now splitting the function, he said, with internal cyber teams “identifying new hacking [or] cyber risks” and external parties providing “ongoing monitoring”.
“Large organisations have been focused on building new capabilities; they’re now reassessing how best to balance the competing priorities of improving quality and effectiveness of cyber controls while addressing operational costs,” he said.
For its part, ANZ is advertising positions, including “cyber defence” engineers based in Melbourne and a “cyber defence” analyst and “cyber defence” engineer based in the Philippines.
Last year, the Financial Review revealed EY’s plan to turn ANZ into one of the firm’s biggest advisory clients in the Asia-Pacific region with target billings of $US50 million a year by 2020.
EY’s margins for the work varied by service line, ranging from about 35 per cent for assurance work to almost 50 per cent for consulting and cyber-security work.