Financial sector 'falling behind' on cyber security standards

There have been 36 notifications of cyber breaches in the four months since the Australian Prudential Regulation Authority’s (APRA) cyber-security information standard was implemented, the regulator says.

Executive Board Member Geoff Summerhayes warns that many financial companies are running systems that are no longer supported by IT or kept up to date with security measures, and that the financial sector lacks a comprehensive security patching regime. Poor access management practices are also common, he says.

Many of the notifications were for inadvertent disclosure of personal information, but some involved compromised staff or customer credentials, resulting in fraud, manipulation of records and website defacement.

Speaking at the Cyber Breach Simulation Australia conference, Mr Summerhayes said organisations must act on the assumption that their cyber security measures will be breached at some point.

“We’ve warned repeatedly that it’s only a matter of time until an Australian bank, insurer or superannuation licensee suffers a significant breach that, in a worst-case scenario, could force it out of business,” he said. More than 70% of APRA-regulated entities have self-assessed gaps in their cyber-security compliance.

He also says it is possible that a bank, insurer or super fund has already been compromised by a cyber breach without knowing it, as some breaches take years to detect.

“It’s important to note that APRA’s regulated flock would have been subject to vastly more attempted cyber-attacks; these are just the ones that succeeded – and that we know about,” he said.

APRA’s corporate plan now puts improving cyber resilience in the financial system among its top four strategic priorities. It will be using data to create baseline measures against which it will hold companies to account for maintaining their defences.