Fines aren’t the only answer to Australia’s financial data breach problem

David Sandell, CI-ISAC

Fines are rapidly becoming the regulator’s go-to tool to force financial institutions into taking cybersecurity seriously. But while some organisations might be spurred into action by the threat of financial or reputational damage, others view penalties as simply a cost of doing business.

David Sandell, Co-Founder and CEO of CI-ISAC, a not-for-profit international information-sharing and cyber analysis hub, explores how to target the underlying gaps that exacerbate organisations’ vulnerability, and why the tried and tested approach of applying fines may only be punishing failures instead of preventing them.


And despite the billions spent on fines and compliance measures, the industry continues to grapple with outdated systems, complex supply chains, and a rapidly expanding attack surface. The question is: are fines enough to drive the transformational change the financial sector needs to safeguard itself?

Fines often follow catastrophic breaches, aiming to punish non-compliance and encourage better practices. Yet they do little to address the root causes of cyber incidents – issues like aging legacy systems, insufficiently tested updates, and poor supply chain oversight. Fixing these problems demands significant resources, planning, and cross-industry collaboration: challenges that penalties alone cannot overcome.

Take the Latitude Financial breach of 2023, for instance, one of Australia’s largest cybersecurity failures. The attack exposed the personal and financial records of 14 million customers, including driver’s licenses and passport numbers. While penalties were imposed, they did little to address the operational gaps that left Latitude – and by extension, its customers – vulnerable.

A sector under siege

When financial institutions fall victim to cyberattacks, the fallout can be catastrophic. In addition to facing direct attacks themselves, banks are tasked with protecting their clients’ assets, and many Australians fall prey to direct financial theft or scams by cybercriminals.

Finance companies are the custodians of vast amounts of sensitive customer data, from personal identification details to financial records and spending metadata. They also operate or integrate with payment systems, creating an irresistible target for both cybercriminals and nation-state threat actors.

Attacks on financial institutions go beyond mere theft or operational disruption. Nation-state actors may target these organisations to access sensitive M&A or client financial information, or to establish footholds for future disruptive operations amid political tensions.

The ripple effects of such incidents are profound. Beyond immediate financial losses, breaches erode consumer trust, leaving customers increasingly wary of how their data is managed.

Financial institutions are prime targets

Despite their robust cybersecurity postures, top-tier banks remain vulnerable due to the intricacies of supply chains and dependencies. The Latitude Financial breach, for instance, highlighted the risks posed by third-party vendors, even for mature organisations with solid defensive capabilities.

Financial institutions also face challenges inherent to the complexity of their systems. Legacy technologies, often running on outdated software, introduce vulnerabilities that are expensive and disruptive to address. Even system updates and patches, while necessary for maintaining security, can inadvertently create new weaknesses if not rigorously tested.

The increasing adoption of cloud-based technologies has expanded the attack surface for financial institutions. Managing visibility across multiple enterprise environments with varied attack profiles adds another layer of complexity, straining already stretched defensive resources.

Sharing knowledge and positive reinforcement

The limitations of penalties highlight the need for a more proactive and collaborative approach to cybersecurity. Instead of focusing solely on punishment, regulators and industry bodies should consider measures that reward organisations for proactive investments in their cybersecurity infrastructure.

One solution is to create incentives for adopting best practices and sharing threat intelligence across the sector. Financial institutions could benefit from reduced insurance premiums or regulatory relief for demonstrable improvements in their security posture. Additionally, secure, anonymised information-sharing platforms could enable institutions to learn from each other’s experiences without risking competitive advantage.

No single organisation can fully defend itself against the sophisticated and evolving threats posed by cybercriminals and nation-state actors. By working together, financial institutions can develop stronger collective defences. Collaborative efforts could include sector-wide incident response drills, shared vulnerability testing, and coordinated investments in cutting-edge technologies.

The financial sector isn’t alone in facing these challenges. Cross-sector collaboration with industries such as telecommunications and healthcare is critical to addressing the systemic vulnerabilities that cybercriminals exploit. These industries share the common challenges of managing vast amounts of sensitive data, navigating legacy systems, and securing complex supply chains, making them valuable sources of shared insights.

The stakes are too high to let fines serve as a Band-Aid for systemic vulnerabilities. Only prevention, collaboration, and resilience can truly secure the financial sector against an ever-evolving threat landscape.