NAB's AU$150m annual cybersecurity spend set to increase

Meanwhile, ANZ's CEO said banks have always been in the security business, it is just the threat realm that's changed.
Written by Asha Barbaschow, Contributor

National Australia Bank has revealed it spends around AU$100-AU$150 million annually on cybersecurity, with the exact figure growing exponentially each year.

The red and black bank's newly minted CEO Philip Chronican discussed NAB's approach to cybersecurity on Friday, facing the House Standing Committee on Economics. While he was unsure just how many people are employed in a cyber capacity within the bank, he did say cyber is an ongoing area of focus and interest "for all of us".

"We have our own challenges at our end; it is not just something for NAB," Chronican said.

"We are active daily in identifying potential threats and shutting them down, and we work closely with all of the authorities across the landscape to assist in that.

"I haven't recently had any data, but I know that every day there are attempts to attack our environment and every day we are beating them back. And we're building resilience inside our environment to make sure that data is secured and that we can monitor any untoward activity inside our environment as well as protect the external face of the environment." 

NAB in July admitted that some personal information on approximately 13,000 customers was uploaded, without authorisation, to the servers of two data service companies.

The compromised data included customer name, date of birth, contact details, and in some cases, a government-issued identification number, such as a driver's licence number.

NAB in early 2017 also admitted it had sent the details of approximately 60,000 customers to an email address on a global domain rather than its .au address.

It is understood customer information was sent in error to a nab.com address rather than an email address on the nab.com.au domain.

The bank last month launched the NAB Cyber Security Roadshow, which is a small tour around the country to teach Australian small businesses how to best protect themselves from cybercrime.

"We increasingly try to be proactive, particularly with our customer base and our SME and business customers around raising awareness about what they can do," CFO Gary Lennon told the committee.

According to Chronican, the initiative has had a positive impact.

"Everything I've heard over the last couple of weeks from that is that it has been well received by customers," he said. "I think we're going to continue to offer that."

He said he believes small and medium businesses are actually understanding the gravity of the threat landscape and are taking preventative measures.

"Many of them have suffered loss and realise how important that is," he explained.

Also addressing the committee was ANZ CEO Shayne Elliott, who said banks are in the security business and that cybersecurity is part of the culture.

"Banks are in the security business. We've been in that from day dot," Elliott said on Friday. "The way we go about securing our customers' money and their data has changed, and now we talk about cybersecurity. 

"It's sort of a part of the culture of banking."

Like NAB, ANZ is investing "really heavily" in security. According to Elliott, that comes in two parts -- hardware and software.

"One is on the hardware -- working with the world's best providers of the technical hardware that secures the bank and the architecture within the bank," he explained. "The second side is the software, which is the culture of the bank -- that is, we have people who understand it, can design processes, can work with government agencies, and can work with other people in the industry to stay a step ahead."

Additionally, ANZ boasts a cyber control centre, where Elliott said "all the high-tech stuff feeds in" and is continuously monitored. There are approximately 200 staff in the cyber control centre.

"We are constantly monitoring all parts of our network for risk and acting, whether that's low level cyber-risk, such as amateurs trying to hack in, or whether it's sophisticated nation-state activity et cetera," the blue bank's CEO said.

The CEO is unsure just how much his bank spends on cyber-related activities, but said "depending how you count it, it's likely to be hundreds of millions of dollars, I would imagine".

"It will be a significant number," he said. "I think sometimes people think somehow cybersecurity is new. We've been doing it for a long time. Technology is not new in banks. We've had mainframes and systems for 50 or 60 years.

"I've spent time with that team and time with our scam and fraud teams and my observation is that the bad guys -- for want of a better term -- have realised that hacking into banks is really hard," Elliott continued.

"The point of weakness is customers and/or other parts of the ecosystem, so they're much more likely to target, sadly, vulnerable people, who are duped into providing access to their accounts through passwords or other things."

Elliott said his bank has seen a rise in that activity as a result of the bank's systems being "actually incredibly secure".

Facing the committee a week prior was Westpac CEO Brian Hartzer, who revealed his bank was spending AU$50 million annually on upgrades to its various cybersecurity capabilities.

"We have extensive teams that are dedicated to that, both in terms of monitoring activity that's going on and making improvements in our systems and processes," he said. 

"It's quite a sophisticated set of controls that we have in place and we start with lots of investment into technology to make sure that foreign actors can't get in or can't disrupt what we're doing.

"And we have another number of controls around that."

According to Hartzer, when it comes to security, Westpac is focusing on customer privacy, labelling it as a massive agenda item for his bank.

He also said there is much more coordination and collaboration across the sector, and between the sector and various government agencies, with the overarching agenda of making sure intelligence is shared to help each other strengthen protections.
