Australian banks and their internal audit teams need to pay more attention to the risks posed by legacy technology and an over-reliance on a select number of cloud providers, according to the industry's watchdog.
In a speech to Australia's banking sector, Suzanne Smith, a member of the Australian Prudential Regulatory Authority (APRA), warned that the regulator is paying particular attention to concentration risk.
"Across banking, insurance and superannuation, critical operation delivery often hinges on a concentrated set of technology vendors in areas such as the cloud, processors, network, software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS)," said Smith.
"That means if one of these technology providers fails, even temporarily, they can potentially take down services at every company relying on their services."
She also referenced the risks associated with outdated technology. "Many of the banks, insurers and superannuation trustees APRA supervises rely heavily on legacy systems, which are often built on now outdated software and hardware," said Smith.
"These systems are typically less resilient to cyber threats as they often fall short of modern requirements for encryption, segregation, user access, authentication, and real-time monitoring."
Consequently, banks should be asking more of their internal audit teams to monitor any technology-related risks.
"One of the key responsibilities internal audit has is making sure the fundamentals are in place, particularly with respect to workforce planning, employee engagement and the delivery of digital transformation initiatives," said Smith.
"Internal audit should also be alert to cost-cutting and cost optimisation strategies designed to maintain profitability that inadvertently become very expensive. Delaying the replacement of technology assets, for example, often comes with hidden costs which eventually need to be paid."