APRA-Regulated Entity Threat Analysis
Key Findings
- Financial sector most targeted by state-sponsored actors
- BEC (Business Email Compromise) losses averaged $850K per incident
- Third-party vendors a significant attack vector
- API vulnerabilities increasingly exploited
- Insider threats responsible for 15% of incidents
Executive Summary
APRA-regulated entities experienced elevated threat activity in 2024, targeted by sophisticated actors including state-sponsored groups, organized cybercrime, and insiders. The financial sector's high-value data and transaction capabilities make it a priority target. Business email compromise resulted in average losses of $850K per incident. Third-party vendor compromises affected multiple institutions simultaneously. API security emerged as a critical concern with increasing exploitation attempts.
State-Sponsored Targeting
APT groups attributed to China, North Korea, and Russia actively targeted financial institutions for intelligence collection, intellectual property theft, and potential disruption capabilities.
- Banks: 89 confirmed targeting attempts
- Insurers: 45 reconnaissance activities
- Superannuation funds: 34 targeting attempts
- Focus on customer data and financial intelligence
- Preparation for potential future disruption
Business Email Compromise
BEC attacks remained highly effective against financial institutions. Average losses reached $850K per incident. Attackers employed sophisticated social engineering and email spoofing techniques.
- CEO/CFO impersonation attacks
- Vendor email account compromises
- Wire transfer fraud
- Tax/salary diversion schemes
- Real estate transaction intercepts
Third-Party Risk Materialization
Third-party vendor compromises provided attackers with access to multiple institutions. Managed service providers, software vendors, and data processors represented significant risk vectors.
- 23 confirmed third-party compromises
- Average 8 downstream customers affected
- Payment processor compromises: 5 major incidents
- Cloud service provider attacks
- Software supply chain vulnerabilities
API Security Incidents
API vulnerabilities were increasingly exploited as financial institutions expanded digital services. Authentication bypasses, authorization flaws, and excessive data exposure enabled unauthorized access.
- Authentication bypass: 45 confirmed exploits
- Broken object level authorization: 67 incidents
- Excessive data exposure: 34 findings
- Lack of rate limiting enabled scraping
- API key leakage in mobile apps
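As an added illustration of three of the flaw classes listed above (it is not part of the report), the following Python models a broken-object-level-authorization account lookup that also over-exposes data, a hardened version that enforces ownership and an allowlist of response fields, and a per-caller rate limiter of the kind that blunts scraping; all account records, field names and callers are constructed sample data.

```python
import time
from collections import defaultdict

# Constructed sample records (not from the report); "tfn" stands in for a field
# that a customer-facing endpoint must never return.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 5200.00, "tfn": "123-456-789", "bsb": "062-000"},
    1002: {"owner": "bob", "balance": 310.50, "tfn": "987-654-321", "bsb": "062-001"},
}
PUBLIC_FIELDS = ("owner", "balance", "bsb")  # response allowlist

class Forbidden(Exception):
    pass

def get_account_vulnerable(caller: str, account_id: int) -> dict:
    """BOLA plus excessive data exposure: trusts the client-supplied id and
    returns the whole record regardless of who is asking."""
    return dict(ACCOUNTS[account_id])

def get_account_hardened(caller: str, account_id: int) -> dict:
    """Object-level authorization: the record must belong to the authenticated
    caller, and the response is built from an allowlist, not the raw record."""
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != caller:
        # Same error for missing and foreign ids avoids an enumeration oracle.
        raise Forbidden("account not accessible")
    return {k: record[k] for k in PUBLIC_FIELDS}

def is_accessible(caller: str, account_id: int) -> bool:
    """True if the hardened endpoint would serve this caller/id pair."""
    try:
        get_account_hardened(caller, account_id)
        return True
    except Forbidden:
        return False

class RateLimiter:
    """Sliding-window limiter: `limit` calls per `window` seconds per caller; the clock is injectable for tests."""
    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = defaultdict(list)

    def allow(self, caller: str) -> bool:
        now = self.clock()
        hits = [t for t in self._hits[caller] if now - t < self.window]
        allowed = len(hits) < self.limit
        if allowed:
            hits.append(now)
        self._hits[caller] = hits
        return allowed
```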
Insider Threats
Insider threats accounted for 15% of incidents. Motivations included financial gain, disgruntlement, and inadvertent data exposure. Privileged user abuse and inadequate access controls contributed to incidents.
- Data theft by departing employees: 23 cases
- Privilege abuse: 18 incidents
- Inadvertent exposure: 31 cases
- Collusion with external actors: 7 confirmed
Recommendations
- Implement comprehensive BEC defenses including DMARC, user training, and verification procedures
- Enhance third-party risk management with continuous monitoring and contractual security requirements
- Deploy API security testing and runtime protection
- Implement insider threat program with user behavior analytics
- Conduct regular security assessments aligned with APRA CPS 234
- Deploy advanced email security with impersonation protection
- Strengthen privileged access management and monitoring
- Implement network segmentation limiting lateral movement
- Deploy fraud detection capabilities for financial transactions