Cyber security self-regulation has failed

25 March 2015 4:29PM
John Kavanagh

Finance industry self-regulation in the area of cyber security has failed and it is time for the regulators to step in, according to a leading banking industry figure.

Paul Tucker, senior fellow at Harvard Kennedy School and former deputy governor of the Bank of England, told delegates at the Australian Securities and Investments Commission's annual forum that the industry was not doing enough to address the cybercrime issue.

"There is a crisis of collective action and that is where governments and regulators play a role," Tucker said.

The number of data breaches where a data loss was confirmed more than doubled in 2013, compared with the previous year, according to Verizon's most recent annual cybercrime survey.

Attacks on payment systems featured prominently in the report. Of the 1367 breaches analysed, 14 per cent were point of sale intrusions and nine per cent were card skimming attacks.

Non-compliance with voluntary industry standards appears to be a big part of the problem. Verizon released its annual review of PCI compliance in January, reporting that while the number of companies applying for validation under the PCI Security Standards Council's data security standard increased substantially last year, the number failing to meet compliance was also large. Four out of five companies failed to meet aspects of their PCI compliance obligations.

ASIC's view is that data breaches are a key business risk, especially in the financial services industry, and that senior management needs to take responsibility for managing the risks.

ASIC chairman Greg Medcraft said financial services licensees had an obligation to be cyber resilient.

ASIC's cyber resilience report, published earlier this month, says cyber risk management is still a largely voluntary exercise for most companies in the United States, Asia and Europe. However, this is changing.

The European Union is moving to require companies in certain sectors to report all cyber attacks to government and take specific risk management measures to protect systems and data. The Australian government plans to introduce a mandatory breach notification scheme this year. President Obama's State of the Union address in January declared that cyber security was a government priority. It has been followed by a series of proposed reforms.

Oliver Wyman partner Jacob Hook said the problem was exacerbated by new entrants into the financial services industry using innovative technology platforms. Hook said: "As digital disruption progresses and more financial services activities fall outside the regulatory sphere, new forms of detriment threaten."

Some speakers at the conference were sceptical about how much regulators could do in this era.

ANZ chief executive Mike Smith said: "The issue with digital change is that it is moving very fast and it is very difficult for regulators to keep pace with it."

Former Australian Prudential Regulation Authority chairman John Laker said financial regulators were not skilled in dealing with cyber security.

"It is not a narrow regulatory issue. It requires a response across all government and industries," Laker said.