Building a secure future together: SXSW Sydney 2024

Achieving a secure digital environment requires a collaborative, ecosystem-wide approach, a group of industry experts concluded at the CommBank SXSW Brighter Futures Dinner.

7 November 2024

“With cyber threats intensifying, our cyber defence team now analyses approximately 400 billion signals each week to detect potential security threats. As a whole, the organisation invests over $800 million annually in cybersecurity, targeting fraud, scams, and financial crime risks,”[1] Andrew Hinchliff, Group Executive for Institutional Banking & Markets, told senior business leaders gathering to discuss strategies for securing the technology our future depends on. “Over the past year, this commitment has yielded significant results, with fraud affecting Australian consumers and customers reduced by an impressive 50 per cent.”

“Yet, while these gains are encouraging, we understand that cybersecurity is not a solitary effort. Achieving a secure digital environment requires an ecosystem-wide approach, with all industries and companies working together to combat cyber fraud and scams,” he noted.

CommBank’s Andrew Hinchliff speaking at the CommBank SXSW Brighter Futures Dinner.

Threat casting for the future

Brian David Johnson, renowned futurist and former Chief Futurist at Intel, called on Australian business leaders to foster a culture of innovation within their teams. He emphasised the need for organisations to extend beyond leadership insights, empowering teams to engage creatively – even in exploring challenging, "darker" scenarios – to build resilience and scale ideas.

“How are you enabling your teams to innovate?” he asked, challenging leaders to consider whether they provide the support, freedom, and platforms necessary for proactive thinking. Johnson highlighted the importance of embedding innovation into the fabric of day-to-day work through methods such as intelligence sharing, wargaming, and cross-departmental collaboration. By granting teams permission to think expansively and prepare for complex issues, leaders can unlock new dimensions of strategic creativity and strength.

The attacker mindset

To strengthen cyber resilience, Johnson advocates for threat casting – a method that enables teams to adopt the attacker’s perspective. "We model a person experiencing a threat from multiple angles, allowing us to embody the mindset of an attacker," he explained. "Australia has a top cyber defence reputation, while the US leads offensively. Both defensive and offensive perspectives help us avoid complacency by constantly evaluating our vulnerabilities."

Andrew Pade, General Manager of Cyber Defence Operations, elaborated on this strategy, describing the synthesis of vast swathes of data that inform CommBank’s security efforts. "With the 400 billion signals we receive a week, we synthesise them down to critical focus areas. Our red and blue teams simulate attacks on our systems to address vulnerabilities proactively,” he said. “The blue team handles 'known knowns', while the red team simulates 'known unknowns' by hacking ourselves. Beyond that, we also engage in threat hunting to address 'unknown unknowns', identifying threats before they even emerge."

AI and scamming

AI plays an increasingly vital role in identifying and mitigating innovative threats. Kate Crous, Executive General Manager of Everyday Business Banking, pointed to the $2.7 billion Australians lost to scams last year, largely originating from outside traditional banking channels. “Scammers are reaching consumers through various channels - platforms, phone calls, SMS, and phishing links. It’s crucial to consider these methods of contact in all forms of protection, including AI and deepfake technology. For instance, there were 800 media stories on deepfakes from mid-September to mid-October alone."

Leah Pinto, Cyber Intelligence Lead at CyberCX, highlighted the agility of cybercriminals in adopting AI without the procedural delays that legitimate businesses face. “Threat actors can rapidly deploy AI to exploit vulnerabilities, even using deepfakes to impersonate executives in sensitive financial negotiations.”

Andrew Pade, Leah Pinto and Ethan Teas were panellists at the CommBank SXSW Brighter Futures Dinner.

Pade noted how critical AI will be in reinforcing defence, for the benefit of our security and the productivity of cybersecurity workforces. "One of the most significant developments is the introduction and adoption of AI technologies within detection and response capabilities. This advancement enables us to address more threats at speed,” he said. Historically, the issue has been that the more signals you receive, the more people you need to manage them— “like playing whack-a-mole”.

“But now, we're shifting towards greater automation and integration. AI allows us to move beyond simply managing signals to actively targeting threats. It enables us to pinpoint critical moments before an event occurs. We want to ensure our detection and response teams don’t face burnout. AI-driven automation assists by picking up on critical signals, which helps our teams respond effectively."

Payment security complexity

Ethan Teas, Executive General Manager of Payments at CommBank, addressed security challenges in payments innovation. "The New Payments Platform (NPP) has been fantastic for customers, allowing faster interactions, but it’s also enabled scammers to move money out of the system at high speeds. In fraud, the issue usually lies with the sender’s credentials, but with scams, it’s often about the recipient. This shift means one of the things we must focus on is identity – linking payments and identity is critical,” he said.

"We've rolled out 'NameCheck'* technology across our systems, verifying the payment’s intended recipient, which has saved customers over $400 million across mistaken payments and scams. Through our APIs, we’ve extended this service to trusted corporates and other banks, saving an additional $30 million for others. Next year, we’ll enhance this with ‘confirmation of payee’ at the industry level. On top of that we can build experiences with ConnectID®**, an initiative of Australian Payments Plus, for positive identity verification. This will allow corporates to differentiate with secure, real-time payments at the intersection of identity and safety."

Alongside these opportunities, Teas acknowledged the heightened risk inherent in real-time payments. "With real-time payments comes real-time risk," he emphasised, citing the rise of scams, corporate fraud, and first-party fraud in the consumer and corporate spaces. In a traditional payments setting, Teas explained, time itself often acts as a natural control mechanism, giving companies a buffer to detect and respond to fraud before transactions are finalised and slowing the movement of money out of the system. "Today, you have a variety of controls, and one of those, probably not documented, is time," he said. This natural delay between initiating and completing a transaction, he added, has often provided a valuable layer of protection—a layer that now must be carefully considered in the context of real-time payments.

CommBank SXSW Sydney Brighter Futures Dinner 2024

A collaborative ecosystem

Crous, reflecting on recent strides made by the Australian Financial Crime Exchange (AFCX) intelligence-sharing framework, described the transformative potential of industry-wide data sharing. "What if financial institutions, telcos, and platforms collaborated more closely to prevent scams?" Crous asked. "By sharing data across sectors, we could block scams before they reach customers—whether it's a telco halting a malicious link, a platform removing a fraudulent ad, or a financial institution stopping a dubious transaction." For Crous, such collaboration aims to make Australia a more hostile environment for scammers, protecting consumers and reducing the reach of fraudulent activities.

Teas agreed, saying, “This exchange has become integral to Australia’s fraud response, now powering the National Anti-scams Centre in Canberra.”

However, he flagged the delicate balance between cooperation and competition in the banking ecosystem. "We aim for collaboration at the infrastructure level—setting common standards—while remaining competitive in innovation," he noted. Citing ISO standardisation efforts, Teas described how central banks, SWIFT, and industry stakeholders have collectively shaped secure, resilient systems to benefit the financial sector.

Pade described how collaboration extends beyond individual industries. With a 20-year tenure at the Reserve Bank before joining CommBank, he witnessed firsthand the cooperative response of sectors like banking, airlines, and critical infrastructure when threats emerge. "When one industry faces a cyber threat, others rally to protect it. We see this cooperation across sectors—be it mining, banking, or aviation—to address risks before they escalate," he said. "It's about anticipating the next step we need to protect against. It's not limited to one area or industry; everyone steps in to ensure we protect each other."

Things you should know

  • [1] Commonwealth Bank Annual Report 2024

    This article is intended to provide general information of an educational nature only. It does not have regard to the financial situation or needs of any reader and must not be relied upon as financial product advice. You should consider seeking independent financial advice before making any decision based on this information. The information in this article and any opinions, conclusions or recommendations are reasonably held or made, based on the information available at the time of its publication but no representation or warranty, either expressed or implied, is made or provided as to the accuracy, reliability or completeness of any statement made in this article.

    *NameCheck is a security tool that searches the account details you’ve entered when making a first-time payment in NetBank, the CommBank app or CommBiz. Based on our available payment data, NameCheck will then indicate whether the account details look right. For example, if we’ve never seen an account name used for a particular BSB and account number, we’ll prompt you to take further steps to help ensure you’re paying the intended recipient.

    ** ConnectID® is a new service that lets you use the CommBank app to prove your identity online to merchants and other businesses, while keeping your personal data safe. Once you’ve given consent, ConnectID® allows you to share your verified identity data with approved merchants securely within the CommBank app. It’s a quick and easy process that gives you greater control of your data and privacy - you only share the personal information you need to. ConnectID® is a registered trademark of ConnectID Pty Ltd ABN 80 648 970 101.