Recent instances of cyber-attacks targeting third party service providers of government agencies and private sector organisations have coincided with the latest release of the Australian Cyber Security Centre (ACSC)’s 2017 Threat Report.

This report comes as a timely reminder of the ongoing digital threats to organisations, such as those in the financial services sector, especially with the rise of innovation and financial technologies (FinTech) in this market. ACSC identified over 47,000 cyber incidents over the last year (up 15%) and reported that 7283 of these cyber security incidents affected major Australian businesses. It estimates that business email compromises alone cost Australian businesses over $20 million.[1] Many of these breaches involve exploiting security vulnerabilities in the systems of third party contractors.

Indeed, financial institutions are attractive targets for hackers and cyber-criminals because, under Australia’s Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) laws that encompass a strict Know Your Customer (KYC) regime, financial institutions are mandated to verify their consumers’ identity and keep records of customers and their transactions.[2] AUSTRAC’s recent high-profile action against a major Australian bank for alleged breaches of AML/CTF laws and KYC requirements demonstrates the strict stance that Australia’s financial intelligence agency adopts towards compliance with these laws. However, compliance with AML/CTF laws also means that extremely large amounts of personal and financial information are stored on the servers and databases of Australian financial services organisations – ripe for hackers and cyber criminals to target.

It therefore comes as no surprise that the ACSC’s newly released 2017 Threat Report sets out that:

“Cybercrime conducted by criminal and state-sponsored cyber adversaries remains a persistent threat to Australian financial institutions. Criminal groups continue to conduct malicious cyber activity such as deploying malware on a network to steal online banking credentials or conducting large, multi-stage intrusions to facilitate larger scale theft. The global financial system is likely to face challenges from a growing volume of increasingly sophisticated malicious activity.

Foreign state and criminal groups are demonstrating the capabilities and operational tradecraft to conduct major intrusions into financial institutions. The adverse effects of these actions on second parties and on confidence in system security will probably have wide ranging repercussions.”

Currently, the management of personal information of individuals (including financial records) is governed by the Privacy Act 1988 (Cth) (Privacy Act). Financial institutions which come under the Privacy Act are subject to the Australian Privacy Principles (APPs). Under APP 11, an entity “must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.”

Despite this, the many recent instances of unauthorised access to and unauthorised disclosure of personal information raise questions about the attitudes of some organisations towards compliance with the APPs. From a public policy perspective, lacklustre approaches to financial data security are highly problematic. If the market wants to encourage investment, whether that be the simple opening of a bank savings account by retail clients, investments in superannuation funds or through a start-up FinTech platform, investors need to have full confidence in the law, regulators and the financial industry to protect their personal KYC information from misuse, interference and loss.

In February 2017, Federal Parliament passed the Privacy Amendment (Notifiable Data Breaches) Act 2017, which amends the Privacy Act. This legislation, which will come into force in February 2018, requires federal government agencies and private sector organisations with a turnover of more than $3 million to notify the Office of the Australian Information Commissioner and affected individuals of eligible data breaches. Notifying individuals whose data has been breached gives them the opportunity to take steps to protect themselves from the consequences of the data breach. It is also possible that the public embarrassment, and the reputational and commercial damage associated with public disclosure, will be seen as incentives encouraging financial service organisations to implement measures to protect their customers’ KYC information, in the interest of avoiding negative publicity.

Where third party contractors are involved, the new legislation potentially allows for notification by either party. This means that the ‘primary data collector’ may be obliged to notify if the contractor has not done so – even if the contractor is at fault for the data breach. Under this new notification regime, if the parties fail to comply with notification requirements, they could both be liable to material civil penalties. In addition, while a contractor may be responsible for a data breach and may have an obligation to notify individuals of that breach, your organisation may suffer the ‘reputational hit’ as a result. For this reason, we recommend that service provider agreements contain clear obligations on the service provider to notify the principal, to allow for management of identified issues as well as compliance with the new laws.

With this legal framework in mind, we note that, in some recent cases, victims of cyber attacks have been vulnerable because of their lacklustre cyber security protocols. In one recent instance, it was alleged that the ‘sloppy’ data security protocols of a government’s third party service provider included using generic passwords such as “admin” and “guest” on their public facing webservers.  Although the contracting organisation itself was not at fault in this instance, ultimately, it is still responsible for the setting of standards and accreditation.[3]

This approach can be similarly applied to the financial services sector. From an optics point of view, if a bank’s customer details are collected by and stored with a third party, any data loss by the third party provider will inevitably cause embarrassment and reputational and financial damage to the bank itself.

Thus, financial services organisations, and entities that are subject to the Privacy Act in general, are reminded of the need to ensure that their own data security protocols, and those of their service providers, are adequate and compliant with privacy laws. From a legal point of view, this can be done through adequately drafted cyber security clauses in service agreements and relevant audits. Agreements that require third party service providers to warrant that they have adequate data protection measures in place to meet privacy laws and standards, coupled with extending liability to service providers for any loss and damage resulting from the service provider’s cyber security lapses, will encourage greater cyber protections in the expanding FinTech world.

It’s also worth remembering that it’s not just compliance with the Privacy Act that matters – your contractor may meet the threshold requirements for Privacy Act compliance and still lose your data.

Here at Norton Rose Fulbright Australia, we have developed a fixed-price Vendor Data Management Package that includes a detailed data security schedule to assist clients with drafting such service provider agreements and in dealing with third party contractors with respect to data management and protection. Please contact us if you would like further advice or assistance.

[1] Business for cyber crooks ‘booming’, Australian Associated Press, 10 October 2017

[2] AUSTRAC

[3] Andrew Davis, senior analyst for the Australian Strategic Policy Institute’s international cyber policy centre.