It has been three months since Australia’s Notifiable Data Breach Scheme (NDB Scheme)[1] came into force and, already, the Office of the Australian Information Commissioner (OAIC) is receiving many notifications of cyber-attacks and other data breaches, both voluntarily and under the NDB Scheme.

We will see even greater awareness of cybersecurity and data protection issues now that the European Union (EU) has introduced its General Data Protection Regulation (GDPR).

So what do financial institutions operating in Australia have to know about their obligations when responding to cyber-attacks?

Hackers are targeting financial institutions

Financial institutions hold large volumes of data about their clients, investors and consumers. In addition, that data is often valuable and sensitive and, in the wrong hands, can lead to fraud and identity theft.

Personal information is typically collected when people open bank accounts, apply for units in a trust, apply for credit, make investments and so on. This collection of personal information is augmented by the fact that many financial service providers provide “designated services” and are “reporting entities” subject to Australia’s Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) regime. Under that regime, those financial service providers are compelled by law to collect personal data as part of their mandatory “customer due diligence” and “know your customer” obligations.

Remember those 100 point ID checks when you open a bank account? Those checks are satisfied by the customer handing over identity documents, and the personal information on them is then retained by the institution.

It must come as no surprise, then, that the wealth of personal data collected by financial institutions for AML/CTF purposes and for their own marketing purposes makes financial institutions very attractive targets for hackers. In fact, in 30% of all data breach cases notified to the OAIC during February and March of this year, financial details (such as bank account and credit card details) were involved in the breach. Worse, the financial services industry is generally at or near the top of lists of the industries that suffer the most cyber-attacks.

As the popularity of FinTech, digital tokens and the use of blockchain technology continue to grow, so too may the potential for cyber-attacks to occur.

Australian cyber-security regulation

In Australia, there is no “Cybersecurity Act” per se, but entities that hold Australian financial service licences (AFSLs) have obligations under the Corporations Act 2001 (Cth) (Corporations Act) to have available adequate resources (including technological resources) to provide the financial services covered by the licence.

ASIC’s Regulatory Guide 104 tells us that this means that AFSL holders need to have enough technological resources to, amongst other things, maintain client records and data integrity as well as protect confidential and other information.

Those who are regulated by the Australian Prudential Regulation Authority (APRA) may also become subject to cyber-security standards in the near future. The prudential regulator is currently consulting publicly on its proposal to set prudential standards aimed at tackling the growing threat of cyber-attacks against authorised deposit-taking institutions (including banks), superannuation funds, insurers and other APRA-regulated entities.

The Privacy Act 1988 (Cth) (Privacy Act) also contains a general security obligation requiring organisations to take reasonable steps to secure personal information against misuse, interference, loss and unauthorised access, modification or disclosure. In practice, this means that financial services providers must also take steps to ensure that the contractors and service providers who handle personal information on their behalf implement equivalent security precautions.

That said, although organisations have to do all they reasonably can to protect their systems and the personal data they have collected from unauthorised access, it is commonly accepted that no IT system can be made entirely secure against third-party attack. Even so, any successful cyber-attack or data breach invites the inference that the organisation may not have taken all reasonable steps to secure its holdings of personal information, and will tend to attract the unwanted scrutiny of customers, shareholders and regulators.

What may Australian financial institutions have to do if they have been hacked, or suspect that they have been hacked?

In the first instance, AFSL holders may have to notify ASIC if they suspect they have been hacked. This is because it is possible that the hack may have arisen because the AFSL holder breached its obligations under the Corporations Act to have adequate technological resources (as described above).

The next step is to assess whether Australia’s new NDB Scheme is triggered. The NDB Scheme requires that all entities subject to the Privacy Act (not just financial institutions) notify the OAIC, and the individuals at risk, of an ‘eligible data breach’.

An eligible data breach is when there has been:

  • unauthorised access to personal information; or
  • unauthorised disclosure of personal information; or
  • loss of personal information,

which is likely to result in serious harm to one or more individuals, and where that risk of serious harm has not been prevented by remedial action. Where an entity merely suspects that an eligible data breach has occurred, it must carry out a reasonable and expeditious assessment of the suspicion (within 30 days) to decide whether the notification obligation applies.

On top of this requirement under Australian law, financial institutions need to be mindful that they may have similar obligations under foreign law. For example, the GDPR, which the EU has just implemented, may require Australian businesses to comply with its obligations if they are established in the EU, or if they offer goods or services to, or monitor the behaviour of, individuals located in the EU (regardless of those individuals’ citizenship).

Although similar in principle to the NDB Scheme, the data breach notification obligations in the GDPR are accompanied by privacy obligations that are much more demanding than those under Australia’s Privacy Act. Contraventions of the GDPR can attract hefty fines of up to €20 million or 4% of the organisation’s annual worldwide turnover, whichever is higher. These new privacy protection laws may also result in heightened litigation risks, as they give individuals new rights to seek compensation from data controllers or processors and allow representative bodies to bring collective actions on their behalf.

It is clear that financial institutions should now determine whether they are subject to the GDPR. If so, we recommend that financial institutions prepare for what can be a considerable project to ensure that their handling of personal data complies with GDPR obligations.

In any case, our advice to our financial services clients is to be vigilant when it comes to protecting their IT systems and the personal information they collect about consumers and investors. We strongly recommend implementing a well-designed and comprehensive data breach response plan that covers data breach notification, public relations, back-up and recovery systems and other measures that can be put into effect quickly and effectively following any cyber incident. The plan should be rehearsed and tested periodically. An appropriate and rehearsed data breach response plan can reduce the cost and time taken to respond to a data breach. It can also help the organisation to recover quickly and to continue providing quality financial services to customers and investors.

Lastly, in New South Wales, if the cyber-attack results in someone committing fraud or any other serious indictable offence under the Crimes Act 1900 (NSW), financial institutions (and others) may be obliged to report it to the police. Please contact us for more advice.

[1] Part IIIC of the Privacy Act 1988 (Cth)