Viruses about! Cyber-security update for lenders – Technology – Australia – Mondaq News Alerts


The COVID-19 outbreak poses an array of cyber security
challenges for lenders in Australia. The ACCC’s cyber monitor,
ScamWatch, has reported a significant increase in cyber security
incidents since the global pandemic evolved, with over 2,000
reported scams relating to COVID-19 to date. This is of particular
concern for the financial services industry, which was already the
second highest reporting sector for data breaches, with 64% of all
notifiable data breaches consisting of malicious or criminal
attacks.

While lenders are juggling a range of unprecedented and pressing
demands, it is important that they remain vigilant in monitoring
their compliance with data-security and privacy obligations in the
face of a heightened risk environment.

This article serves as a timely reminder of the steps that a
lender should take to ensure that it is well placed to respond
quickly and efficiently to a cyber incident, and the steps that a
lender should take if it believes that its systems or data have
been compromised.

Be prepared

It is prudent to review, and to ensure that the relevant staff
members are familiar with your data breach response plan, including
undertaking the following:

  • have your crisis management team ready for immediate
    mobilisation and response – a team of multi-disciplinary
    specialists (including, as appropriate, IT, legal, risk and
    compliance, PR/communications, corporate affairs and HR) which is
    known in advance and has full authority to act without seeking
    further approval; and

  • ensure that you have a robust data breach response plan (or
    review your existing plan) which should be capable of being
    implemented immediately. The plan should set out:

    • your strategy for containing, assessing and managing a data
      breach from start to finish – with clear reporting lines,
      escalation paths and criteria for when to mobilise the crisis
      management team;

    • your strategy for dealing with the communication of the data
      breach internally and externally – including to affected
      individuals, the OAIC and other regulators that may be relevant to
      your business;

    • the roles and responsibilities of staff members; and

    • processes for dealing with a data breach involving another
      entity, such as your IT supplier.

Consider having data-breach drills the same way that you would
have fire drills to test your data breach response plan and to
ensure that staff members are aware of their roles in order to
respond promptly to cyber incidents.

We may have been hacked – what now?

Practical steps

In practical terms, your response may include taking some or all
of the following steps:

  • get the facts of the data breach – don’t just rely on
    assumptions;

  • carefully manage communications to internal and external
    stakeholders – including setting the correct narrative for
    the data breach and your response from the outset;

  • build a stakeholder map, and consider the legal relationship
    you have with each stakeholder so as to ultimately guide you to a
    prioritised work plan for responding to the incident;

  • seek the protection that can be gained through legal
    professional privilege by engaging with your internal or external
    legal advisers – otherwise sensitive internal communications
    and documents about the breach (including forensics reports) could
    be exposed to regulators or those pursuing civil damages claims
    against you;

  • determine your notification obligations at law – to
    affected individuals, to the Office of the Australian Information
    Commissioner (OAIC) and to any other regulators relevant to your
    business – see below for further details; and

  • consider your contracts that may be impacted by the cyber
    incident, including rights and obligations that may be
    triggered.

Obligations at law

Lenders with an annual turnover of $3 million or more have
obligations under the Privacy Act 1988 (Cth) to report
certain data breaches (known as “eligible data
breaches”).

If you do become aware of a cyber-incident, including one that
could result in a data breach, it is important to act methodically
and quickly to assess the incident, mitigate the impacts of the
incident and, if appropriate, report the breach. If a suspected
data breach occurs, you should take the following steps:

  1. Commence an assessment

     You must undertake a reasonable and expeditious assessment (and,
     in any event, within 30 days of the suspected data breach
     occurring) to determine whether there are reasonable grounds to
     believe that an “eligible data breach” has occurred.

  2. Determine whether an “eligible data breach”
     has occurred

     An “eligible data breach” occurs if:


    • there is unauthorised access to, or disclosure of, information,
      or information is lost in circumstances where such unauthorised
      access or disclosure is likely to occur;

    • a reasonable person would conclude that access or disclosure
      would be likely to result in “serious harm” to any of the
      individuals to whom that information relates; and

    • you have not been able to prevent the likely risk of serious
      harm with remedial action.

     The key test for notification is whether the actual or suspected
     data breach is “likely to result in serious harm” to
     individuals. You should have regard to the following, among other
     relevant matters, when assessing whether individuals are likely to
     suffer “serious harm”:


      • the kind and sensitivity of the information involved in the
        breach;

      • whether the information is protected by security measure(s)
        and the likelihood of that protection being overcome;

      • the persons, or kinds of persons who have obtained, or could
        obtain, the information;

      • if a security technology or methodology was used to make the
        information unintelligible or meaningless – the information
        or knowledge that would be required to circumvent the technology or
        methodology; and

      • the nature of the harm – whether that harm be physical,
        psychological, emotional, reputational, economic or financial.

      It is not just the likelihood of the harm occurring, but also
      the anticipated consequences for individuals if the harm was to
      materialise (e.g. risk of identity theft).


      For example:


      • you become aware a USB drive containing customer credit card
        numbers and expiry dates is misplaced within your offices. The
        information is encrypted to industry standards and the USB drive is
        located within an hour. On that basis, it is unlikely that someone
        could have circumvented the encryption technology within that time
        and unless there are other escalating factors, this is unlikely to
        be an eligible data breach; and

      • you become aware that one of your employees’ smartphones
        has been left on the bus. The phone allows access to a
        spreadsheet you maintain (for internal reference) which analyses
        customers’ tendency to pay their credit cards on time. The
        spreadsheet is not password protected or otherwise encrypted, and
        the employee had not given your organisation the ability to
        remotely wipe data from the phone. This is likely to be an
        eligible data breach.

      As the notifiable data breaches scheme is relatively new, the
      meaning of “serious harm” is still somewhat nebulous.
      From a reputational perspective, it is often best to err on the
      side of caution and to make the required notifications if there is
      doubt as to whether the threshold of “serious harm” has
      been reached.

  3. Notify the OAIC, APRA and/or affected
     customers

     If you have reasonable grounds to believe that an “eligible
     data breach” has occurred, you must as soon as
     practicable:


    • prepare a statement setting out:

      • your contact details;

      • a description of the data breach;

      • the kinds of information concerned; and

      • the steps you recommend individuals take to mitigate the harm
        that may arise from the data breach;

    • give a copy of the statement to the OAIC; and

    • take such steps as are reasonable in the circumstances to
      notify affected individuals of the contents of the statement. This
      generally involves contacting the affected individuals by their
      preferred contact method (e.g. by mail / email). Where this is not
      practical (such as where the information relates to old customers
      for whom you no longer have current contact details), you should
      include a copy of the statement prepared for the OAIC on your
      company website and take reasonable steps to publicise the contents
      of that statement for other affected individuals to refer to.

If you are an Australian Prudential Regulation Authority
(APRA)-regulated entity, and the breach has materially affected, or
has the potential to materially affect, you or the interests of your
depositors, policyholders, beneficiaries or other customers, then
there is an additional obligation to notify APRA as soon as possible
(and within 72 hours after becoming aware of the breach). This means
that you may need to notify APRA even though the assessment described
in step 1 above is not yet complete.

A failure to notify an “eligible data breach” is
considered an interference with the privacy of an individual
affected by the breach. Serious or repeated interferences with
the privacy of an individual can give rise to civil penalties of up
to $2.1 million. Please note that if the EU General Data Protection
Regulation (GDPR) applies to you, you may be subject to additional
penalties under the GDPR.

Key takeaway

Lenders must be vigilant of this heightened risk environment.
Despite the extraordinary environment in which we find ourselves,
data security and privacy obligations continue to apply.

Now is the time for lenders to prepare methodically – by
assessing and, where appropriate, increasing cyber-security
measures they have in place, maintaining clear and regular lines of
communication with personnel, suppliers and customers, and
reviewing, testing and updating their business continuity and data
breach response plans – so that they are well placed to act
rapidly and effectively to external threats and to minimise the
impact of any successful attacks.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.