The Australian Cyber Security Centre (ACSC) has released their annual threat report, finding that advanced malicious cyber activity has increased in “frequency, scale, sophistication and severity” with regard to accessing business and customer data.  Cyber criminals have adapted tradecraft to target specific businesses with ransomware and credential-harvesting malware posing significant threats. Cyber criminals have also begun targeting companies that provide products or services through outsourcing arrangements by seeking secondary or tertiary access through the trusted third party.  

Fintech businesses should seek to address these issues to the extent they are dealing with third parties in their own supply chains.  This is a key risk both for fintechs and incumbent financial services businesses.  It is a particularly pertinent warning following the results of the ASX 100 Cyber Health Check report earlier this year.  That report indicated that a key shortcoming for large companies was the lack of knowledge held in relation to their dealings with third parties. 

ACSC’s key recommendation for business is to invest in prevention through implementing strong cyber security mitigation and incident management strategies such as the Australian Signals Directorate’s Essential Eight.  Entities subject to the Australian Privacy Principles (APP) are also reminded that the Federal Parliament enacted the Privacy Amendment (Notifiable Data Breaches) Act 2017 earlier this year (discussed here), which would require APP entities to notify the Office of the Australian Information Commissioner and any potentially affected individuals of an eligible data breach.