Cyber security, incidents and privacy non‑compliance risks are paramount concerns for the financial services sector, an industry that holds large volumes of personal information dealing with customers' financial affairs.

The need for participants in the financial services sector to build resilience to respond to, and recover from, a significant data breach or other cyber incident has been put into sharp focus by recent regulatory developments.

  • ASIC has commenced its first enforcement action against an Australian Financial Services Licensee for breaches arising from failure to adequately prepare for cyber security incidents.
  • APRA has released its Cyber Security Strategy for 2020 to 2024, introducing heightened accountability where companies fail to meet their legally binding requirements under CPS 234.
  • ASIC is increasingly focusing on cyber security and cyber resilience as part of directors' duties (i.e. the duty to exercise their powers and discharge their duties with 'care and diligence').
  • The forthcoming review of the Privacy Act 1988 (Cth) is a reminder that regulatory parameters in respect of data are constantly evolving and financial service providers must also constantly adapt their data governance approach.

Not just a privacy issue: ASIC commences enforcement action for failure to protect against cyber incidents

Australian companies' protection of their customers' data is coming under increased scrutiny from a range of regulators, not only the Office of the Australian Information Commissioner (OAIC). In August 2020, ASIC commenced proceedings against RI Advice Group Pty Ltd (RI), for failing to have adequate cyber security systems.

The action is only in its early stages, with the Court tentatively listing it for trial in late November 2021. However, the claim highlights the importance that companies and their directors and officers should place on having robust cyber security policies and practices in place. It also illustrates that, in the face of a cyber incident, businesses need to consider, and receive advice on, their corporate regulatory obligations more generally, not only their privacy obligations.

The protection of personal information under the Privacy Act

In Australia, the regulation of personal information at the Commonwealth level is effected through the Privacy Act 1988 (Cth) (Privacy Act). Pursuant to section 13G of the Privacy Act the OAIC may seek a civil penalty order of up to AUD 2.1m in matters involving repeated or serious interference with privacy, although this has been flagged to increase later this year to the greater of $10m and 10% of annual domestic revenue.

To date, OAIC civil penalty proceedings are rare. Further, the protection of the data of corporate customers is not captured in this regulatory framework. However, in the recent penalty proceedings taken by the OAIC against Facebook (resulting from the Cambridge Analytica saga), the OAIC is seeking separate penalties (i.e. up to $2.1m) for each of the approx. 320,000 Australians affected which, if successful, will be a hefty fine, even by global standards.

Data protection and financial services obligations

Participants in the financial services sector who hold an Australian financial services licence are also subject to a range of general and specific obligations under Chapter 7 of the Corporations Act. Section 912A(1) of the Corporations Act sets out a range of general obligations, and the ASIC action against RI is based on a breach of the following obligations:

A financial services licensee must:

(d) … have available adequate resources (including … technological … resources) to provide the financial services covered by the licence and to carry out supervisory arrangements; and

(h) … have adequate risk management systems.

Additionally, it is a standard condition of Australian Financial Services Licences that:

The licensee must establish and maintain compliance measures that ensure, as far as is reasonably practicable, that the licensee complies with the provisions of financial services laws.

These provisions have always been broad enough to cover cyber security risks and bring data breaches and other cyber incidents within ASIC's investigatory remit. However, up until the RI action, there seemed to be no appetite for ASIC to take action in this space.

ASIC action against RI Advice Group

RI is a financial planning and advisory firm and an Australian Financial Services Licensee. ASIC alleges that RI was the target of several cyber incidents between 2016 and 2020. These included:

  • A ransomware attack which encrypted the company's files and made them inaccessible.
  • A malicious agent accessed RI's network through a remote access port, affecting 226 client groups.
  • A malicious agent used a brute force attack on an employee's login to access RI's servers. The intruders spent more than 155 hours logged on to the server. They accessed a client's identification documents and used them to redirect that client's mail with Australia Post and to open multiple bank accounts without the client's consent. The intruder also installed malicious software enabling cryptocurrency mining, a virtual private network and peer-to-peer file sharing.
  • The laptop of an authorised representative (AR) had a Trojan installed on it and was used to perpetrate a man-in-the-middle fraud: an email sent from the AR's email address asked her bookkeeper to transfer funds to a Turkish bank account.
  • An unauthorised party compromised a staff member's mailbox account.
  • A phishing attack, the second malicious attack targeting a particular AR's email account, accessed over ten thousand emails.

ASIC alleges that, although RI did undertake some cyber security initiatives to address the cyber security problems across its AR network, RI's measures and its responses were inadequate and should have included the following:

  1. developing a cyber security framework;
  2. undertaking a risk assessment across its AR network;
  3. seeking technical security assurance across its network to measure the level of cyber security risk;
  4. developing and implementing a cyber security remediation plan; and
  5. supporting cyber security initiatives tailored to its AR network.

ANZ Bank sold RI to IOOF on 1 October 2018. After the change of ownership, RI adopted IOOF's cyber security documentation. However, ASIC alleges that RI did not implement or use these documents correctly. Specifically, it is alleged that:

  • both RI and its ARs failed to tailor the documents to their requirements; and
  • neither RI nor the ARs implemented the content of the documents as part of their management of cyber security resilience and risk management.

ASIC alleges that RI breached its AFSL obligations and is seeking orders that RI pay a civil penalty and implement an appropriate cyber security risk management framework.

Under recent amendments to the Corporations Act there has been a significant increase in the penalty regime for breaches of financial services obligations. The maximum civil penalty for companies that are found to be in breach of section 912A obligations is now a fine of the greater of:

  • $11.1 million;
  • three times the benefit obtained and detriment avoided; and
  • 10% of annual turnover, capped at $555 million.

Analysis

ASIC's action demonstrates that it considers robust data security and governance to be a core obligation of all AFSL holders. The case is part of a growing trend globally, which has seen corporate regulators take an increased interest in how companies use and protect their customers' data, including personal information.

The RI action further emphasises that cyber security, cyber resilience and data governance must be a fundamental part of all organisations' risk management practices and frameworks. They need to be documented and considered at board level. Once policies are set, they need to be implemented and monitored. Organisations face increasing scrutiny to maintain effective data governance practices to mitigate against cyber incidents, including data breaches.

Additionally, in the event of a data breach an AFSL holder needs to consider not just its obligations to notify the OAIC in relation to the affected personal information, but also whether it needs to notify ASIC of a potential breach of its AFSL conditions. The obligation to notify will not be triggered by every data breach and will turn on the facts underpinning the incident.

It is also clear from the RI prosecution that incident response and remediation in the event of a data breach or cyber incident is critical. How an organisation responds to an incident, and the remediation steps it puts in place to avoid a repeated breach, will directly affect the likelihood of ancillary regulatory action and the level of any fines imposed.

APRA warns of step change in Australia's financial system cyber resilience

With the announcement of its 2020-2024 Cyber Security Strategy, APRA has heralded a shift in its approach to testing the cyber resilience of the financial sector.

APRA introduced Prudential Standard CPS 234 in July 2019 to ensure that APRA-regulated entities take measures to be resilient against information security incidents (including cyber attacks) by maintaining information security capability commensurate with the criticality of the IT/function and the information security vulnerabilities and threats.

One of the components of CPS 234 is the implementation of controls to protect information assets. In particular, where information assets are managed by a third party, APRA-regulated entities must assess the information security capability of that party, commensurate with the consequences or potential impact of an information security incident affecting those assets. Over the last 18 months we have assisted numerous clients to reconsider their third party information security relationships.

In its latest strategy, APRA highlights that it directly supervises only 680 participants in the financial services sector. However, there are over 17,000 interconnected financial entities, markets and financial market infrastructures that provide products and services to consumers. APRA has foreshadowed that it will apply a broader set of regulatory tools and techniques to cyber risk, to impose greater accountability on entities in the financial services sector.

APRA's new cyber strategy includes:

  • Enhanced cyber guidance for board members, internal auditors and risk management professionals.
  • Rectifying weak links with the broader financial eco-system and supply chain by fostering a more robust approach to cyber-assessment and assurance.
  • Harmonising the regulation and supervision of cyber security across the financial system by developing a system of third-party provider assessment and assurance for use by APRA-regulated entities.

Tougher sanctions for privacy breaches: Proposed changes to the Privacy Act

The Attorney-General's Department released the Privacy Act Review Issues Paper (Issues Paper) in October 2020. A discussion paper is scheduled to be released in 2021. The review of the Privacy Act follows recommendations made in the ACCC's Digital Platforms Inquiry in 2018 and the Australian Law Reform Commission Report on Serious Invasions of Privacy in the Digital Era.

The proposed changes foreshadowed in the Issues Paper have several implications for financial services providers as entities that deal with large volumes of personal information.

Expanding the Scope and Application of the Privacy Act 1988 (Cth)

The Issues Paper considers whether the definition of 'personal information' should be expanded to include technical data and online identifiers, including IP addresses, location data and device identifiers. Additional regulatory protection for de-identified, anonymised and pseudonymised information has also been suggested.

The Issues Paper also proposes a review of the current exemptions to the operation of the Privacy Act, especially the employee records exemption. The Privacy Act currently exempts personal information relating to an employee's work-related activities (i.e. employee records) from its operation. The scope of this exemption may be narrowed, or it may be removed altogether.

In December 2020, the OAIC provided its submission in response to the Issues Paper. The OAIC recommended a number of changes across the Act. These recommendations are driven by the OAIC's desire for a greater emphasis on the rights of individuals and the obligations of entities to protect those rights, so that the public interest is served by privacy law into the next decade.

Increased Consumer Protections

Requiring consent to (as opposed to notice of) the collection and disclosure of personal information has also been identified as a key area for reform in the Issues Paper. Reforms in the following areas are being considered:

  • Bundled consents: Although a document or privacy policy that bundles together multiple consents is currently common, it presents a barrier to obtaining informed and meaningful consent from consumers. Unbundled consents (as under the GDPR) may soon be required.
  • Imposing stricter notice requirements: The Issues Paper raises concerns regarding the collection notices currently used by organisations. It emphasises that notices will only be effective if they are presented in a way that can be easily understood by the individual to whom they are given. The extra risks posed by third party collectors and 'information fatigue' in individuals mean that there will likely be increased focus on this area. Reforms may include standardised notices or icons, and thought will be required when dealing with vulnerable persons.
  • Introduction of a right of erasure: A right of erasure (in addition to the existing APP 11.2 obligation) will likely involve the right of an individual to request, at any time, the erasure of their personal information by the organisation, unless retention of the information is required by law, or is otherwise in the public interest. However, the Issues Paper also asks respondents to consider the potential financial impact of this obligation on entities.

Stricter Enforcement and Penalties

The Issues Paper also covers proposals for harsher civil penalties and new enforcement actions for breaches of the Privacy Act.

As noted earlier, the Australian Government is already planning to increase the maximum penalty for serious or repeated breaches of privacy, which currently sits at $2,100,000, to a maximum penalty of the greater of:

  • $10,000,000;
  • three times the value of any benefit obtained through the misuse of information; and
  • 10% of a company's annual domestic revenue.

There are also planned amendments to provide the OAIC with new infringement notice powers. These powers will be backed by new penalties of $63,000 for bodies corporate for failure to cooperate with efforts to resolve minor breaches.

The Issues Paper is also considering the introduction of a right for individuals to bring direct actions and class actions against organisations to seek damages for harm suffered as a result of an interference with their privacy (which may be evidenced by a notifiable data breach). A possible statutory tort of 'invasion of privacy' has also been raised.

Implications for the Financial Services Sector

The proposed reforms demonstrate a shift away from reliance on principles towards prescriptive provisions, and towards heavier, more rigorously applied penalties for privacy breaches. As financial services providers collect large volumes of personal information from their customers, this increased oversight has several implications for them:

  • Companies will need to reconsider how they secure personal information
  • The operation of privacy policies, consent and notification mechanisms for collecting, using, disclosing, correcting and de‑identifying personal information will need to be reviewed or revised to ensure compliance with any stricter regulatory requirements
  • Companies will likely need to adopt new technologies to comply with the new requirements
  • There will likely be a higher cost of compliance for companies, especially if the right of erasure is adopted
  • Companies will likely be exposed to (i) harsher penalties and increased legal action in the event of breach and (ii) re-energised regulators