What Australian Financial Institutions Need to Know About Cyber Security

It’s been over a year since Australia’s Notifiable Data Breach Scheme (NDB Scheme) made headlines. Under the scheme, the Office of the Australian Information Commissioner (OAIC) has been notified of countless cyber attacks and data breaches. Awareness of cyber security and data protection has also grown since the European Union (EU) introduced its General Data Protection Regulation (GDPR), a regulation made under EU law that protects the data and privacy of everyone living in the European Union. This post looks at what Australian financial institutions must do when they respond to cyber attacks.


How Hackers Target Financial Institutions

All banks, credit unions, and other financial institutions hold a lot of information about their clients, customers, and investors, much of it sensitive. When it ends up in the wrong hands, it can lead to data breaches, fraud, and identity theft. This personal information is collected whenever an individual applies for a credit card, applies for units in a trust fund, makes an investment, or opens a bank account.

This personal information is required because these institutions are reporting entities that provide designated services under Australia’s Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) regime. They are required by law to collect this sensitive information as part of their customer due diligence and know-your-customer (KYC) obligations.

One example is the 100 point ID check required when you open a new bank account, which is satisfied once the individual provides the required personal information. The volume of information these institutions collect, for AML/CTF compliance, for their own operational purposes and for marketing, makes them attractive targets for cyber attackers.

Between February and March 2018, 30% of data breaches were reported to the OAIC, and sensitive personal information was compromised in those breaches. These institutions are at the top of the list when it comes to cyber attacks. The popularity of bitcoin, other digital coins, and blockchain technology has also made individuals susceptible to cyber attacks.


About Australian Cybersecurity

Since there’s no Cybersecurity Act in Australia, institutions that hold Australian financial services licenses (AFSLs) have to follow the rules under the Corporations Act 2001 (Cth), which require them to have adequate resources to provide the services covered by the license. According to ASIC’s Regulatory Guide 104, AFSL holders must meet information security requirements to keep client records secure and protect this confidential information.

Institutions regulated by the Australian Prudential Regulation Authority (APRA) should also expect further cyber-security requirements in the near future: the regulator is consulting publicly on prudential standards intended to prevent cyber attacks on banks and credit unions. In addition, the Privacy Act 1988 requires these institutions to take reasonable steps to protect consumers’ personal information from unauthorized access or data loss.

These institutions must also take steps to ensure that their contractors follow the same safeguards. Institutions are doing everything they can to make sure the personal data they collect from their clients is protected from third-party attacks, because a cyber attack or data breach suggests that the institution may not have taken the steps needed to secure that personal information. A data breach leaves a business open to scrutiny and criticism.


What Should Australian Institutions Do if They Have Been Hacked?

AFSL holders must contact ASIC as soon as they know they have been hacked, since the breach indicates that the holder did not have the information security resources required under the Corporations Act to prevent it from happening.

The next step is to determine whether the organisation is covered by the NDB scheme. The NDB scheme covers all institutions that are subject to the Privacy Act, not only the individuals who have been affected. A data breach occurs when there has been a loss of sensitive information, unauthorized access to personal information, or unauthorized disclosure of personal information.

Such exposure of sensitive information could cause harm to one or more individuals, and that harm cannot be undone even if the breach is reported as soon as possible. These institutions may also have similar obligations under European law: the GDPR applies to Australian institutions if they are established in the European Union or if they offer goods and services there.

In addition to the NDB Scheme, institutions have to determine whether the GDPR applies to them, and if it does, ensure that their handling of personal information and their technology meet GDPR obligations. If a cyber attack is the result of fraud or another offense, institutions must report it to the authorities as soon as possible.
