In this era of technological change, financial innovation, online engagement, and heavy reliance on smart devices, it comes as no surprise that the protection of consumer data across technology platforms, and the cyber risk that accompanies such innovation, have become a central concern for holders of an Australian Financial Services Licence or Credit Licence (Licensees).
Cyber risks affect nearly all sectors of the economy, reaching almost any business that sells a product or service through an online platform or facilitates an online payment. In response to this emerging risk, the Australian Government has established an Executive Cyber Council with a Cyber Security Strategy covering the period 2023-2030. The main objectives of this Council are to increase awareness of cyber threats to industry and government, build resilience and consider protection strategies [1].
What is cyber resilience?
The protection of personal, sensitive and credit information is overseen by the Office of the Australian Information Commissioner. The use of this information within the technological resources of a Licensee during the provision of its financial services is overseen by the Australian Securities and Investments Commission (ASIC).
ASIC considers ‘Cyber Resilience’ to be:
“…the ability to adapt to disruptions caused by cyber security incidents while maintaining continuous business operations. This includes the ability to detect, manage and recover from incidents.” [2]
ASIC has recently published its intention to increase awareness and to encourage risk-based and proportionate cyber resilience management practices. To this effect, we expect that ASIC is likely to monitor market developments in this area and incorporate cyber resilience into its surveillance programs.
How does cyber risk management apply to Licensees?
Cyber risks may arise in the context of inadvertent disclosure of, or access to, personal information, credit information, sensitive information, digital identification, use of biometrics, online banking, paying bills, open banking, paying distributions, settlements, telecommunications, and use of internet service providers, some or all of which fall within the realm of financial or credit services provided by Licensees. Cyber risks may also arise from deliberate malicious attacks by third parties.
As part of their general obligations, Licensees are (amongst other things) required to have adequate resources (including financial, technological and human resources) and risk management systems to provide the financial or credit services covered by the Licence [3]. Additionally, ASIC expects that Licensees will explicitly identify the risks that they face and have measures in place to mitigate or avoid those risks.
What should Licensees do?
Licensees should scope their data flows and technology landscape and consider the potential risks that may arise on a day-to-day basis. We think it would also be prudent for Licensees to refer to ASIC’s guidance on good practice (GP) and canvass such issues across the whole of their business, taking note of the following in the development of cyber resilience processes and policies:
- GP 1 – Board engagement
- GP 2 – Governance
- GP 3 – Cyber risk management
- GP 4 – Third party risk management
- GP 5 – Collaboration and information sharing
- GP 6 – Asset management
- GP 7 – Cyber awareness and training
- GP 8 – Protective measures and controls
- GP 9 – Detection systems and processes
- GP 10 – Response planning
- GP 11 – Recovery planning [4]
Cyber awareness and resilience should be cascaded across the whole spectrum of the Licensee’s business. It is an obligation that clearly touches the Licensee’s general obligations, but it may also give rise to obligations within directors’ duties and in the disclosures made within annual reports, information memoranda, prospectuses and PDSs.
Your Next Steps
At Madison Marcus, we have the expertise and resources to assist Licensees in considering their cyber risk framework and procedural needs, to draft and review your cyber policies, and to deliver training tailored to your business needs.
[1] 2023-2030 Australian Cyber Security Strategy (homeaffairs.gov.au)
[3] Section 912A of the Corporations Act 2001 and section 47 of the National Consumer Protection Act 2009