Be cyber-safe, don’t hibernate

As Scott Morrison implements strict social distancing measures and puts our Australian economy into hibernation, businesses in the financial services sector must remain extra vigilant of the increase in cyber-threats facing them, their suppliers and their customers from the digital space. 

Although we are all busily practising social distancing, it is crucial for businesses in the financial services sector not to distance themselves from their privacy obligations, including under the Privacy Act 1988 (Cth) (Privacy Act) as well as any additional commitments made under their privacy policies and other customer facing arrangements.  There is no relief from these obligations during the COVID-19 outbreak and, in fact, with so many people glued to their TVs and online news sources, the damage flowing from data breaches during the pandemic (including reputational damage) has the potential to be higher than ever before.

Particular challenges for the Financial Services sector

Scammers are attempting to exploit Australian businesses and individuals that are impacted by the COVID-19 crisis, and the ACCC’s cyber monitor, ScamWatch, has reported a significant increase in cyber security incidents since the global pandemic evolved, with over 1,000 COVID-19 related scams reported already[1]. This is of particular concern for the financial services industry, which was already the second highest reporting sector for data breaches[2], with 64% of all notifiable data breaches consisting of malicious or criminal attacks[3]. 

As the use of remote access technology increases (in terms of the applications, frequency and even types of people using technology), so, too, do the risks of malicious and criminal cyber security incidents.  From credential phishing (attempts to steal log-in and password details including by pretending to be banks, payment facilitators, Centrelink, MyGov, the ATO, etc.) to sham fundraising, fradusters are ramping up cyber activity to take advantage of the global pandemic.

As the personal information that financial services businesses (and their suppliers) hold in respect of their customers is particularly valuable for fraudsters (such as credit card and bank account information), there is an increased risk that:

• customers will be successfully targeted through spam, phishing or targeted spear-phishing attacks;
• suppliers will be successfully targeted, leading to a breach of their privacy and data security obligations; and
• financial services companies themselves will breach their privacy obligations.

Practical measures

As the financial services industry is facing an even higher threat of cyber attacks due to COVID-19, it is crucial for businesses to enhance security measures and technology practices to align with that increase. This is particularly crucial while financial services businesses are, for example, encouraging more of their customers to engage in internet and online banking, with some of those customers being unsophisticated or vulnerable when it comes to the use of technology and protecting themselves from cyber-threats. In addition to the general security measures which Australian businesses should implement (see our earlier article here) we recommend financial services businesses consider implementing the following additional security measures:

What to do if there is a cyber-incident

If you do become aware of a cyber-incident, including one which could result in a data breach, it is important to act methodically and quickly to assess the incident, mitigate the impacts of the incident and, if appropriate, report the breach.  Additional guidance on what to do, including for compliance with the Privacy Act, is set out here.

If you are an Australian Prudential Regulation Authority (APRA) regulated entity, and the breach has, or has the potential to, materially affect you, the interests of your depositors, policyholders, beneficiaries or other customers, then there is an additional obligation to notify APRA as soon as possible (and within 72 hours after becoming aware of the breach).

Key takeaway

The COVID-19 outbreak poses an array of cyber security challenges for financial services businesses in Australia.  Despite the government’s economic hibernation approach, Australian businesses cannot (and their privacy obligations do not) freeze at this point in time. Now is the time for financial services businesses to prepare methodically – by assessing and, where appropriate, increasing cyber-security measures they have in place; maintaining clear and regular lines of communication with personnel, suppliers and customers; and reviewing, testing and updating their business continuity and data breach response plans – so that they are well placed to act rapidly and effectively to external threats and to minimise the impact of any successful attacks. 

Thanks to Emily Stone for her assistance in putting this article together.

For further information on any of the issues raised in this alert, please contact our team below.

References:

[1] https://www.scamwatch.gov.au/types-of-scams/current-covid-19-coronavirus-scams

[2] https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-july-december-2019/ 

[3] ibid.

This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.