Insight 5 May 2020

Be cyber-safe, don’t hibernate

As Scott Morrison implements strict social distancing measures and puts our Australian economy into hibernation, businesses in the financial services sector must remain extra vigilant about the increase in cyber-threats facing them, their suppliers and their customers.

Although we are all busily practising social distancing, it is crucial for businesses in the financial services sector not to distance themselves from their privacy obligations, including under the Privacy Act 1988 (Cth) (Privacy Act) as well as any additional commitments made under their privacy policies and other customer-facing arrangements. There is no relief from these obligations during the COVID-19 outbreak and, in fact, with so many people glued to their TVs and online news sources, the damage flowing from data breaches during the pandemic (including reputational damage) has the potential to be higher than ever before.

Particular challenges for the Financial Services sector

Scammers are attempting to exploit Australian businesses and individuals that are impacted by the COVID-19 crisis, and the ACCC’s cyber monitor, ScamWatch, has reported a significant increase in cyber security incidents since the global pandemic evolved, with over 1,000 COVID-19 related scams reported already[1]. This is of particular concern for the financial services industry, which was already the second highest reporting sector for data breaches[2], with 64% of all notifiable data breaches consisting of malicious or criminal attacks[3]. 

As the use of remote access technology increases (in terms of the applications, frequency and even types of people using technology), so, too, do the risks of malicious and criminal cyber security incidents. From credential phishing (attempts to steal log-in and password details including by pretending to be banks, payment facilitators, Centrelink, MyGov, the ATO, etc.) to sham fundraising, fraudsters are ramping up cyber activity to take advantage of the global pandemic.

As the personal information that financial services businesses (and their suppliers) hold in respect of their customers is particularly valuable for fraudsters (such as credit card and bank account information), there is an increased risk that:

  • customers will be successfully targeted through spam, phishing or targeted spear-phishing attacks;
  • suppliers will be successfully targeted, leading to a breach of their privacy and data security obligations; and
  • financial services companies themselves will breach their privacy obligations.

Practical measures

As the financial services industry is facing an even higher threat of cyber attacks due to COVID-19, it is crucial for businesses to enhance security measures and technology practices to align with that increase. This is particularly crucial while financial services businesses are, for example, encouraging more of their customers to engage in internet and online banking, with some of those customers being unsophisticated or vulnerable when it comes to the use of technology and protecting themselves from cyber-threats. In addition to the general security measures which Australian businesses should implement (see our earlier article here) we recommend financial services businesses consider implementing the following additional security measures:

What to do if there is a cyber-incident

If you do become aware of a cyber-incident, including one which could result in a data breach, it is important to act methodically and quickly to assess the incident, mitigate the impacts of the incident and, if appropriate, report the breach.  Additional guidance on what to do, including for compliance with the Privacy Act, is set out here.

If you are an Australian Prudential Regulation Authority (APRA) regulated entity, and the breach has, or has the potential to, materially affect you, the interests of your depositors, policyholders, beneficiaries or other customers, then there is an additional obligation to notify APRA as soon as possible (and within 72 hours after becoming aware of the breach).

Key takeaway

The COVID-19 outbreak poses an array of cyber security challenges for financial services businesses in Australia. Despite the government’s economic hibernation approach, Australian businesses cannot (and their privacy obligations do not) freeze at this point in time. Now is the time for financial services businesses to prepare methodically – by assessing and, where appropriate, increasing cyber-security measures they have in place; maintaining clear and regular lines of communication with personnel, suppliers and customers; and reviewing, testing and updating their business continuity and data breach response plans – so that they are well placed to respond rapidly and effectively to external threats and to minimise the impact of any successful attacks.

Thanks to Emily Stone for her assistance in putting this article together.

For further information on any of the issues raised in this alert, please contact our team below.


References:

[1] https://www.scamwatch.gov.au/types-of-scams/current-covid-19-coronavirus-scams

[2] https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-july-december-2019/ 

[3] ibid.


This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.

About the authors

  • Matthew McMillan, Partner
  • Rebecca Lindhout, Special Counsel
  • Emily Stone, Lawyer

© 2017 McCullough Robertson.