Are you hacker proof or an old hack? Avoiding the next Ashley Madison

Being cyber resilient is not only about fulfilling a statutory obligation but also about preserving the integrity of a financial services firm, according to Holley Nethercote.

Last year I wrote about how the section 912A requirements of the Corporations Act are not just  a series of obligations, but are useful tools in running a successful financial services business.

One of the key tools is the business’ risk management framework. Risk management and success in business go hand in glove. A key risk that all financial services businesses must consider right now is exposure to computer hacking.

There are already many instances of financial planning businesses, accounting practices, lawyers and their clients, having funds stolen by hackers. 

VIEW ALL

View all

This includes the convincing impersonation of clients by following online behaviour, expensive ‘ransom ware’ attacks where your system shuts down until you meet the ransom demand and pay money to an anonymous and untraceable party, or software that intercepts and re-diverts what appears to be validly entered online payment details but sends the money to another account.  

In addition to the money, hackers frequently gain unauthorised access to personal and sensitive information which could result in significant harm to the individuals concerned. These occurrences are increasing at an alarming rate.

It is no wonder that the Australian Securities and Investments Commission (ASIC) has made cyber resilience a focus point in 2017!

With this in mind, it is more important than ever to avoid your business turning into the next Ashley Madison – the dating website that resulted in one of the largest data breaches to date. You can: 

• Proof yourself against digital disruption and cyber attacks; and
• Ensure that you have a plan in place for when an attack occurs.

It is an unfortunate fact that the resources of ‘the hackers’ are much greater than the resources of a single financial services business. If the hackers can breach the systems of major government and private institutions, they will be able to breach those of most licensees.

That is why it is important to have a plan in place in the event that a breach occurs. Treat it as a “not if, but when” event.

Change in the industry 

The world is changing rapidly, and financial services are no exception to this. As an industry, it is becoming increasingly reliant on technological and internet-based services to both deliver its services and to store confidential client information.

On the plus side, this has led the industry to experience significant growth, improved efficiency, and re-engage consumers through exciting new and creative fintech platforms. Unfortunately, this success exposes the financial services sector, and increases its overall cyber crime risk profile.

Those who engage in cyber crime include the same type of people that used to engage in bank robbery. It is not surprising that they follow the money. Many are sophisticated and well resourced.

These attacks threaten not only the consumers whose information may be leaked or accounts hacked, but investor confidence and the economy at large. ASIC has outlined these key threats as: 

Unauthorised trading – ASIC has discovered identity fraud on client accounts;

• Market manipulation – cyber-attacks have been used to manipulate share prices;
• “Dark pool” and high-frequency trading – a dark pool enables assets such as shares to be traded away from public exchanges by ‘matching’ client orders. The matching of client orders can be described as a ‘crossing system’. Attacks on crossing systems or automated trading can take advantage of trading complexity and capacity. This increases the risks of algorithmic malfunctions and unsolicited information leakage;
• Banking transactions – examples include targeting pre-paid debit cards because such cards are not linked to specific accounts, minimising early detection; and
• Contactless payments – this technology is vulnerable to exploitation, i.e. data can be intercepted where the card or phone is in close proximity or communicating with compromised or custom-built devices intended to intercept and extract personal and financial information.

In its response to these threats, ASIC is largely seeking to engage in preventative regulation through s912A compliance obligations, and over the next 18 months will be: 

• Undertaking market surveillance; 
• Conducting cyber resilience surveys; and 
• Setting up a cyber-taskforce. 

s912A and ASIC’s 2017 focus

As we discussed last time, section 912A requires a financial services business to, among other things:

• “Have adequate risk management systems”; and 
• “Have available adequate resources (including…technological and human resources)”.

Risk managing your technology and your staff seems easy enough – you have a decent server and IT contractor and send your staff off for some cyber risk training, right?  

If that is all you are doing, then your licensee is fairly typical. However, those steps will no longer be sufficient. The increasing incidence of cyber attacks, and ASIC’s 2017 focus, are compelling reasons to have a specific project around cyber resilience.

Additionally, a recent bill has been passed that means there will soon be mandatory data breach notification requirements.

If there is a data breach

First, not all data breaches are reportable data breaches. Those that are reportable must be reported to the Office of the Australian Information Commissioner (Privacy Commissioner) and your affected clients.

For a data breach to be reportable, unauthorised access to information must have occurred; and this is likely to lead to serious harm (including physical, psychological, emotional, economic, and financial harm).

So, if this had been around back when Ashley Madison was hacked in 2015, the breach would have been reportable because the unauthorised access to the personal information led members of the public to discover their partners had been eliciting affairs online, causing serious emotional harm.

Secondly, a data breach is not reportable if “the entity takes action to prevent serious harm occurring (and a reasonable person would conclude that due to the remedial action, the disclosure is not likely to result in serious harm to the affected individuals)”.

This essentially means that if you have adequate and effective cyber resilience systems in place, in the event of a breach, if you are quick to respond and take action, you may be able to avoid reporting to the Privacy Commissioner and your affected clients.

Risk management

ASIC’s 2017 focus on cyber resilience should give you a good reason to seize the opportunity to assess your threats and vulnerabilities now, and understand where and how your most valuable information is held.

Understanding exactly how your confidential client information is stored, and its potential vulnerabilities, are important first steps. Effective risk management means adequate resources, and a commitment of resources, to assess and develop appropriate strategies, including planning responses to a cyber attack and data breaches.  

It is important to consider when evaluating your cyber crime risk:

1. Whether your existing information technology systems, processes and procedures have been tested for cyber resilience.  If not, it might be useful to perform a penetration test to find this out. 
2. What resources are available to deal with cyber risks? What is adequate will depend on the types of risk you face, the nature, scale and complexity of your business, and your legal compliance obligations. You may be required to consider updating or renewing appropriate education and training for employees and contractors.
3. What are the monitoring processes and procedures to detect a cyber attack? Some common signs of cyber attack include:

• Any anomalous activity occurring on your system (e.g. unauthorised access to restricted applications or data, or unusually high accesses to certain data);
• Irregular behaviour by users on your website; or
• Abnormal external service provider activity. 

      4. Does the board take “ownership” of cyber strategy and ensure period review to assess progress? For example:

• Should you involve active engagement by directors and the board in managing any applicable cyber risks; and
• If you are a director of a company, you may need to take cyber risks into account when undertaking your duties.

       5. Would your current insurance policies respond to either a direct loss or a claim against you by a client who has lost money or had their data breached by hacking into your system?
       6. Are your staff trained in what to look out for? (For example, the use of mobile phones that may not be secure and that may synchronise with your business server, or when not to open an attachment).

Developing an understanding of exactly how your private client information is stored, and the risks it exposes you to, allows you to more accurately proof your business against cyber attacks. 

Conclusion

ASIC’s 2017 focus on cyber resilience is not just another in a long string of regulatory requirements that you, as a licensee, have to comply with.

This focus on cyber resilience is a great opportunity to strengthen your business by upgrading your systems and reassuring your customers that their finances and their sensitive information are as safe as you can make them, and that, if your systems are breached, that you will respond quickly to limit any damage.

If history has taught us anything, it’s that a data breach has the potential not only to trigger legal obligations, but to destroy a brand as well.

Investing in both your technological and human assets regarding cyber security is not just a statutory obligation, it is preserving the integrity of your brand. 

Nicola Stevenson and Alexandra Consiglio are legal clerks, and Grant Holley is a partner at Holley Nethercote.