Type
Industry

Why Australian Financial Services Licensees absolutely MUST prioritise cyber-resilience

image description
David Court Partner Linkedin

12-18 November is Fraud Awareness Week, and once again, cyber-resilience is a hot topic.  As a licensee, do you wonder what you legally have to do?  Before we tell you, let’s start, as Simon Sinek recommends, with Why…

In one weekend earlier this year, the world was subject to an “unprecedented” cyber-attack which is reported to have affected approximately 200,000 users in 150 countries.  The “WannaCry” attack combined ransomware with a worm virus and spread quickly.  Victim’s systems were locked down and, unless they had appropriate safeguards in place, and backups, they had no access to information until a ransom was paid. In the meantime, the virus continued to spread through networks.

Why are we telling you this?

Licensees have possession of highly personal information. This information in the wrong hands can be used for criminal activities such as ID fraud, and can be sold for a high value. Certain industries are considered more vulnerable to attacks such as WannaCry because of the sensitive nature of the information that they held.[1]

This secondary market for personal information, as well as the inability to conduct business means that unprepared targets of an attack, like WannaCry, are more willing to pay a ransom to have the information unlocked and returned.

“This is a massive reminder to sectors across the world that Cyber-security should be a top-line executive priority and you need to do something to protect yourselves”.[2]

Of course, no-one wants to suffer from a cyber attack. But there are extra reasons why licensees should immediately prioritise cyber-resilience – for example, because your AFSL requires it.

1. You must have adequate risk management systems

  • Have you identified your vulnerability and exposure to cyber incidents?
  • Do you know what the risks are, and have you assessed what controls you need to deal with them?

If you haven’t incorporated cyber-resilience in your risk management systems, then you probably won’t be satisfying this license obligation.

2. You must have adequate information technology resources to provide the financial services covered by the license

  • If your information is locked down and you must pay a ransom, what will you do?
  • Can you continue to provide the financial services?
  • Have you identified the resources that your business needs to prevent cyber-incidents?

Licensees should be reviewing information technology resources in light of their ability to avoid, manage and respond to a cyber-incident – but also the ability to keep providing the financial services.

As all licensees would know, these procedures need to be documented, and you will need to update your compliance manual as well.

However, we are here to help! We’ve created a cyber-resilience manual to assist you with implementing cyber-resilience within your AFSL business.

For assistance or for more information, please contact our team.

Authors: David Court (Partner) and Fiona McCord (previously Senior Associate at Holley Nethercote)

[1] Rob Wainwright, Director Europol, speaking to the BBC “Ransomware cyber-attack threat escalating – Europol” 14 May 2017 https://www.bbc.com/news/technology-39913630

[2] As above