Optus was recently the subject of what is being billed as the largest cyber-attack in Australian history. As flagged in our previous article, the Federal Government is currently reviewing Australia’s privacy and information security legislation, with various options mooted, including stronger privacy laws and harsher financial penalties for breaches.
Recently, the Federal Government announced the first in what will likely be a series of changes to update Australian privacy and information security legislation – granting governments and certain financial services providers the ability to request information from telecommunications carriers and carriage service providers (telcos) in relation to cybersecurity incidents.
The privacy landscape for telcos
The Australian Privacy Principles (APPs), which are contained within the Privacy Act 1988 (Cth) (Privacy Act), form the bulk of Australia’s privacy landscape. Entities that are regulated under the APPs are generally prohibited from disclosing personal information other than for the purpose for which the personal information was collected. In addition to the Privacy Act, the Telecommunications Act 1997 (Cth) (Telecommunications Act) specifically prohibits telcos from disclosing consumers’ personal information and the content of consumers’ communications (with a few exceptions).
Concerned that the existing prohibition on the disclosure of personal information may in fact impede governments and organisations from limiting the impact of data breaches on individuals, the government has passed the new Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2022 (Regulations). The Regulations, which are only intended to operate for the next 12 months, permit telcos to share personal information with government agencies and ‘financial services entities’ who request it for the purposes of preventing or responding to cyber security incidents or malicious cyber activity, fraud, scam activity or identity theft.
Where a request is issued following a cyber security incident that has impacted the telco, the disclosure may coincide with the telco making a mandatory data breach notification as required by the Privacy Act. However, the grounds on which such a request may be made are not limited to where a data breach notification is required. There is no threshold as to the scope, or threat posed by, a cyber incident before the disclosure may be requested. Nor is there a requirement that the telco actually be the subject of the data breach or cyber-attack.
‘Malicious cyber activity’ is also not defined, and would conceivably encompass a broad set of circumstances. That said, a government agency or financial services entity may only request the information if it is of the opinion that the disclosure is necessary and proportionate to address a relevant cyber security incident, malicious cyber activity, fraud, scam or identity theft.
What are ‘financial services entities’?
Under the Regulations, only particular categories of financial services providers are empowered to request the disclosure of specified information or documents from carriers and carriage service providers.
These categories of financial services providers are captured by the definition of ‘financial services entities’. Financial services entities are largely a subset of the bodies regulated by the Australian Prudential Regulation Authority (APRA), but also include entities providing services that are directly related to, or support, the provision of services by or to one or more of the financial services entities that are bodies regulated by APRA. The latter are not automatically financial services entities, but must apply to the Minister for approval.
Financial services entities and bodies regulated by APRA (the original table records, for each category below, whether it is a body regulated by APRA and whether it is a financial services entity)
- ADI, or authorised NOHC, within the meaning of the Banking Act 1959
- General insurer, authorised NOHC or subsidiary of a general insurer or authorised NOHC, within the meaning of the Insurance Act 1973
- Lloyd’s, or a Lloyd’s underwriter, within the meaning of the Insurance Act 1973
- Life company or registered NOHC within the meaning of the Life Insurance Act 1995
- Private health insurer within the meaning of the Private Health Insurance (Prudential Supervision) Act 2015
- Trustee of a superannuation entity within the meaning of the Superannuation Industry (Supervision) Act 1993
- RSA provider, within the meaning of the Retirement Savings Accounts Act 1997
- Body approved by the Minister which provides services which are directly related to, or support, the provision of services by or to financial services entities
Additional requirements for sharing with financial services entities
The grounds on which a financial services entity may issue a request are the same as those for government requests – for the sole purpose of preventing or responding to a cyber security incident or addressing malicious cyber activity, and where the officer believes that disclosure is necessary and proportionate to achieve this purpose.
However, requesting financial services entities must issue the Australian Competition and Consumer Commission (ACCC) with a written commitment relating to the manner in which they will handle the information sought. These include commitments that the entity will:
- only share the information with associates and related bodies for the purpose for which it received the information (e.g. to respond to a cyberattack);
- only access, use and disclose the information in accordance with the Privacy Act;
- store the information or document in a manner that prevents unauthorised access, disclosure or loss (note that this goes beyond the data security standard set out in the Privacy Act, specifically APP 11, which only requires that an entity take ‘reasonable steps’ to protect personal information); and
- destroy the information once it is no longer required for the cyber security purposes for which it was shared and, unless the information is destroyed sooner, review its need to retain the information at least every 12 months (this review obligation extends beyond the data handling processes required by the Privacy Act).
The Regulations do not require telcos to share requested information with any government agencies or financial services entities. The Federal Government appears to be confident that commercial and reputational factors will be sufficient motivation to ensure co-operation. Telcos should also be mindful that government entities retain the right to request access to such information through other means, such as warrants.
Cyber security a priority for the financial services industry
This new ability for financial services entities to request data from telcos will interact with these entities’ increasing cyber security obligations. Both APRA and the Australian Securities and Investments Commission (ASIC) take the view that the entities they regulate require strong cyber security practices, and that deficiencies in this space constitute a breach of their obligations under prudential and corporations regulation respectively. Financial services entities should begin to plan and prepare for the circumstances in which they might request information from telcos so as to continue to comply with these obligations.
Cyber security in prudential regulation
APRA largely regulates cyber security through CPS 234 – Information Security. CPS 234 makes the board of an APRA-regulated entity ultimately responsible for the entity’s information security. Information security must be maintained ‘in a manner commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity’.
In his opening statement to the House of Representatives Standing Committee on Economics, APRA Chair Wayne Byres described materially enhancing the cyber and operational resilience of financial institutions as one of the industry-wide themes to which APRA was devoting an increasing share of its efforts. In response to further questioning on the subject, Chair Byres noted that cyber security was taken very seriously across the financial services industry. However, Chair Byres also noted that because cyber security concerns were the product of active adversaries, it was almost certain that large-scale cyber security incidents would occur at some point. As such, financial services entities should plan how to integrate the new ability to request information from telcos into their cyber security policies.
Cyber security in corporations regulation
Australian Financial Services (AFS) Licensees are required by s 912A(1)(d) to have available adequate resources (including technological resources) to provide the financial services covered by the licence. ASIC has long taken the view that while the question of whether technological resources are adequate would depend on the ‘nature, scale and complexity’ of the business, AFS Licensees need to be able to maintain client records and data integrity, and to protect confidential and other information (RG 104).
ASIC’s view on cyber security recently received judicial support in ASIC v RI Advice, where the court found that the respondent had failed to manage its cyber security risk. Financial services entities should be aware that they are likely obliged by s 912A(1)(d) to integrate the new ability to request information from telcos into their cyber security policies, and should plan accordingly.
Against the backdrop of an increasing number of cyber-attacks – which can often generate significant brand and reputational damage for an organisation – it is no surprise that cyber security is assuming greater regulatory and industry significance in the financial services sector. It is also no secret that cyber-attacks in the financial services sector have the potential to destabilise market certainty by damaging consumer trust and confidence in the financial services system.
These regulatory developments that permit telcos to share certain personal information with financial services entities are a step in the right direction in terms of the prevention of further consumer harm following a cyber-attack. However, they do not remove the need for organisations to remain vigilant and focus on areas for improvement in their cyber security strategies, including in the following areas (which are often identified as critical by regulators and cyber security experts):
- Information risk management (e.g. staying abreast of externally managed systems and data).
- User access management (e.g. ensuring access to systems and data is adequately controlled).
- Monitoring and detection (e.g. establishing benchmarks for information flows over networks to identify any abnormalities).
- Security processes and procedures (e.g. undertaking an annual performance audit to review cyber controls).
- Staff education and awareness (e.g. committing to regular staff education and training in cyber resilience and realising the value of staff as a line of first defence).
- Incident response and management (e.g. stress testing internal and external networks in terms of crisis and incident management and having a plan for managing a variety of stakeholders, including customers and shareholders).
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.