Licensing, insurance and data security
“The impact of cyber risk is insidious. It can have a multiplier effect on individual businesses, markets and ultimately – consumers.”
— A speech by Deputy Chair Karen Chester, to the AFR Business Summit 2021, Wednesday 10 March 2021.
Risks, vulnerabilities and threats
“More than half of Australian businesses were hit by attacks on their computer systems in the past 12 months, losing on average four days of productivity in attempts to get back online.”
— Max Mason, The Australian Financial Review, 23 April 2021
We’ve previously discussed risks, regulatory expectations and the consequences of complacency when dealing with privacy and data security issues. We don’t want to labour the point, but it’s becoming increasingly apparent that all businesses – regardless of their size – need to address these risks, vulnerabilities and threats.
It’s tempting for advisers and licensees to dismiss these as institutional responsibilities, but if you needed a counter-argument, consider ASIC’s decision to commence proceedings against RI Advice Group Pty Ltd (RI) for failing to have adequate cyber security systems.
Although you might be surprised by 20-191MR “ASIC commences proceedings against RI Advice Group”, you’ll no doubt recall our previous warning that, as an AFSL, s912A(1)(a) of the Corporations Act requires you to ensure that the financial services covered by your licence are provided efficiently, honestly, and fairly. In addition, you need adequate resources and adequate risk management systems.
In August 2020, ASIC shattered licensees’ complacency by commencing proceedings in the Federal Court of Australia against RI Advice Group Pty Ltd (RI), an Australian Financial Services (AFS) licence holder, for failing to have adequate cyber security systems.
Think of it as a core obligation and a significant duty.
We have yet to see a determination in the RI case. However, in a speech delivered on 10 March 2021 by the ASIC Deputy Chair, Karen Chester, to the AFR Business Summit, cyber risk was called out as one of the harms in ASIC’s crosshairs, and she recommended that regulated entities anticipate self-assessments and prepare themselves for a regulator willing to take decisive, deterrence-based enforcement action.
We differentiate ourselves from our peers by being practical rather than alarmist, but we’d be negligent if we didn’t remind you of your risks and liabilities in respect of privacy, data security and record keeping.
Like it or not, securing client data is now a core responsibility of both licensees and advisers, and you need to take action commensurate with your perceived risks and appropriate for the nature, scale, and complexity of your business.
In addition to securing data, ASIC requires licensees to ensure that records are kept for 7 years after the day the personal advice was provided to the client, and to ensure that these records are accessible to your authorising Licensee.
PII: A measure of safety?
“Given the increased threat of cyber attacks, we expect our regulated population, particularly licensees, to address cyber risks as part of its legal and compliance obligations—including risk management and disclosure requirements.”
— REP429 at Page 38
As we have seen in Australian Securities and Investments Commission v RI Advice Group Pty Ltd, ASIC considered that the Licensee’s failure to implement adequate cyber security systems represented a contravention of the obligation imposed by s912A(1)(d) to have adequate resources (including financial, technological, and human resources) to provide the financial services covered by the Licence.
ASIC suggests that RI Advice, as part of its licence conditions, was required to identify the risks that it and its ARs faced in the course of providing financial services on RI Advice’s behalf, including in relation to cyber security and cyber resilience. Our focus on client data and data security was premised on our appreciation of the rich data held by advisers and licensees, and our anticipation of further regulatory action.
According to the Australian Cyber Security Centre, 62% of small to medium businesses (SMBs) in Australia had experienced a cyber incident (incidents are more common among businesses with five or more employees).
The real challenge for many licensees and advisers is their presumption that their Professional Indemnity Insurance will insulate them from any claims, loss or damage that is a consequence of poor information management.
“Just because something is part of your obligations for holding an AFSL it does not mean it is part of the ‘professional services’ being covered by your PI policy.”
— Greg Hansen, Director of Professional Risks, Austbrokers Countrywide
Although there appears to be a logical overlap (and a grey area) for some data security breaches, most insurers consider that these types of claims are matters for an online crime policy and not PII. In fact, most PII policies either don’t mention cyber insurance or, if they do, treat it as a specific exclusion.
According to Greg Hansen, Director of Professional Risks at Austbrokers Countrywide, it’s more common for insurers to avoid cyber-insurance coverage than to include it as part of the professional services cover. It might not be specifically excluded, but it’s imprudent to presume cover or confidently assert a sufficient nexus to the provision of your professional services. If your insurer is silent on the risks, it might be because they will not consider any such incident to be related to the professional services covered.
Greg notes that, in his experience, only one PI Insurer provides adequate clarity on the limits of coverage and they’ve done so by including specific endorsements in their PI wording:
- An exclusion saying the PI policy does cover a loss arising from ‘unauthorised instructions given to you to transfer money…’ (social engineering fraud / identity fraud scenario) but only where the financial planner has previously verified the authentication of the instructions by a call back to the telephone number held on file for oral confirmation.
- A specific endorsement (below) saying what they are covering in terms of a ‘Cyber Act’.
CYBER AND DATA
1. Legal Liability from a Claim arising out of a Cyber Act or a Cyber Incident will be payable subject to all of the terms, conditions, warranties and exclusions of this Policy or endorsed hereon.
2. Notwithstanding the provisions set out in 1 above, this Policy does not cover:
2.1 Any regulatory investigation or any fines or penalties as a result of a Cyber Act or a Cyber Incident,
2.2 any costs or expenses of whatsoever nature incurred by the Insured to notify individual data subjects following the actual or suspected access to or acquisition of personally identifiable information resulting from a Cyber Act or a Cyber Incident. This includes, but is not limited to, the cost of crisis consultancy; legal advice and services; print and mailing; contact centre services; the provision of any identity/credit protection product or service.
1. Computer System means any computer, hardware, software, communications system, electronic device (including, but not limited to, smart phone, laptop, tablet, wearable device), server, cloud or microcontroller including any similar system or any configuration of the aforementioned and including any associated input, output, data storage device, networking equipment or back up facility, owned or operated by the Insured or any other party.
2. Cyber Act means an unauthorised, malicious or criminal act or series of related unauthorised, malicious or criminal acts, regardless of time and place, or the threat or hoax thereof involving access to, processing of, use of or operation of any Computer System.
3. Cyber Incident means:
3.1 any error or omission or series of related errors or omissions involving access to, processing of, use of or operation of any Computer System; or
3.2 any partial or total unavailability or failure or series of related partial or total unavailability or failures to access, process, use or operate any Computer System
Notwithstanding the specific endorsement, the exclusion of “cyber acts” and “cyber incidents” might more significantly narrow the value of the cover. More troubling, it may give advisers and licensees false confidence in the extent of their cover.
“The best advice I can give as a PI Insurance broker to AFSL Holders is the only real way to obtain adequate protection in both areas of professional services … and … cyber claims is to buy both a PI insurance and a Cyber Insurance policy.”
— Greg Hansen, Director of Professional Risks, Austbrokers Countrywide
There is simply no insurer that offers an insurance policy that covers an AFSL Holder’s obligations under its licence in both the PI / advice space and the Cyber / protection of client data space. While this has been offered to other professionals, there is neither the appetite, nor the capacity, to develop a combined insurance policy covering both areas. With PII premiums already increasing 30-40%, there’s little likelihood that cyber risk will automatically be covered, and there’s no likelihood that specialist insurers will move into the PII (financial planning) market. Plus, given the large increase in cyber-security claims, insurers are likely to avoid any additional liability for these issues.
In the absence of adequate cover, it’s even more important to embrace the controls, processes and procedures that mitigate your vulnerabilities or decrease your risks.
There is a view that adequate cyber-security requires significant resources but, in reality, you only need to implement arrangements appropriate to the nature, scale and complexity of your business. You need to identify, and be alert to these risks.
Build a safe environment for your data – Structured, Appropriate, Flexible and effective.
- Identify where all your data is stored
- Regularly monitor your systems and applications
- Review (and update) your security incident response plan
- Strengthen login credentials (Salt passwords)
- Don’t open attachments from unknown senders
- Restrict access rights
- Provide all employees with security training
- Ensure every device is password protected
- Adopt an anti-virus solution
- Be vigilant.
READ ASBFEO Cyber Security Report
You can start by:
- Acknowledging that cyber security is a real risk and right now should be one of your top priorities.
- Considering how you govern and manage cyber risk. These risks extend beyond technology, so consider your people and your outsourced providers.
- Doing a stocktake of your risks, vulnerabilities and controls:
  - Do you have cyber policies that enshrine your rules and expectations?
  - Have you communicated these?
  - How are you regularly checking that people are living and applying your policies, procedures and processes?
  - Do your people know how to identify, escalate and respond to cyber incidents?
- Taking the time to review, and consider, the standards, guidelines and best practices designed to help you manage cybersecurity risk.
- Undertaking an audit of the technology infrastructure underpinning your AFSL
- Engaging an external expert to test your IT security