Govt inquiry backs mandatory data breach notifications

A Government inquiry into Australia’s financial system has put its weight behind mandatory notification of data breaches and an update to Australia's ‘out of date’ national cyber security strategy.

The Financial System Inquiry, announced by Treasurer Joe Hockey late last year and led by former Commonwealth Bank CEO David Murray, was tasked with examining how Australia’s financial system is keeping up to date with the country’s evolving needs and economic growth.

It has so far received over 270 submissions and today released its interim report [pdf], ahead of the release of a final report in November.

The interim report calls on the Government to create technology-neutral legislation for the financial sector.

The inquiry panel recognised the effect technology-driven innovation is having on the financial system and singled out cloud computing, online and mobile banking and big data as the most disruptive trends.

It also noted that outdated regulation, cyber crime and privacy concerns were producing either new or increased risks.

While the use of cloud technology and 'big data' offered both cost and efficiency benefits to financial services operators, these trends come laden with increased security risks, the report noted.

This provided a further case for the introduction of mandatory data breach reporting - a topic which has been front of mind for both the Government and Opposition in recent years, but which has so far failed to be passed into law.

The panel recommended the scheme be implemented to provide transparency and help the financial services system regain public trust after a data breach.

It would also allow affected individuals to regain control over their personal information, the report said.

“If Australians do not trust institutions to protect their personal information, this will impede the ability to transact and conduct business online.

A recent study shows data breaches not only negatively impact Australian businesses, in terms of the direct costs of managing the consequences of the breach; they also significantly damage reputation and drive away customers.”

- Interim Financial Services Inquiry report

The increasing adoption of cloud technology within Australia’s financial sector similarly posed security risks related to the control of data and systems, the panel found. Regulators have limited capacity to investigate or take enforcement action in instances of a breach involving an offshore cloud provider. 

The panel recommended the Australian Prudential Regulation Authority be granted scope to deliver yet more guidelines for use of cloud computing to drive home the importance of protecting customer data and core systems.

But neither proposal would achieve its aims without a revised nationwide cyber security strategy.

Both the Commonwealth Bank and Westpac in their submissions to the inquiry called on the Government to update Australia’s national cyber security strategy (CSS), which was implemented in 2009.

The panel noted it lagged behind similar strategies in the United States, United Kingdom, Canada, New Zealand, France, Germany, Japan and Singapore, all of which were produced in the last 12 months to three years. 

The rise of e-commerce had positioned the financial services sector as a key target for a growing number of cyber attacks, the panel found.

It proposed the Government update the cyber security strategy not only to reflect changes in the threat environment, but also to progress public-sector collaboration. 

“While recognising industry collaboration already occurs, submissions argue that cyber security risk management could be improved by greater collaboration between Government, regulators and industry.

Although stakeholders acknowledge that financial institutions retain ultimate responsibility for maintaining the security of their own systems, they note that collaborating with Government can help institutions fine tune their efforts."

- Interim Financial Services Inquiry report

The panel found that, more generally, regulators and government need to balance the benefits of technological innovation - such as increased efficiency from access to growing amounts of customer data - against the risks - such as privacy and data security - when designing regulatory frameworks.

The ongoing challenges involved in attempting to apply existing, outdated, laws to a rapidly evolving financial services sector could be better met by amending existing legislation to become technology neutral, the panel found - an approach it would like to see taken to all future regulation.