By Jim Bulling
At the Association of Superannuation Funds of Australia (ASFA) conference held in Brisbane in the last week of November, Stephen Glenfield, APRA’s General Manager of the South West region indicated that an area of significant interest for APRA during 2016 would be the extent to which superannuation funds were prepared for cybersecurity risks.
Mr Glenfield indicated that APRA would be conducting a thematic review of superannuation funds during 2016 which was designed to provide APRA with much more detailed information about the processes that superannuation fund trustees were putting in place to protect their funds and their members from cybersecurity breaches.
As thematic reviews carried out by APRA are usually precursors to further regulatory or prudential reform, this announcement should alert superannuation funds to expect more comprehensive regulatory requirements in relation to cybersecurity risk in the near future.
It is expected that APRA will be particularly interested in understanding how superannuation fund risk management frameworks address cybersecurity risks and how trustee boards are involved in the oversight of cybersecurity risk management. A likely focus of the reviews will be investigating the measures which superannuation funds have established to:
- identify critical assets and data
- protect such assets and data
- promptly detect when breaches have occurred
- respond to breaches including communications and reporting
- recover from breaches including reinstatement of systems and learnings from incidents.
This initiative follows ASIC's release in March of this year of its Report 429 on cyber resilience, and underlines how Australia's financial system regulators are becoming much more concerned about cybersecurity risks.
By Jim Bulling and Michelle Chasser
A quick response to a data breach is key to mitigating its impact. The Office of the Australian Information Commissioner (OAIC) recommends that all entities have a data breach response plan in place and has recently released draft guidance on how to develop such a plan.
The guidance recommends that the plan set out the actions to be taken in the event of a breach and the team members responsible for those actions. Here are some questions for your organisation to consider, based on the OAIC's draft guidance on developing a data breach response plan.
1. What constitutes a data breach?
2. What actions should your staff take?
3. Who is a member of the response team?
4. When does a breach need to be escalated to senior management?
5. Who is responsible for contacting and managing any affected individuals?
6. Who decides whether to contact law enforcement or regulators?
7. How are records of data breaches kept?
8. How will you identify and address any weaknesses in data handling that contributed to a data breach?
9. Are there any steps your cybersecurity insurance policy requires you to follow?
10. How will you test your response plan?
The OAIC’s Guide to developing a data breach response plan Consultation draft can be found here.
Australian Federal Government Cybersecurity Review
The Australian Federal Government is conducting a Cybersecurity Review.
See the Australian Government’s summary of the review here.
SEC Guidance Update
The SEC’s Investment Management Team published a Guidance Update which outlines measures managed funds and investment advisers may wish to consider in addressing cybersecurity risk. The guidance includes practical tips applicable to Australian entities.
See the Guidance Update here.