Powered by MOMENTUM MEDIA

FAAA backs no-fault, no-liability cyber security model

The advice association says it supports legislative reform to ease stress on small businesses while maintaining the need for reporting cyber security breaches within the sector.

In a submission to the Department of Home Affairs' cyber security legislative reforms consultation, the Financial Advice Association Australia (FAAA) said that, due to the inherently sensitive nature of the information held by financial advisers, it is increasingly important to remove barriers to reporting cyber crimes and ransomware.

“It goes without saying that in the wrong hands, the circulation of this data could be very damaging to the personal lives of these clients and also to the advice business themselves,” the submission said.

“This is an important issue that the licensees in the financial advice sector take very seriously and are already devoting significant time and resources to manage.

“FAAA believes that cyber crime is a critical issue that requires a comprehensive government response and we therefore are broadly supportive of measures to improve the visibility and oversight of cyber security incidents. We are supportive of a proactive response, and one with flexibility to learn from past experiences.”

In an effort to ease anxiety around reporting occurrences of cyber attacks and ransomware, the association has thrown its support behind a no-fault, no-liability model, particularly for small businesses.

“The FAAA is broadly supportive of there being better and more agile reporting by businesses of ransomware attacks and for clearer guidance around the security of critical infrastructure that the financial services industry operates under,” it said.


“Whilst we support the mandatory reporting regime proposed for ransomware, we are also strongly supportive of a no-fault, no-liability model. This will help to make it easier to report and to reduce the anxiety that may have been generated in reporting such situations to the government.

“We would also suggest that the requirements need to exclude any report of those types of cyber security emails that claim to have hacked an individual or a company’s website, where payment has been demanded, however there is no evidence that there has been any loss of data.”

The submission noted the importance of recognising the large number of self-employed licensees and small businesses in the financial advice sector and how responses to cyber crime may differ because of this.

“Financial advice is largely a small business sector, with a predominantly self-employed business model. Responding to cyber risk and crime has particular additional challenges for the small business sector that needs to be carefully considered,” the submission said.

“If it is expected that the number of these attacks was to increase, making the information both easy to collate and quick to distribute should be the guiding principles.

“Many of our members run and operate small businesses who have limited spare capacity. It would be a failing of the regime if reporting such an incident was seen as either oppressive or futile.”

The FAAA also put its support behind lesser penalties for small advice businesses that fail to meet the ransomware reporting obligations.

“Whilst we note the suggestion of a civil penalty regime, we are also conscious that some civil penalty regimes can involve very significant fines. That should not be the case for small businesses,” the submission said.

“An alternative to a civil penalty regime would be an infringement notice payment. This would be more straightforward and avoid the need for a court case.”

In light of the high-profile cases of cyber attacks over recent years, the FAAA noted the need to be flexible and proactive in the response to these types of events.

“As evidenced by the high-profile incidents of Medibank and Optus, Australia is vulnerable to cyber attacks and our economy should not be recalcitrant to change or adopting further appropriate reporting.”