
What happens after a cyber incident?

Cyber security is an important issue for all businesses, but financial advice firms need to be particularly vigilant.

by Keith Ford
January 10, 2024

Financial advice firms face some specific cyber security risks due to their access to financial information. Combined with a recent history of hacks showing that even the largest businesses in Australia, such as Optus and Medibank, are in danger, it is important that advice firms prepare for what happens in the event of a cyber incident, not just how to avoid one.

According to Jason Symons, partner – head of cyber at Mills Oakley, the first reaction is often grief and denial.

“I think denial is pretty common because it’s that moment where it’s like, ‘Oh, it’s our turn’ or ‘It’s happened to us’,” Mr Symons said on the FAAA podcast.

“You have to be able to, I guess, help whoever’s found out, whoever the leaders of that organisation are, to not panic, to try and keep reasonably calm, and that there are people who are experienced in dealing with one of these and we can help them.”

This transitions into a period in which a team of experts works together across disciplines, including legal, IT forensics and communications, with both external experts and internal people dealing with each of those issues.

“We’re working together. We’re having regular teams meetings, or even face to face, war-room type situations and we’re working through the problem methodically,” Mr Symons added.

“Whether it’s a ransomware attack dealing with the criminal group, or it might be some sort of live data breach where we have to manage the assessment of that data breach and possibly notification.”

Importantly, Mr Symons said, in addition to requirements around informing clients of a breach and when that needs to happen, there are also regulatory requirements involved in the response to a cyber incident, such as informing the Office of the Australian Information Commissioner (OAIC).

“That’s the regulator that sits within the Privacy Act. When we talk about a data breach, we’re talking about personal information being compromised by criminals and the access or disclosure of information,” he said.

“The regulator is interested in you telling her and the individuals impacted within certain periods of time and providing regulated information in your notification.

“But then, if you’re responsible for critical infrastructure assets, you have to tell the Australian Cyber Security Centre (ACSC) about an incident. If you’re not, but you still want to tell the government what’s happening to you as a responsible corporate citizen, or you may want to see if they’ve got information about the criminal group that could be useful to you, you inform the ACSC through the cyber reporting website.

“But what that then does is that can then filter through to the different state police authorities, the Federal Police, and that coordination of government agencies happens through the ACSC.”

There is also a clean-up phase that happens following an incident, ranging from technical issues to responding to client questions.

“If we’re talking about an incident that’s been notified to different regulators, there’s often a tail to that of questions being asked and you having to respond,” Mr Symons said.

“Similarly, if you’ve notified hundreds of people or even thousands, that notification process might take a while and working it through possibly responding to questions, having FAQs online, updating websites, that all goes on for a while.

“Then you’ve got to think about whether there’s clean-up with regards to the business itself. So, are you back online properly now? Have you been able to restore from backups or recover the system separately, and that’s a whole other stream of work that can take some time.”

Unsurprisingly, a business can take a serious reputational hit when clients have had their data breached, so the clean-up phase also includes a “brand rebuild”.

“The brand rebuild starts to happen in this phase, which is you’re through the immediate crisis, and then you need to take a step back and go, ‘OK, what trust have we lost here? What has happened to our company more broadly, that we might need to address through different strategies and working through that?’”

© 2025 All Rights Reserved. All content published on this site is the property of Prime Creative Media. Unauthorised reproduction is prohibited
