It’s no secret that financial organisations like banks and insurance companies handle delicate information—they have the money of the nation in their hands. And if you are part of the finance industry, this means that all eyes are on you, and it can be reputation-destroying if your systems slip up.
With the recent amendments to the Security of Critical Infrastructure Act (SOCI Act), the risk of ineffective security is only increasing, as more industries are classified as ‘critical infrastructure’ and are being held accountable for their risk management and security. As the deadline for SOCI Act compliance approaches, is your company ready to meet obligations?
What is the SOCI Act, and which financial services companies are affected?
The Security of Critical Infrastructure Act (SOCI Act) 2018 regulates the security and resilience of critical infrastructure in Australia, and it has recently been amended to include 11 sectors in total. Companies that are part of the newly added sectors have been given six months to follow the SOCI Act regulations—this window opened on February 17 and will shut on August 17, 2023.
- The financial services and markets sector is one of the 11 critical infrastructure sectors in the SOCI Act, and your financial company will be included if it is part of:
- Insurance
- Banking
- Superannuation
- Financial markets
- Clearing and settlement facilities
- Derivative trade repositories
- Financial benchmarks
- Payment systems
- Credit facilities (Cyber and Infrastructure Security Centre, 2023)
How can the financial services sector comply with SOCI Act requirements?
According the 2022 amendments to the SOCI Act, there are three main requirements that critical infrastructure financial services companies must meet:
1.) Register critical infrastructure assets
You need to register the operational, ownership, interest, and control information of your critical assets with the government.
2.) Report cyber incidents
Report any cyber security incidents and events, both critical and non-critical through the Australian Cyber Security Centre’s online cyber incident reporting portal.
3.) Create a Risk Management Program (RMP)
When organising your RMP, you must identify potential hazards, then minimise or remove the risk of the hazard occurring, and plan mitigations for if it does happen.
*Note: The Cyber and Infrastructure Security Centre (CISC) is regulating the RMP obligations for all asset classes, except final payment systems. This class will be regulated by the Reserve Bank of Australia.
“The CISC is committed to working in partnership with all levels of government and industry to support the wider security uplift of Australian critical infrastructure. For some critical infrastructure entities, we recognise that implementation of a CIRMP (Critical Infrastructure Risk Management Program) [Critical Infrastructure Risk Management Program] will be an extensive task. Wherever your business is in terms of maturity, the CISC will assist whenever possible.”
Cyber and Infrastructure Security Centre, 2023
A banking data breach could have a national impact
Next to the health sector, there is no industry that holds more sensitive information than the financial services sector. And after the Optus data breach in 2022, an S&P Global report found that banks are an extremely attractive target for hackers, presenting an increasing threat for lenders.
“A successful cyberattack or data breach at an Australian bank could threaten to destabilise the country’s financial system, given the interconnectedness and concentration of the sector.”
Koob, 2022
The Australian financial system is dominated by the big four banks, which means that one successful attack could have widespread, national effects. However, it is not just the big banks that are at risk, banks with a large customer base, but low revenue—like regional companies—have an even higher chance of a data breach. This could be because of the high number of unique IP addresses, the popularity of the website, or their volume of network traffic. (Koob, 2022)
Penalties for non-compliance
When financial companies are such prime targets for data hacking, their security and Risk Management Programs (RMP) need to be flawless. We only need to look at the widespread negative rhetoric around Medibank and Optus to see the damage that can be done to a company’s reputation—and their customers’ wellbeing—when the systems fall short.
However, negative media attention and waning customer trust are not the only consequences for non-compliance. If you fail to adopt or maintain a Risk Management Program (RMP) or do not meet any of the related obligations, then you will receive 1,000 penalty units ($275,000) per day until you meet the requirements. You could also be penalised if you fail to meet the annual reporting requirement of your RMP, this will result in a penalty of 750 penalty units ($206,250) per day (Clyde & Co, 2023).
References:
“Critical Infrastructure Update: Risk management program obligations under the SOCI Act now ‘turned on’”. Clyde & Co. (2023, February 27). https://www.clydeco.com/en/insights/2023/02/critical-infrastructure-update-risk-management-pro
Koob, S. (2022, October 6). Cyberattack on Australian bank could threaten financial system, but risk is low. The Sydney Morning Herald. https://www.smh.com.au/business/banking-and-finance/cyberattack-on-australian-bank-could-threaten-financial-system-but-risk-is-low-20221005-p5bng1.html