With growing cyber attacks and a continual list of breaches in the media, we are seeing more and more changes to legislative and regulatory compliance requirements around the world, especially around breach reporting. In this article, I wanted to discuss these requirements in Australia, and across various industries. I also wanted to touch on a recent breach that resulted in significant financial consequences imposed on the affected organisation, not because of the cost of the breach itself, but the financial impact of not complying with legislative reporting obligations.
Blackbaud’s $3 Million Penalty
Last week Blackbaud, a public company that provides donor data management software to non-profit organisations, agreed to pay a $3 million civil penalty to settle charges for making misleading disclosures about a ransomware attack they suffered back in 2020. When first investigated, the company specified that no donor bank account information or social security numbers were accessed by the threat actors. A few days later, their IT and customer relations staff learned that this data was in fact accessed and stolen by the threat actor.
Now we have seen cases like this before where organisations have hidden information and downplayed the breach, but this was not actually the case with Blackbaud. The company did not have disclosure controls and procedures in place, so the new information that came to light was not escalated to the relevant people, and their quarterly report was issued to the Securities and Exchange Commission (SEC) missing this critical information. So, no malicious intent, just poor internal processes and procedures, which have now led to a $3 million settlement. On top of this, the HIPAA Journal reported in November 2020 that the breach had already cost Blackbaud $3.2 million between July and September that year, and that figure was expected to continue to rise. That makes it a very costly breach, still impacting them financially over 2 years later.
As some background, the SEC introduced “disclosure controls and procedures” in August 2002 following the enactment of Sarbanes-Oxley. Disclosure controls and procedures are designed to ensure that information required to be disclosed by a publicly listed company is recorded, processed, summarised and reported within the time periods specified in the SEC’s rules and forms.
Of course, not complying with this, whether through intent or neglect, leads to severe financial consequences, as we have seen.
Australian Cybersecurity Reporting Requirements
Similar to SEC’s requirements, Australia has reporting requirements for publicly listed companies, along with a myriad of other legislative and regulatory reporting requirements depending on your business and industry. Below are the most prominent requirements.
ASX Listing Rules for Public Companies
Under the Australian Securities Exchange’s (ASX) Listing Rules, listed companies must, under their continuous disclosure requirements, ensure the market is kept up to date with the appropriate information as soon as that information becomes available. ASX’s Chief Compliance Officer discussed this rising issue as it relates to cybersecurity incidents, and the need for organisations to be better prepared, in the Australian Financial Review in November last year, stating:
“We’d advise companies to plan for these moments because they will come out of the blue and happen in real time, and will be complicated. So, the more work you have done in advance, the better.”
I could not agree more with this statement. It’s critical to have prepared for these events well ahead of time, to ensure not only a smooth response but also that everything that needs to be done from a compliance point of view is done. This will help you avoid the additional ramifications of a breach like those Blackbaud saw last week.
Privacy Act Requirements and Reporting
On February 22nd 2018, the Notifiable Data Breaches (NDB) scheme came into effect in Australia. Any organisation or agency covered by the Australian Privacy Act 1988 must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information has been impacted.
Entities that fall under the Privacy Act include Australian Government agencies, businesses and not-for-profit organisations that have an annual turnover of more than AU$3 million, private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients.
Complying with Australian privacy reporting obligations means being prepared to report to the Privacy Commissioner if the breach is an ‘eligible data breach’. The Commissioner provides a downloadable form, but you need to ensure all relevant information is captured during your incident response processes. Entities must also notify affected individuals and inform them of the content of the statement sent to the Commissioner. The entity may choose one of the following:
- Notify all individuals
- Notify only those individuals at risk of serious harm, or
- Publish the statement on the entity’s website and publicise it.
The NDB scheme requires entities to carry out an assessment of a data breach within 30 days of becoming aware of reasonable grounds to suspect that there may have been an eligible data breach, and to notify the OAIC and affected individuals as soon as practicable after it confirms that an eligible data breach has occurred.
More information to prepare for a data breach under the Privacy Act can be found on the OAIC website.
Critical Infrastructure (SOCI) Reporting Requirements
The amended Security of Critical Infrastructure Act 2018 (SOCI Act) was finalised on the 6th of April 2022 under the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022. This meant the reporting obligations, the Register of Critical Infrastructure Assets and Mandatory Cyber Incident Reporting, came into effect on the 8th of April 2022.
What critical asset classes are impacted and what classes must report breaches goes far beyond the scope of this article (but reach out if you want to discuss this). Reporting requirements state:
“If you become aware that a critical cyber security incident has occurred, or is occurring, AND the incident has had, or is having, a significant impact on the availability of your asset, you must notify the Australian Cyber Security Centre (ACSC) within 12 hours after you become aware of the incident. If you make the report verbally, you must make a written record through the ACSC’s website within 84 hours of verbally notifying the ACSC.”
A great factsheet that covers requirements can be downloaded in PDF form from the CISC.
These are some pretty tight timelines to abide by, especially when you are in the middle of a crisis and enacting your incident response plans. To be able to meet these timelines means having everything prepared, and ready for if/when a cyber security incident occurs. It’s a tall order and one you don’t want to be trying to make up on the spot under that type of pressure.
Even if an incident is not “critical”, one that has a “relevant impact on your asset” must also be reported, with the timeline extended to 72 hours after you become aware of it.
APRA CPS 234
APRA’s CPS 234 standard aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents, including cyberattacks. CPS 234 states:
“An APRA-regulated entity must notify APRA as soon as possible and, in any case, no later than 72 hours, after becoming aware of an information security incident that:
(a) materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers; or
(b) has been notified to other regulators, either in Australia or other jurisdictions.”
CPS 234 also has a requirement outside of breach notifications to notify APRA within 10 days if any material information security control weakness has been identified that cannot be remediated in a timely manner.
Once again, this requires another set of communication plans to ensure timely reporting to regulatory bodies.
ASIC Requirements
From 1 October 2021, Australian financial services (AFS) licensees and Australian credit licensees are required to submit notifications about reportable situations (breach reports) to the Australian Securities & Investments Commission (ASIC). ASIC has a Regulatory Portal that any registered licensee can use to submit notifications. AFS and credit licensees must report all reportable situations to ASIC, including:
“- Significant breaches or likely significant breaches of ‘core obligations’
- Investigations into whether there is a significant breach or likely breach of a ‘core obligation’ if the investigation continues for more than 30 days
- The outcome of such an investigation if it discloses there is no significant breach or likely breach of a core obligation
- Conduct that constitutes gross negligence or serious fraud
- Reportable situations about other licensees”
AFS and credit licensees are required to notify ASIC of reportable situations within 30 calendar days. More information can be found in Regulatory Guide 78 from ASIC.
How Can You Make Sure You Address All Compliance Requirements?
One of the most common areas I see missed within organisational cybersecurity strategies, policies and processes is documenting all relevant compliance obligations and ensuring those obligations are addressed and monitored. We see a lot of different risk areas addressed across organisations (financial risk, IT risk and cybersecurity risk, to name a few), but what is often neglected is compliance risk. Depending on the industry and the customers you deal with, organisations can have a laundry list of legislative, regulatory and contractual compliance obligations. I would hazard a guess that this was a key point missed in the Blackbaud breach. If the compliance requirements around the SEC’s disclosure controls and procedures had been documented, processes put in place, AND staff across the organisation educated in those processes, the additional breach details would have been escalated to the correct people and a $3 million settlement avoided.
Compliance obligations extend far beyond just breach reporting and need to be addressed fully. So what steps should you take to ensure you are prepared?
- Identify all legislative compliance requirements that impact your business, such as the Privacy Act.
- Identify all regulatory compliance requirements that impact your industry, such as the Payment Card Industry Data Security Standard (PCI DSS) or APRA CPS 234. Also bear in mind that just because you aren’t in a specific industry doesn’t mean you don’t fall under another industry’s standard. If you provide services to organisations in that industry, you may need to comply with their standards.
- Identify contractual compliance requirements. These are the requirements I rarely see documented and addressed. When you engage with any business where contracts are signed, any obligations stated in those contracts need to be identified, documented and addressed. We are seeing far more cybersecurity obligations in contracts as more and more organisations become aware of the risk to their data and businesses when doing business with third parties.
- All these requirements need to be documented, along with how you will comply with them. And as with any compliance regime, it’s not a one-off endeavour. You must ensure your requirements are continually monitored for compliance.
- Finally, for addressing breach notifications, incident response plans need to include facilities for communicating with outside regulatory bodies. This includes clear time frames and well-documented URLs for online reporting or easily accessible forms that can be filled out and submitted.
Hopefully, this article gives you a solid starting point for looking at your compliance obligations, and some food for thought about what the impacts of not complying can mean for your business. Don’t find out the hard way like Blackbaud has. If you need help or want to discuss any of this further, please reach out.