Our thoughts on the year ahead

At elevenM, we love shooting the breeze about all things work and play. We recently got together as a team to kick off the new year, share what we’d been up to and the thoughts inspiring us as we kick off 2019. Here’s a summary…

Early in the new year, under a beating sun at the Sydney Cricket Ground, our principal Arjun Ramachandran found himself thinking about cyber risk.

“Indian batsman Cheteshwar Pujara was piling on the runs and I realised – ‘I’m watching a masterclass in managing risk’. He’s not the fanciest or most talented batsman going around, but what Pujara has is total command over his own strengths and weaknesses. He knows when to be aggressive and when to let the ball go. In the face of complex external threats, I was struck by how much confidence comes from knowing your own capabilities and posture.”

A geeky thought to have at the cricket? No doubt. But professional parallels emerge when you least expect them. Particularly after a frantic year in which threats intensified, breaches got bigger, and major new privacy regulations came into force.

Is there privacy in the Home?

Far away from the cricket, our principal Melanie Marks was also having what she describes as a “summer quandary”. Like many people, Melanie this summer had her first extended experience of a virtual assistant (Google Home) over the break.

“These AI assistants are a lot of fun to engage with and offer endless trivia, convenience and integrated home entertainment without having to leave the comfort of the couch,” Melanie says. “However, it’s easy to forget they’re there and it’s hard to understand their collection practices, retention policies and deletion procedures (not to mention how they de-identify data, or the third parties they rely upon).”

Melanie has a challenge for Google in 2019: empower your virtual assistant to answer the question: “Hey Google – how long do you keep my data?” as quickly and clearly as it answers “How do you make an Old Fashioned?”.

Another of our principals and privacy stars Sheila Fitzpatrick has also been pondering the growing tension between new technologies and privacy. Sheila expects emerging technologies like AI and machine learning to keep pushing the boundaries of privacy rights in 2019.

“Many of these technologies have the ‘cool’ factor but do not embrace the fundamental right to privacy,” Sheila says. “They believe the more data they have to work with, the more they can expand the capabilities of their products without considering the negative impact on privacy rights.”

The consumer issue of our time

We expect to see the continued elevation of privacy as a public issue in 2019.  Watch for Australia’s consumer watchdog, the Australian Competition and Consumer Commission, to get more involved in privacy, Melanie says. The ACCC foreshadowed in December via its preliminary report into digital platforms.

Business will also latch onto the idea of privacy as a core consumer issue, says our Head of Product Development Alistair Macleod. Some are already using it as a competitive differentiator, Alistair notes, pointing to manufacturers promoting privacy-enhancing features in new products and Apple’s hard-to-miss pro-privacy billboard at the CES conference just this week.

We’ll also see further international expansion of privacy laws in 2019, Sheila says. Particularly in Asia Pacific and Canada, where some requirements (such as around data localisation) will even exceed provisions under GDPR, widely considered a high watermark for privacy when introduced last May.

Cyber security regulations have their turn

But don’t forget cyber security regulation. Our principal Alan Ligertwood expects the introduction of the Australian Prudential Regulation Authority’s new information security standard CPS 234 in July 2019 to have a significant impact.

CPS 234 applies to financial services companies and their suppliers and Alan predicts the standard’s shift to a “trust but verify” approach, in which policy and control frameworks are actually tested, could herald a broader shift to more substantive approach by regulators to oversight of regulatory and policy compliance.

There’s also a federal election in 2019. We’d be naïve not to expect jobs and national security to dominate the campaign, but the policy focus given to critical “new economy” issues like cyber security and privacy In the lead-up to the polls will be worth watching. In recent years cyber security as a portfolio has been shuffled around and dropped like a hot potato at ministerial level.

Will the Government that forms after the election – of whichever colour – show it more love and attention?

New age digital risks

At the very least, let’s hope cyber security agencies and services keep running. Ever dedicated, over the break Alan paid a visit to the National Institute of Standards and Technology’s website – the US standards body that creates the respected Cybersecurity Framework – only to find it unavailable due the US government shutdown.

“It didn’t quite ruin my holiday, but it did get me thinking about unintended consequences and third party risk. A squabble over border wall funding has resulted in a global cyber security resource being taken offline indefinitely.”

It points to a bigger issue. Third parties and supply chains, and poor governance over them, will again be a major contributor to security and privacy risk this year, reckons Principal Matt Smith.

“The problem is proving too hard for people to manage correctly. Even companies with budgets which extend to managing supplier risk are often not able to get it right – too many suppliers and not enough money or capacity to perform adequate assurance.”

If the growing use of third parties demands that businesses re-think security, our Senior Project Manager Mike Wood sees the same trend in cloud adoption.

“Cloud is the de-facto way of running technology for most businesses.  Many are still transitioning but have traditional security thinking still in place.  A cloud transition must come with a fully thought through security mindset.”

Mike’s expecting to see even stronger uptake of controls like Cloud Access Security Brokers in 2019.

But is this the silver bullet?

We wonder if growing interest in cyber risk insurance in 2019 could be the catalyst for uplifted controls and governance across the economy. After all, organisations will need to have the right controls and processes in place in order to qualify for insurance in line with underwriting requirements.

But questions linger over the maturity of these underwriting methodologies, Alan notes.

“Organisations themselves find it extremely difficult to quantify and adequately mitigate cyber threats, yet insurance companies sell policies to hedge against such an incident.”

The likely lesson here is for organisations not to treat cyber insurance as a silver bullet. Instead, do the hard yards and prioritise a risk-based approach built on strong executive sponsorship, effective governance, and actively engaging your people in the journey.

It’s all about trust

If there was a common theme in our team’s readings and reflections after the break, it was probably over the intricacies of trust in the digital age.

When the waves stopped breaking on Manly beach, Principal Peter Quigley spent time following the work of Renee DiResta, who has published insightful research into the use of disinformation and malign narratives in social media. There’s growing awareness of how digital platforms are being used to sow distrust in society. In a similar vein, Arjun has been studying the work of Peter Singer, whose research into how social media is being weaponised could have insights for organisations wanting to use social media to enhance trust, particularly in the wake of a breach.

Alistair notes how some technology companies have begun to prioritise digital wellbeing. For example, new features in Android and iOS that help users manage their screen time – and thus minimise harm – reflect the potential for a more trusting, collaborative digital ecosystem.

At the end of the day, much of our work as a team goes towards helping organisations mitigate digital risk in order to increase digital trust – among customers, staff and partners. The challenges are aplenty but exciting, and we look forward to working on them with many of you in 2019.

End of year wrap

The year started with a meltdown. Literally.

New Year’s Eve hangovers had barely cleared when security researchers announced they had discovered security flaws that would impact “virtually every user of a personal computer”. “Happy new year” to you too. Dubbed “Meltdown” and “Spectre”, the flaws in popular computer processors would allow hackers to access sensitive information from memory – certainly no small thing. Chipmakers urgently released updates. Users were urged to patch. Fortunately, the sky didn’t fall in.

If all this was meant to jolt us into taking notice of data security and privacy in 2018 … well, that seemed unnecessary. With formidable new data protection regulations coming into force, many organisations were already stepping into this year with a much sharper focus on digital risk.

The first of these new regulatory regimes took effect in February, when Australia finally introduced mandatory data breach reporting. Under the Notifiable Data Breaches (NDB) scheme, overseen by the Office of the Australian Information Commissioner, applicable organisations must now disclose any breaches of personal information likely to result in serious harm.

In May, the world also welcomed the EU’s General Data Protection Regulation (GDPR). Kind of hard to miss, with an onslaught of updated privacy policies flooding user inboxes from companies keen to show compliance.

The promise of GDPR is to increase consumers’ consent and control over their data and place a greater emphasis on transparency.  Its extra-territorial nature (GDPR applies to any organisation servicing customers based in Europe) meant companies all around the world worked fast to comply, updating privacy policies, implementing privacy by design and creating data breach response plans. A nice reward for these proactive companies was evidence that GDPR is emerging as a template for new privacy regulations around the world. GDPR-compliance gets you ahead of the game.

With these regimes in place, anticipation built around who would be first to test them out. For the local NDB scheme, the honour fell to PageUp. In May, the Australian HR service company detected an unknown attacker had gained access to job applicants’ personal details and usernames and passwords of PageUp employees.

It wasn’t the first breach reported under NDB but was arguably the first big one – not least because of who else it dragged into the fray. It was a veritable who’s who of big Aussie brands – Commonwealth Bank, Australia Post, Coles, Telstra and Jetstar, to name a few. For these PageUp clients, their own data had been caught up in a breach of a service provider, shining a bright light on what could be the security lesson of 2018: manage your supplier risks.

By July we were all bouncing off the walls. Commencement of the My Health Record (MHR) three month opt-out period heralded an almighty nationwide brouhaha. The scheme’s privacy provisions came under heavy fire, most particularly the fact the scheme was opt-out by default, loose provisions around law enforcement access to health records, and a lack of faith in how well-versed those accessing the records were in good privacy and security practices. Things unravelled so much that the Prime Minister had to step in, momentarily taking a break from more important national duties such as fighting those coming for his job.

Amendments to the MHR legislation were eventually passed (addressing some, but not all of these issues), but not before public trust in the project was severely tarnished. MHR stands as a stark lesson for any organisation delivering major projects and transformations – proactively managing the privacy and security risks is critical to success.

If not enough attention was given to data concerns in the design of MHR, security considerations thoroughly dominated the conversation about another national-level digital project – the build out of Australia’s 5G networks. After months of speculation, the Australian government in August banned Chinese telecommunications company Huawei from taking part in the 5G rollout, citing national security concerns. Despite multiple assurances from the company about its independence from the Chinese government and offers of greater oversight, Australia still said ‘no way’ to Huawei.

China responded frostily. Some now fear we’re in the early stages of a tech cold war in which retaliatory bans and invasive security provisions will be levelled at western businesses by China (where local cyber security laws should already be a concern for businesses with operations in China).

Putting aside the geopolitical ramifications, the sobering reminder for any business from the Huwaei ban is the heightened concern about supply chain risks. With supply chain attacks on the rise, managing vendor and third-party security risks requires the same energy as attending to risks in your own infrastructure.

Ask Facebook. A lax attitude towards its third-party partners brought the social media giant intense pain in 2018. The Cambridge Analytica scandal proved to be one of the most egregious misuses of data and abuses of user trust in recent memory, with the data of almost 90 million Facebook users harvested by a data mining company to influence elections. The global public reacted furiously. Many users would delete their Facebook accounts in anger. Schadenfreude enthusiasts had much to feast on when Facebook founder and CEO Mark Zuckerberg’s uncomfortably testified in front of the US Senate.

The social network would find itself under the pump on various privacy and security issues throughout 2018, including the millions of fake accounts on its platform, the high profile departure of security chief Alex Stamos and news of further data breaches.

But when it came to brands battling breaches, Facebook hardly went it alone in 2018. In the first full reporting quarter after the commencement of the NDB scheme, the OAIC received 242 data breach notifications, followed by 245 notifications for the subsequent quarter.

The scale of global data breaches has been eye-watering. Breaches involving Marriott International, Exactis, Aadhar and Quora all eclipsed 100 million affected customers.

With breaches on the rise, it becomes ever more important that businesses be well prepared to respond. The maxim that organisations will increasingly be judged not on the fact they had a breach, but on how they respond, grew strong legs this year.

But we needn’t succumb to defeatism. Passionate security and privacy communities continue to try to reduce the likelihood or impact of breaches and other cyber incidents. Technologies and solutions useful in mitigating common threats gained traction. For instance, multi-factor authentication had more moments in the sun this year, not least because we became more attuned to the flimsiness of relying on passwords alone (thanks Ye!). Security solutions supporting other key digital trends also continue to gain favour – tools like Cloud Access Security Brokers enjoyed strong momentum this year as businesses look to manage the risks of moving towards cloud.

Even finger-pointing was deployed in the fight against hackers. This year, the Australian government and its allies began to publicly attribute a number of major cyber campaigns to state-sponsored actors. A gentle step towards deterrence, the attributions signalled a more overt and more public pro-security posture from the Government. Regrettably, some of this good work may have been undone late in the year with the passage of an “encryption bill”, seen by many as weakening the security of the overall digital ecosystem and damaging to local technology companies.

In many ways, in 2018 we were given the chance to step into a more mature conversation about digital risk and the challenges of data protection, privacy and cyber security. Sensationalist FUD in earlier years about cyber-attacks or crippling GDPR compliance largely gave way to a more pragmatic acceptance of the likelihood of breaches, high public expectations and the need to be well prepared to respond and protect customers.

At a strategic level, a more mature and business-aligned approach is also evident. Both the Australian government and US governments introduced initiatives that emphasise the value of a risk-based approach to cyber security, which is also taking hold in the private sector. The discipline of cyber risk management is helping security executives better understand their security posture and have more engaging conversations with their boards.

All this progress, and we still have the grand promise that AI and blockchain will one day solve all our problems.  Maybe in 2019 ….

Till then, we wish you a happy festive season and a great new year.

From the team at elevenM.

APRA gets $60m in new funding: CPS 234 just got very real

We have previously talked about APRA’s new information security regulation and how global fines will influence the enforcement of this new regulation.

Today we saw a clear statement of intent from the government in the form of $58.7 million of new funding for APRA to focus on the identification of new and emerging risks such as cyber and fintech.

As previously stated, if you are in line of sight for CPS 234 either as a regulated entity or a supplier to one, we advise you to have a clear plan in place on how you will meet your obligations. No one wants to be the Tesco of Australia.

If you would like to talk to someone from elevenM about getting ready for CPS 234, please drop us a note at hello@elevenM.com.au or call us on 1300 003 922.


If you enjoyed this and would like to be notified of future elevenM blog posts, please subscribe below.

Up close and personal with the Singaporean Cybersecurity Act

Due to a recent engagement we carried out an in-depth review of the new Singaporean Cybersecurity Act.

What do we think?

The Act is a bold approach to ensuring the security of a nation’s most critical infrastructure, which we think will be copied by other countries and may even be a model for large enterprises.

Why bold?

A fundamental challenge is that the level of cybersecurity protecting any piece of infrastructure at any given time is usually heavily dependent on a Chief Information Security Officer’s (CISO) ability to present cyber risk to those controlling the purse strings. The result is a varied levels of control and capability across some very important infrastructure.

So what is the answer? Like most things, depends who you ask. Singapore has taken the bold approach to regulate the cybersecurity of the technology infrastructure that the country needs to run smoothly.

Our key takeaways

  • The Act introduces a Cyber Commissioner who will “respond to cybersecurity incidents that threaten the national security, defence, economy, foreign relations, public health, public order or public safety, or any essential services, of Singapore, whether such cybersecurity incidents occur in or outside Singapore” – Interesting to see how this works in practice. Many global companies in this framework will be hesitant to provide that level of access to a foreign state.
  • The Act creates Critical Information Infrastructure (CII) in Singapore meaning “the computer or computer system which is necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore” – These CIIs span most industries across both the public and private sector. It will be very interesting to see what they determine to be CIIs and how private companies deal with this. Even from an investment perspective, who pays to increase the security posture or the rewrite of the supporting business processes?
  • Each designated CII will have an owner who will be appointed statutory duties specific to the cybersecurity of the CII. – Yeah, these owners will be held to account by the Commissioner. Failure to fulfil their role will result in personal fines up to $100,000 or imprisonment for a term not exceeding 2 years. Given most companies already struggle defining the ‘owner’ of a system, will this push the ownership of these business/operational systems to CISOs?
  • The Act introduces a licencing framework for suppliers where “No person is to provide licensable cybersecurity service without licence”. – A very interesting one. The suppliers of cybersecurity services to the CIIs will need to have a license issued by the Commissioner. A sign of things to come in the supplier risk space perhaps?

The Act can be found here:  Singapore Cybersecurity Act 2018


If you enjoyed this and would like to be notified of future elevenM blog posts, please subscribe below.

Introducing our free data breach notification tool

When we previously looked at the trends emerging from the mandatory notifiable data breaches scheme, we observed that organisations seem to be playing it safe and reporting when in doubt, possibly leading to overreporting.

We’re big supporters of mandatory notification, and we agree that when there’s doubt, it’s safer to report. But we also think it’s important that we all get better at understanding and managing data breaches, so that individuals and organisations don’t become overwhelmed by notifications.

That’s why we’ve prepared a free, fast and simple tool to help you consider all of the relevant matters when deciding whether a data breach needs to be notified.

Download here

Keep in mind that this is just a summary of relevant considerations – it’s not legal advice, and it only addresses Australian requirements. If your organisation handles personal information or personal data outside of Australia, you might need to consider the notification obligations in other jurisdictions.

Also remember that notification is just one aspect of a comprehensive data breach response plan. If your organisation handles personal information, you should consider adopting a holistic plan for identifying, mitigating and managing data breaches and other incidents.

Please let us know if you find this tool useful or if you any feedback or suggestions.


If you enjoyed this and would like to be notified of future elevenM blog posts, please subscribe below.

The journey toward trust – Part 3: Trust through reputational management

This is the third and final article in a three-part series that explores the notion of trust in today’s digital economy, and how organisations can practically build trust. In part 1 we took a deeper look at the meaning and underlying principles of trust. Part two explored best practice approaches to using regulatory compliance to build trust.

In this piece, we look at the role of reputation management in building trust on privacy and security issues. 

Reputation management

The way an organisation manages its reputation is unsurprisingly tightly bound up with trust.

While there are many aspects to reputation management, an effective public response is one of, if not the most, critical requirements.

In the era of fast-paced digital media, a poorly managed communications response to a cyber or privacy incident can rapidly damage trust. With a vocal and influential community of highly informed security and privacy experts active on social media, corporate responses that don’t meet the mark get pulled apart very quickly.

Accordingly, a bad response produces significantly bad outcomes, including serious financial impacts, executive scalps, and broader repercussions like government and regulatory inquiries and class actions.

A google search will quickly uncover examples of organisations that mishandled their public response. Just in recent weeks we learned Uber will pay US $148m in fines over a 2016 breach, largely because of failures in how it went about disclosing the breach.

Typically, examples of poor public responses to breaches include one or more of the following characteristics:

  • The organisation was slow to reveal the incident to customers (ie. not prioritising truth, safety and reliability)
  • The organisation was legalistic or defensive (ie. not prioritising the protection of customers)
  • The organisation pointed the finger at others (ie. not prioritising reliability or accountability)
  • The organisation provided incorrect or inadequate technical details (ie. not prioritising a show of competence)

As we can see courtesy of the analyses in the brackets, the reason public responses often unravel as they do is that they feature statements that violate the key principles of trust that we outlined in part one of this series.

Achieving a high-quality, trust-building response that reflects and positively communicates principles of trust is not necessarily easy, especially in the intensity of managing an incident.

An organisation’s best chance of getting things right is to build communications plans in advance that embed the right messages and behaviours.

Plans and messages will always need to be adapted to suit specific incidents, of course, but this proactive approach allows organisation to develop a foundation of clear, trust-building messages in a calmer context.

It’s equally critical to run exercises and simulations around these plans, to ensure the key staff are aware of their roles and are aligned to the objectives of a good public crisis response and that hiccups are addressed before a real crisis occurs.


If you enjoyed this and would like to be notified of future elevenM blog posts, please subscribe below.

The journey toward trust – Part 2: Trust through regulatory compliance

This is the second article in a three-part series that explores the notion of trust in today’s digital economy, and how organisations can practically build trust. In part 1 we took a deeper look at what trust means, and uncovered some guiding principles organisations can work towards when seeking to build trust.

In this piece, we look at best practice approaches to using regulatory compliance to build trust.

Privacy laws and regulatory guidance provide a pretty good framework for doing the right thing when it comes to trusted privacy practices (otherwise known as, the proper collection, use and disclosure of personal information).

We are the first to advocate for a compliance-based framework.  Every entity bound by the Privacy Act 1988 and equivalent laws should be taking proactive steps to establish and maintain internal practices, procedures and systems that ensure compliance with the Australian Privacy Principles.  They should be able to demonstrate appropriate accountabilities, governance and resourcing.

But compliance alone won’t build trust.

For one, the majority of Australian businesses are not bound by the Privacy Act because they fall under its $3m threshold. This is one of several reasons why Australian regulation is considered inadequate by EU data protection standards.

Secondly, there is variability in the ways that entities operationalise privacy. The regulator has published guidance and tooling for the public sector to help create some common benchmarks and uplift maturity recognising that some entities are applying the bare minimum. No such guidance exists for the private sector – yet.

Consumer expectations are also higher than the law. It may once have been acceptable for businesses to use and share data to suit their own purposes whilst burying their notices in screeds of legalise. However, the furore over Facebook Cambridge / Analytica shows that sentiment has changed (and also raises a whole bucket of governance issues).  Similarly, increasingly global consumers expect to be protected by the high standards set by the GDPR and other stringent frameworks wherever they are, which include rights such as the right to be forgotten and the right to data portability.

Lastly, current compliance frameworks do not help organisations to determine what is ethical when it comes to using and repurposing personal information. In short, an organisation can comply with the Privacy Act and still fall into an ethical hole with its data uses.

Your organisation should be thinking about its approach to building and protecting trust through privacy frameworks.  Start with compliance, then seek to bolster weak spots with an ethical framework; a statement of boundaries to which your organisation should adhere. 


In the third and final part of this series, we detail how an organisation’s approach to reputation management for privacy and cyber security issues can build or damage trust.


If you enjoyed this and would like to be notified of future elevenM blog posts, please subscribe below.

The journey toward trust – Part 1: Understanding trust

Join us for a three-part series that explores the notion of trust in today’s digital economy, and how organisations practically can build trust. We also focus on the role of regulatory compliance and reputation management in building trust, and outline best practice approaches.

Be-it users stepping away from the world’s biggest social media platform after repeated privacy scandals, a major airline’s share price plummeting after a large data breach, or Australia’s largest bank issuing a stronger commitment to a stronger focus on privacy and security in rebuilding its image – events in recent weeks provide a strong reminder of the fragility and critical importance of trust to businesses seeking success in the digital economy.

Bodies as illustrious as the World Economic Forum and OECD have written at length about the pivotal role of trust as a driving factor for success today.

But what does trust actually mean in the context of your organisation? And how do you practically go about building it?

At elevenM, we spend considerable time discussing and researching these questions from the perspectives of our skills and experiences across privacy, cyber security, risk, strategy and communications.

A good starting point for any organisation wanting to make trust a competitive differentiator is to gain a deeper understanding of what trust actually means, and specifically, what it means for it.

Trust is a layered concept, and different things are required in different contexts to build trust.

Some basic tenets of trust become obvious when we look to popular dictionaries. Ideas like safety, reliability, truth, competence and consistency stand out as fundamental principles.

Another way to learn what trust means in a practical sense is to look at why brands are trusted. For instance, the most recent Roy Morgan survey listed supermarket ALDI as the most trusted brand in Australia. Roy Morgan explains this is built on ALDI’s reputation for reliability and meeting customer needs.

Importantly, the dictionary definitions also emphasise an ethical aspect – trust is built by doing good and protecting customers from harm.

Digging a little deeper, we look to the work of trust expert and business lecturer Rachel Botsman, who describes trust as “a confident relationship with the unknown”.  This moves us into the digital space in which organisations operate today, and towards a more nuanced understanding.

We can infer that consumers want new digital experiences, and an important part of building trust is for organisations to innovate and help customers step into the novel and unknown, but with safety and confidence.

So, how do we implement these ideas about trust in a practical sense?

With these definitions in mind, organisations should ask themselves some practical and instructive questions that illuminate whether they are building trust.

  • Do customers feel their data is safe with you?
  • Can customers see that you seek to protect them from harm?
  • Are you accurate and transparent in your representations?
  • Do your behaviours, statements, products and services convey a sense of competence and consistency?
  • Do you meet expectations of your customers (and not just clear the bar set by regulators)?
  • Are you innovative and helping customers towards new experiences?

In part two of this series, we will explore how regulatory compliance can be used to build trust.


If you enjoyed this and would like to be notified of future elevenM blog posts, please subscribe below.

What does the record FCA cyber fine mean for Australia?

First, bit of context: The Financial Conduct Authority (FCA) is the conduct and prudential regulator for financial services in the UK. They are in-part an equivalent to the Australian Prudential Regulatory Authority (APRA).

Record cyber related fine

This week the FCA handed down a record cyber related fine to the banking arm of the UK’s largest supermarket chain Tesco for failing to protect account holders from a “foreseeable” cyber attack two years ago. The fine totalled £23.4 million but due to an agreed early stage discount, the fine was reduced by 30% to £16.4 million.

Cyber attack?

It could be argued that this was not a cyber attack in that it was not a breach of Tesco Bank’s network or software but rather a new twist on good old card fraud. But for clarity, the FCA defined the attack which lead to this fine as: “a mass algorithmic fraud attack which affected Tesco Bank’s personal current account and debit card customers from 5 to 8 November 2016.”

What cyber rules did Tesco break?

Interestingly, the FCA does not have any cyber specific regulation. The FCA exercised powers through provisions published in their Handbook. This Handbook has Principles, which are general statements of the fundamental obligations. Therefore Tesco’s fine was issued against the comfortably generic Principle 2: “A firm must conduct its business with due skill, care and diligence”

What does this mean for Australian financial services?

APRA, you may recall from our previous blog. has issued a draft information security regulation CPS 243. This new regulation sets out clear rules on how regulated Australian institutions should be managing their cyber risk.

If we use the Tesco Bank incident as an example, here is how APRA could use CPS 234:

Information security capability: “An APRA-regulated entity must actively maintain its information security capability with respect to changes in vulnerabilities and threats, including those resulting from changes to information assets or its business environment”. –  Visa provided Tesco Bank with threat intelligence as Visa had noted this threat occurring in Brazil and the US.  Whilst Tesco Bank actioned this intelligence against its credit cards, it failed to do so against debit cards which netted the threat actors £2.26 million.

Incident management: “An APRA-regulated entity must have robust mechanisms in place to detect and respond to information security incidents in a timely manner. An APRA-regulated entity must maintain plans to respond to information security incidents that the entity considers could plausibly occur (information security response plans)”.  – The following incident management failings were noted by the FCA:

  • Tesco Bank’s Financial Crime Operations team failed to follow written procedures;
  • The Fraud Strategy Team drafted a rule to block the fraudulent transactions, but coded the rule incorrectly.
  • The Fraud Strategy Team failed to monitor the rule’s operation and did not discover until several hours later, that the rule was not working.
  • The responsible managers should have invoked crisis management procedures earlier.

Do we think APRA will be handing out fines this size?

Short answer, yes. Post the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, there is very little love for the financial services industry in Australia. Our sense is that politicians who want to remain politicians will need to be seen to be tough on financial services and therefore enforcement authorities like APRA will most likely see an increase in their budgets.

Unfortunately for those of you in cyber and risk teams in financial services, it is a bit of a perfect storm. The regulator has a new set of rules to enforce, the money to conduct the investigation and a precedence from within the Commonwealth.

What about the suppliers?

Something that not many are talking about but really should be, is the supplier landscape. Like it or not, the banks in Australia are some of the biggest businesses in the country. They use a lot of suppliers to deliver critical services including cyber security. Under the proposed APRA standard:

Implementation of controls: “Where information assets are managed by a related party or third party, an APRA-regulated entity must evaluate the design and operating effectiveness of that party’s information security controls”.

Banks are now clearly accountable for the effectiveness of the information security controls operated by their suppliers as they relate to a bank’s defences. If you are a supplier (major or otherwise) to the banks, given this new level of oversight from their regulator, we advise you to get your house in order because it is likely that your door will be knocked upon soon.


If you enjoyed this and would like to be notified of future elevenM blog posts, please subscribe below.

You get an Aadhaar! You get an Aadhaar! Everybody gets an Aadhaar!

On 26 September 2018, the Supreme Court of India handed down a landmark ruling on the constitutionality of the biggest biometric identity system in the world, India’s Aadhaar system.

The Aadhaar was implemented in 2016, and has since acquired a billion registered users. It’s a 12-digit number issued to each resident of India, linked to biometrics including all ten fingerprints, facial photo and iris scans, and basic demographic data, all held in a central database. Since being implemented, it’s been turned to a variety of uses, including everything from proof of identification, tracking of government employee attendance, ration distribution and fraud reduction, entitlements for subsidies, and distribution of welfare benefits. The Aadhaar has quickly become mandatory for access to essential services such as bank accounts, mobile phone SIMs and passports.

Beyond banks and telcos, other private companies have also been eager to use to the Aadhaar, spurring concerns about private sector access to the database.

In 2012, a series of challenges were levelled at the Aadhaar, including that the Aadhaar violated constitutionally protected privacy rights.

In a mammoth 1448 page judgement, the Court made several key rulings:

  • The Court ruled that the Aadhaar system does not in itself violate the fundamental right to privacy. However, the Court specifically called out a need for a ‘robust data protection framework’ to ensure pricy rights are protected.
  • However, the Aadhaar cannot be mandatory for some purposes, including access to mobile phone services and bank accounts, as well as access to some government services, particularly education. Aadhaar-authentication will still be required for tax administration (this resolves some uncertainty from a previous ruling).
  • The private sector cannot demand that an Aadhaar be provided, and private usage of the Aadhaar database is unconstitutional unless expressly authorised by law.
  • The Court also specified that law enforcement access to Aadhaar data will require judicial approval, and any national security-based requests will require consultation with High Court justices (i.e., the highest court in the relevant Indian state).
  • Indian citizens must be able to file complaints regarding data breaches involving the Aadhaar; prior to this judgment, the ability to file complaints regarding violations of the Aadhaar Act was limited to the government authority administering the Aadhaar system, the Unique ID Authority of India.

The Aadhaar will continue to be required for many essential government services, including welfare benefits and ration distribution – s7 of the Aadhaar Act makes Aadhaar-based authentication a pre-condition for accessing “subsidy, benefits or services” by the government. This has been one of the key concerns of Aadhaar opponents – that access to essential government services shouldn’t be dependant on Aadhaar verification. There have been allegations that people have been denied rations due to ineffective implementation of Aadhaar verification, leading to deaths.

It’s also unclear whether information collected under provisions which have now been ruled as unconstitutional – for example, Aadhaar data collected by Indian banks and telcos – will need to be deleted.

As Australia moves towards linking siloed government databases and creating its own digital identity system, India’s experience with the Aadhaar offers many lessons. A digital identity system offers many potential benefits, but all technology is a double-edged sword. Obviously, Australia will need to ensure that any digital identity system is secure but, beyond that, that the Australian public trusts the system. To obtain that trust, Australian governments will need ensure the system and the uses of the digital identity are transparent and ethical – that the system will be used in the interests of the Australian public, in accordance with clear ethical frameworks. Those frameworks will need to be flexible enough to enable interfaces with the private sector to reap the full benefits of the system, but robust enough to ensure those uses are in the public interest. Law enforcement access to government databases remains a major concern for Australians, and will need to be addressed. It’s a tightrope, and it will need to be walked very carefully indeed.


If you enjoyed this and would like to be notified of future elevenM blog posts, please subscribe below.

The week in review – Oct 1, 2018

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy.

Week of: Sep 24-Oct 1

The round-up:

Multiple articles this week emphasise the rising financial cost of data breaches, particularly as a result of substantial regulatory fines. Major organisations such as Facebook, Equifax and Uber are all reportedly facing sizable penalties as a result of recent data breaches. The financial hit coincides with heightened discussion and reporting of privacy issues and complaints, likely the result of public awareness having increased in the wake of new legislation introduced over the past 12 months.

Key articles:

Uber will pay $148 million in connection with a 2016 data breach and cover-up

Summary: Uber paid hackers $100,000 to delete data that they had illegally accessed on 57 million customers and drivers, as well as to keep the breach quiet. Now they’re paying $148 million as a result of a legal settlement related to the breach.

Key risk takeaway: The large pay-out draws sharp focus to the poor quality of Uber’s initial response, which was to keep the breach quiet. Businesses are increasingly being judged not merely for having had a breach, but on how well they respond. To mitigate the risk of a poorly handled response, organisations should have well-rehearsed breach response plans and practice approaching public disclosure of security and privacy incidents with transparency and accountability.

Tags: #breach #response #comms

Facebook Faces Potential $1.63 Billion Fine in Europe Over Data Breach

Summary: A European Union privacy watchdog could fine Facebook as much as $1.63 billion for a data breach in which hackers compromised the accounts of over 50 million users.

Key risk takeaway: A series of recent incidents – including the Cambridge Analytica scandal – continues to undermine Facebook’s public standing on privacy and security issues. The sizeable potential fine here demonstrates the significant financial penalties outlined under recently introduced privacy regimes, such as GDPR and the Notifiable Data Breach scheme. Given growing public expectations around privacy, regulators will likely be keen to visibly enforce these new regulations. Organisations should accordingly prioritise achieving a thorough understanding of their obligations under these regulatory regimes.

Tags: #breach #privacy #regulations #GDPR

Equifax fined maximum penalty under 1998 UK data protection law

Summary: Credit monitoring giant Equifax has been hit with the maximum penalty from the UK’s data protection agency for its actions related to the company’s massive data breach.

Key risk takeaway: While the credit monitoring company received the maximum penalty from the UK’s data protection agency relating to a 2017 breach, this was under the pre-GDPR regime. Businesses face significantly higher fines (as much as 4 per cent of global turnover) under GDPR, so would be well advised to understand their obligations.

Tags: #breach #privacy #regulations #GDPR

Facebook using 2FA phone number to target you with ads

Summary: Facebook confirmed it uses the phone numbers provided by users specifically for security purposes to also target them with ads.

Key risk takeaway: While Facebook defended this practice as using information provided by users to “offer a better, more personalised experience”, and pointed out that the practice was outlined in it data use policies, the tech giant has faced criticism for having acted unethically. This illustrates the importance not only of transparency around data use and collection, but ensuring it is carried out in line with customer expectations.

Tags: #privacy #security

Tech giants open up on privacy questions

Summary: Tech giants Apple, Amazon, Google and Twitter were in front of the US Senate Commerce Committee to outline their approaches to user privacy, and to persuade lawmakers on their preferred approach to regulation and legislation.

Key takeaway: Governments and regulators are looking to visibly respond to the growing public expectation around data protection, as evidenced by the introduction of new legislative regimes and conducting of hearings such as the one outlined in this article. Even in the US (which is often deemed less stringent on privacy) consideration is now being given to mirroring the EU’s GDPR, with California already having done so via its new digital privacy laws. The tech giants are reportedly advocating instead for federal privacy legislation which would supersede state legislation such as California’s, and which they would likely seek to influence. In light of this global patchwork of regulations, organisations should seek to understand the extent of their obligations under different regimes, particularly where they offer services to international customers.

Tags: #privacy

New IoT botnet infects wide range of devices

Summary: Researchers have unearthed new malware attacking a large number of Internet-of-Things (IoT) devices.

Key takeaway: There continues to be growing signs of cyber attackers targeting internet-connected devices, particularly routers. Organisations should conduct thorough inventory of their assets to understand the devices in their environment, and any vulnerabilities. Device security “hygiene” – such as patching devices and changing default passwords – is critical.

Tags: #security #IOT

Australia’s surveillance laws could damage internet security globally, overseas critics say

Summary: Australia’s Assistance and Access Bill – which the Government argues is necessary to bolster national security and law enforcement – is attracting concern from around the world over its potentially weakening effect on online security.

Key takeaway: Under the legislation, communications companies could be required to assist the Government to access encrypted communications. A broader takeaway from the criticism of the legislation by privacy advocates (as well as concerns raised by technology companies) is the underlying community expectation that organisations will protect customer data.

Tags: #privacy #government #security

France records big jump in privacy complaints since GDPR

Summary: Another European data protection agency reports a sharp rise in the numbers of complaints since the EU introduced GDPR.

Key takeaway: Increased noise around new privacy regulations is translating into increased consumer awareness, and subsequently, complaints. Given these trends, organisations must become more proactive on data protection matters.

Tags: #privacy

Don’t call me, I’ll call you

You’ve just pulled dinner out of the oven, the kids have been wrangled to the table, and you’re just about to sit down.

Suddenly, your miracle of domestic logistics is shattered by the klaxon  of your phone ringing. Juggling a hot plate of roast chicken and a small, wriggling child, you grab for the handset… only to be greeted by the forced enthusiasm of a long-suffering call centre worker who desperately wants you to tell you about simply fantastic savings on energy prices.

The Do Not Call Register has been in place since 2006. The DNCR Register allows Australians to place their phone number on a register indicating that they don’t wish to receive marketing calls or faxes, with fines applying for non-compliance.

The ACMA enables to organisations that want to conduct telemarketing campaigns subscribe to the Register and  ‘wash’ their calls lists against it. This helps organisation make sure they aren’t calling people who don’t want to hear from them.

Of course, that doesn’t help if you don’t bother to check the Register in the first place, like Lead My Way. Lead My Way received a record civil penalty of $285,600 today for making marketing calls to numbers on the DNCR Register. Lead My Way had actually subscribed to the DNCR Register, but for some reason hadn’t washed their call list against it. This led to numerous complaints to the ACMA, which commenced an investigation.

Lead My Way was calling people to test their interest in its clients’ products or services, then on selling that information as ‘leads’ – that is, as prospective customers. This kind of business model can also raise significant Privacy Act compliance issues. Do the people being called understand that their personal information is collected and will be sold? How are they notified of the collection (APP 5)? Have they consented to that use? Is that consent informed and valid? Is the sale of their personal information permissible (APP 6)? Are they able to opt out of receiving further marketing calls, and are those opt outs being respected (APP 7)?

Cutting corners on how you manage and use personal information may save you time and money in the short term. But, as Lead My Way discovered, in the long run it can create massive compliance risk, annoy your end users, and incur the wrath of the regulators. Were the (likely minuscule) savings of ignoring the DNCR Register worth a regulator investigation and the comprehensive trashing of Lead My Way’s brand?

Perhaps we should call them and ask.


If you enjoyed this and would like to be notified of future elevenM blog posts, please subscribe below.