Of the many lessons that can be learned from how the Optus data breach was handled, one stands out - Australia’s privacy laws are not equipped to support Aussie data breach victims.
To change this, the Australian Government is amending its Telecommunications Regulations 2021 Act. APRA-regulated financial entities can now be involved in efforts to mitigate financial fraud following a data breach. But involvement is only granted if APRA-regulated financial institutions align their security standards against the expectations of this amended regulation.
To learn how to comply with Australia’s amended Telecommunications regulation to support the fight against financial fraud following a data breach, read on.
Why Australia’s Telecommunications Regulations 2021 Desperately needs Amendment
Almost 2.1 million of the total 9.8 million victims of the Optus data breach had their government identification numbers - such as driver’s license numbers - compromised, opening the door to a host of fraudulent financial activities requiring 100 points of identification or a Document Verification Service (DVS) check.
After the breach, the best option for impacted customers hoping to reduce the threat of an identity breach was to physically attend a service center to apply for a new driver’s license number. A logistical nightmare ensued, with queues at service centers across the nation stretching beyond entrances and into streets. To make matters worse, the process of changing compromised identification records was long, convoluted, and unsympathetic to the potential victims.
In Victoria, many victims couldn’t change their license numbers until sufficient evidence of fraudulent use was detected, and in NSW, victims were denied a new license number unless their card numbers were also compromised.
These fractured response efforts expose the legacy mechanisms currently supporting Australia’s cyber defence efforts. In recognition of this, the Australian government is in the process of improving the nation’s security posture with initiatives like the recent critical infrastructure reform, the move to increase data breach penalties, and this much-needed telecommunications regulations update.
The scale of public disruption this Optus breach caused is a window into the potential chaos a cyber attacker can inflict on Australia if its data privacy regulations are not improved.
Overview of the Amended Telecommunications Regulation
The amended regulation supports a broader initiative of protecting Australian data breach victims from financial compromise. This updated data privacy initiative aims to achieve this through three primary objectives:
- Reduce the amount of effort victims are expected to undertake to secure their compromised data.
- Reduce the amount of time required to detect fraudulent financial activities.
- Remove the responsibility of monitoring for fraudulent financial activities from victims.
The amended telco regulatory framework consists of a symbiotic relationship between Australian telecommunication organizations that have suffered a data breach and APRA-regulated financial institutions.
This relationship would operate as follows:
- A telecommunications company suffers a data breach
- The telco organization temporarily shares approved government-identified information of impacted customers (driver's license, passport, Medicare numbers) with APRA-regulated financial entities.
- The regulated financial entity begins monitoring for fraudulent financial activities and deploys safeguards to protect impacted customers from financial fraud.
- The financial entity destroys all shared customer identifier data when it’s no longer required for fraud monitoring purposes.
"Financial institutions can play an important role in targeting their efforts towards protecting customers at greatest risk of fraudulent activity and scams in the wake of the recent Optus breach. These new measures will assist in protecting customers from scams and in system-wide fraud detection."
- Hon Dr. Jim Chalmers MP (Treasurer)
The final stage of this process - the destruction of shared customer identifier data - is the most crucial component. The longer sensitive data remain in possession of financial entities, the greater the risk of further compromise through additional cyberattacks.
To ensure all shared customer data is protected from further compromise, the amended Telco regulation is likely to eventually enforce prompt data destruction with fines or other similar consequences.
Ensuring data breach victims are protected from financial fraud isn’t solely the responsibility of regulated financial entities. The amended regulation aims to establish a partnership between financial entities and government agencies to decrease data breach response times and, therefore, the potential impact on customers.
How Can Regulated Financial Services Comply with Australia’s Teco Regulation Amendments?
Regulated financial services will benefit from the increased business opportunities resulting from amendments to Australia’s telco privacy laws. But certain cybersecurity conditions need to be met to take advantage of these opportunities.
1. Compliance with the Principles and Requirements of the Prudential Standard CPS 234
The APRA Prudential Standard CPS 234 ensures financial institutions implement sufficient measures to defend against information security incidents and cyberattacks. The exemplary security posture the framework expects of regulated entities is achieved through the following set of security controls:
- Vulnerabilities and Threats Controls
- Lifecycle Management Controls
- Physical and Environmental Controls
- Change Management Controls
- Software Security Controls
- Data Leakage Controls
- Cryptographic Controls
- Technology Controls
- Third-Party and Related Parties Controls - Implementing a Vendor Risk Management solution is especially important in the current threat ecosystem where finance organizations are commonly targeted in supply chain attacks.
Of all the information security controls outlined in CPS 234, the most critical in relation to compliance with the amended telco regulation amendments are:
- Clearly defined cybersecurity roles and responsibilities for all individuals, governing bodies, senior management, and board members.
- Establish a cybersecurity protocol that's proportional to the degree of security risks across all customer data assets
Meeting the second requirement requires an appeal to a mechanism for evaluating risk severity followed by the design of an incident response plan that prioritizes critical risks. The following resources offer guidance for both of these efforts:
2. A Written Attestation is Required to Request Customer Data
Once a cybersecurity program supporting ongoing compliance with CPS 234 is implemented, regulated financial entities can begin requesting access to telco customer data impacted by a data breach. Each request should be submitted as a formal attestation to APRA, confirming that all of the security requirements for accessing data under this amended regulation are met.
Here’s an example of an attestation in relation to the Optus data breach that can be used as a template:
[Entity name] attests the following statements are true and correct:
- The information that is being acquired from Optus will be used for the sole purpose of taking steps to protect customers from fraud or theft; and
- The information will be stored, managed, and used in accordance with the principles and requirements of Prudential Standard CPS 234 Information Security, with appropriate information security controls relevant to protecting the information established.
Written attestations need to be signed and submitted to APRA via this email address:
3. Accessed Customer Data Can Only Be Used For Fraud Monitoring and Safeguard Purposes
When access to customer identifier data is granted, it can only be used for the purposes of applying monitoring and safeguard controls to prevent financial fraud. This narrow use case means that shared data is expected to have a very short lifecycle, an intended characteristic supporting the regulation’s prompt data destruction requirements.
4. Shared Customer Data Should Be Stored in a Manner that Prevents Unauthorised Access, Disclosure, or Loss
The amended telecommunications regulation doesn’t specify the security control required to prevent unauthorised access and compromise or loss of stored customer data. This is likely because a CPS 234-compliant entity is expected to have sufficient security controls in place to meet these requirements.
For additional guidance on meeting these data integrity requirements, refer to the following sources:
- What is Access Control?
- How to implement a Privileged Access Management Framework
- What is Data Loss Prevention?
- How to Prevent Data Leaks.
5. Secure all Outsourcing Processes
Outsourcing has become a critical component of operating a financial service. However, every newly onboarded vendor is accompanied by residual security risks that could be detrimental to compliance with CPS 234 and, therefore, the amended telecommunications regulation.
Regulated financial entities hoping to be included in Australia’s reformed telco data breach handling processes need an outsourcing policy that’s:
- Scalable - to effectively manage the increased business requests arising from the amended telco regulation, and
- Secure - to maintain eligibility to access customer data impacted by breaches.
Both of these conditions are most efficiently met with a Vendor Risk Management solution also offering managed services to help rapidly scale third-party risk management efforts.
A VRM solution, such as Vendor Risk by UpGuard, ensures all vulnerabilities across the third-party attacks surface are accounted for and addressed to significantly reduce the risk of third-party breaches. As a result of such an implementation, vendor security postures are improved, which supports compliance with some of the key data security expectations of the amended telco regulation, including:
- Storing customer data in a manner that prevents unauthorised disclosure - A VRM solution helps internal security teams detect and address third-party vulnerabilities and data leaks, placing internal data resources at a high risk of compromise.
- The implementation of third-party security controls - A VRM solution helps regulated financial entities comply with the third-party security requirements of CPS 234.
- The cyber threat assumptions influencing the rapid detection policy - The rapid customer data destruction policy of the amended telco regulation is based on the assumption that the risk of a data breach is proportional to the amount of time the data remains in possession of the regulated financial entity. A VRM solution helps regulated entities significantly reduce the potential of a data breach by securing all attack vectors facilitating these security incidents. By implementing a VRM solution, financial entities will reduce the risk of customer data compromise resulting from further breaches by adding the reduction of vendor security risks as a primary cybersecurity metric in addition to a reduced data storage lifecyle.
UpGuard Helps APRA-Regulated Australian Finance Entities Comply with the Amended Telco Regulation
UpGuard has developed a Vendor Risk Management solution that addresses the unique cyber threats impacting customer data security in the financial industry.
UpGuard can help APRA-regulated entities achieve compliance with the amended telecommunications regulation with the following features:
- A library of customizable vendor security assessments, including an ISO 27001 questionnaire capable of mapping detected risks to APRA CPS 234 requirements.
- Continuous third-party attack surface monitoring to detect emerging attack vectors across the third and even fourth-party network.
- Third-party data leak detection to detect overlooked exposures that could expedite data breaches.
- A managed vendor risk management service offering that can be augmented with an internal third-party security program to rapidly scale vendor security efforts.
- Executive reporting to efficiently communicate compliance efforts with assessors, executives, and stakeholders.