The Australian Securities and Investments Commission (ASIC) has published its report on security breaches at financial services firms. According to the regulator, financial services firms have failed in their duty to protect their users and to notify them when they fall short of their fiduciary responsibilities.
“Breach reporting is a cornerstone of Australia’s financial services regulatory structure. Many of the delays in breach reporting and compensating consumers were due to the financial institutions’ inadequate systems, procedures and governance processes, as well as a lack of a consumer orientated culture of escalation. Our review found that, on average, it takes over 5 years from the occurrence of the incident before customers and consumers are remediated, which is a sad indictment on the financial services industry. This must not stand.” [emphasis added]
Key findings of the report include:
- Financial institutions are taking too long to identify significant breaches, with the major banks taking an average time of 1,726 days (over 4.5 years).
- There were delays in remediating consumer loss. On average, 226 days passed between the end of a financial institution’s investigation into the breach and the first payment to impacted consumers. (This is on top of the average across all institutions of 1,517 days before the breach is discovered, plus the time taken to start and complete an investigation.)
- The significant breaches (within the scope of the review) caused financial losses to consumers of approximately $500 million, with millions of dollars of remediation yet to be provided.
- The process from starting an investigation to lodging a breach report with ASIC also takes too long, with major banks taking an average of 150 days.
Obviously, ASIC wants, and needs, to address these profound shortcomings in operations.
“…there is an urgent need for investment by financial services institutions in systems and processes as well as commitment and oversight from boards and senior executives to address these significant failings,” said Shipton.
The findings “re-emphasise” the need to implement new and more intensive supervisory approaches.
ASIC said it will now be regularly placing ASIC staff on site in major financial institutions to closely monitor their breach management, governance and compliance with laws. This new program of work is called Close and Continuous Monitoring. But will it be enough? And why didn’t management handle the security breaches appropriately from the beginning?