Under-reporting of breaches continues to be an industry-wide issue
A business focus on incidents is key to successfully managing breaches
Focus on incidents
An incident is something that has happened that shouldn’t have (this includes inaction)
All people across the business, Authorised Representatives, distributors & anyone acting on your behalf should be trained in understanding, identifying & raising incidents.
If you focus on breaches, you are expecting your people to know thousands of laws.
Your obligations should be linked to key control(s), so that a control breakdown is automatically an incident.
The training should include practical examples of what incidents look like within your business & within each business area.
If your incident management is inadequate, the incident will continue to grow & cause harm & detriment until it manifests as a breach, or as a significantly larger breach than if it had been detected immediately. There is also the risk that the breach will be identified by a customer. This suggests that your compliance arrangements are inadequate & may lead to a systemic issue investigation by ASIC or AFCA.
An incident & breach register should be maintained.
Triage of incidents
It is important that you don’t allow the business to determine whether an incident is a breach. This analysis requires expertise.
An experienced compliance person should review all incidents periodically (frequency based on the size of the organisation) & determine (1) whether additional information is required, (2) whether the incident is a breach & if so, (3) which law &/or Code has been breached, & (4) how to comply with the breach reporting requirements.
Sources of breach obligations
Each Law/Code has its own requirements on what needs to be reported, to whom & the timing.
Chp 7 Corporations Act (AFS Licensees) – Section 912DAA – note that ‘financial services laws’ is defined widely (s761A) & includes, for example, breaches of the Insurance Contracts Act & the ASIC Act.
Insurance Act (APRA regulated insurers) – Section 38AA
Privacy Act – Division 3 (notifiable data breaches)
GI Code of Practice – paragraph 181
Insurance Brokers Code of Practice – paragraph 11.2
Having separate processes for each law/code is impractical, adds complexity & creates gaps.
A single breach management process is paramount.
Breach management process
Your breach management process should incorporate RG 78 with pathways to incorporate the breach reporting requirements of all other laws/industry Codes.
The process should include:
- timeframes
- roles & responsibilities
- information gathering
- analysis
- breach committee or similar
- breach reporting
- remediation & rectification
- learning from the breach & continual improvement
Contact me for assistance with your incident & breach management process.