Under-reporting of breaches continues to be an industry-wide issue
A business focus on incidents is key to successfully managing breaches
Focus on incidents
An incident is something that has happened that shouldn’t have (this includes inaction)
All people across the business, Authorised Reps, distributors & anyone acting on your behalf should be trained in understanding, identifying & raising incidents
If you focus on breaches, you are expecting your people to know thousands of laws.
Your obligations should instead be linked to key control(s), so that a control breakdown is automatically an incident.
The training should include practical examples of what an incident(s) looks like within your business & for each business area.
If your incident management is inadequate, the incident will continue to grow & cause harm & detriment until it manifests into a breach, or a significantly larger breach than if it had been detected immediately. There is also the risk that the breach will be identified by a customer first. This suggests that your compliance arrangements are inadequate & may lead to a systemic issue investigation by ASIC or AFCA.
An incident & breach register should be maintained.
Triage of incidents
It is important that you don’t allow the business to determine whether an incident is a breach. This analysis requires expertise.
An experienced compliance person should review all incidents periodically (frequency based on the size of the organisation) & determine whether (1) additional information is required, (2) the incident is a breach & if so, (3) the law &/or Code that has been breached & (4) how to comply with the applicable breach reporting requirements.
Sources of breach obligations
Each Law/Code has its own requirements on what needs to be reported, to whom & within what timeframe.
Chapter 7 Corporations Act (AFS Licensees) – Section 912DAA – note that ‘financial services laws’ is defined widely (s761A) & includes, for example, breaches of the Insurance Contracts Act & the ASIC Act.
Insurance Act (APRA regulated insurers) – Section 38AA
Privacy Act – Division 3 (notifiable data breaches)
GI Code of Practice – paragraph 181
Insurance Brokers Code of Practice – paragraph 11.2
Having separate processes for each law/code is impractical, adds complexity & creates gaps.
A single breach management process is paramount.
Breach management process
Your breach management process should incorporate RG 78 with pathways to incorporate the breach reporting requirements of all other laws/industry Codes.
The process should include:
- timeframes
- roles & responsibilities
- information gathering
- analysis
- breach committee or similar
- breach reporting
- remediation & rectification
- learning from the breach & continual improvement
Contact me for assistance with your incident & breach management process.