Protecting What Counts

Fortifying Data Risk Management in Australian Financial Services

Introduction

In today’s rapidly evolving digital landscape, data breaches are at their highest levels since 2020, posing a growing concern for Australian financial services institutions. At the same time, regulator expectations for data risk management are higher than ever, and sustainable, effective risk management involves more than merely preventing breaches.

Recent high-profile incidents have not only led to hefty fines and regulatory actions but have also tarnished reputations and imposed stringent capital requirements. For instance, Australian banks have faced enforceable undertakings due to deficiencies in their risk governance frameworks. These issues highlight an urgent call for comprehensive data risk practices.

This article explores the importance of establishing robust data risk practices, focusing on governance, data quality, oversight, and competitive advantages through informed decision-making.

I. The Shifting Landscape of Data Risk Management: Protecting Exposed Data Under Increasing Complexity

Data risk management is more crucial than ever, with significant financial and reputational damage resulting from improper handling. Within Australia, the financial services industry has faced many high-profile incidents, leading to substantial fines and loss of customer trust. These incidents underscore the urgent need for strong data risk practices.

As APRA noted in their recent publication, "Data is key to many, if not all, the decisions an entity must make and as such is the 'crown jewels' for most entities." This emphasises the critical importance of protecting data assets. Adhering to enforceable regulatory standards such as CPS 230 is crucial for compliance, while following non-enforceable guidelines like CPG 235 aids in further mitigating risks and building organisational resilience.

II. Beyond Data Breaches: Governance and Regulatory Compliance

Effective data risk management goes beyond preventing breaches, addressing governance deficiencies and regulatory compliance. As the Australian Privacy Commissioner stated in a recent notifiable data breach report, "We are moving into a new era in which our expectations of entities are higher." This underscores the increasing scrutiny and higher standards expected from organisations.

Organisations must adopt proactive governance and compliance measures by implementing robust risk assessment frameworks, establishing clear accountability structures, and continuously monitoring compliance to mitigate risks and enhance resilience.

III. What Other Australian Organisations Are Doing

To gain insights into best practices, it is crucial to understand how other institutions address data risks. By exploring their approaches to data risk management and breach response, we can learn valuable lessons and adapt them to our own organisations. Many institutions are focusing on four key areas to establish robust data risk management:

  1. Establishing Data as a Risk Type: Developing a data risk profile and understanding the organisation's risk appetite are crucial steps. Conducting comprehensive current state assessments helps baseline compliance with regulator expectations. This process includes building means to measure data risk, such as purpose-built dashboards linked to executive risk profiles. Integrating suitable technology and tools, such as Governance, Risk, and Compliance (GRC) systems, can streamline these processes and increase accuracy. Furthermore, establishing and prioritising enterprise data programs is essential to align data initiatives with the organisation's strategic objectives.
  2. Data Discovery: Identifying Critical Data and Assessing Quality. Institutions need a clear understanding of where critical data resides and its quality. This process involves mapping critical business processes and data lineage. A key part of this is reviewing existing controls. Implementing appropriate technology and tools, such as data catalogues, metadata management systems, and network scanning tools, can further aid in precise data discovery and management.
  3. Lean Data Agenda: Minimising Over-Retention of Data. Over-retention of data poses significant risks to institutions. Adopting a lean data agenda involves disposing of unnecessary data and retaining only what is needed. Organisations must adhere to data protection regulations, including but not limited to Australian Privacy Principle (APP) 11.2, which requires reasonable steps to destroy or de-identify personal information that is no longer needed. Appropriate tools and technologies can help identify and monitor high-risk systems with excessive data retention, thereby reducing exposure to potential breaches.
  4. Third-Party Data Risk: Managing Data Held by External Partners. Address the risks associated with third parties holding sensitive data. Conduct current state assessments to identify third parties with high data risk (e.g., those holding highly confidential or Personally Identifiable Information). Review and update policies and procedures to ensure they address third-party data risks appropriately. Additionally, review existing contracts to understand current arrangements for managing, retaining, or disposing of data. Leveraging advanced tools and technologies can help monitor and manage third-party data risk effectively.

IV. Competitive Advantages Through Informed Decision-Making

Robust data governance and risk management can offer competitive advantages. Effective data governance ensures high data quality and supports the transition to a data-led organisation, enabling informed and timely decision-making. This leads to improved operational efficiency, better customer experiences, and a stronger market position.

Conclusion

Establishing data risk practices is a critical priority for Australian financial services institutions. This initial article has highlighted the importance of data risk management and the need for organisations to adapt their strategies in response to the evolving threat landscape.

In upcoming articles, we will delve deeper into the four key areas discussed above, providing actionable insights and practical guidance based on further research and expert input. By prioritising data risk practices and learning from the experiences of other organisations, financial institutions can navigate the complex landscape of data breaches and safeguard sensitive customer information. Furthermore, effective data governance can support becoming a data-led organisation, enabling informed and timely decision-making that offers a competitive edge.

For a confidential discussion on how to enhance your data risk management strategy or to conduct a regulatory compliance assessment, please contact Simon Crisp, Partner, or Shannon Braun, Director.