
Looking back to look forward: a data-first approach to Breach Reporting

On 1 October 2021, AFSL and ACL holders across the Financial Services sector became subject to heightened regulatory requirements in relation to Breach Reporting. These requirements were intended to address ASIC’s long-held concerns about delayed reporting of breaches and a lack of transparency around the rectification of issues and incidents. In addressing these concerns, Treasury effectively broadened the scope of what is reportable to ASIC and shortened the time from identification of an issue or incident to its reporting (irrespective of whether an investigation is ongoing). As the new year ticks over, organisations continue to bed down the changes and ask: what next?

Given much of the sweeping regulatory reform across the Financial Services sector is now live and operating under BAU, many organisations are turning their minds towards the regulator’s priorities as set out in ASIC’s 2021-25 Corporate Plan. Of particular note is the regulator’s intention to expand its use of data and digital technology to inform markets and support faster, better regulatory outcomes. As part of this, ASIC intends to develop a solution for the bulk upload of breach reports. This will provide efficiencies for the industry to meet its regulatory reporting requirements but is underpinned by ASIC’s vision to more effectively handle and prioritise information reported and appropriately monitor incident and issue management. 

While many organisations recognise the efficiencies that will be gained with having bulk upload functionality, this is balanced with concerns over the ease of transmission and the current limitation to adequately understand and process this information prior to submission (or at a minimum, ahead of ASIC’s own assessment).

For a lot of dedicated breach reporting teams, the work is proving to be relentless. The broadened scope and tighter timeframes are reducing capacity, increasing the risk of poor data quality, and leaving little time in between to allow for analysis of what has been reported and is being rectified for continuous improvement. There are concerns that tactical decisions made to achieve compliance may not be sustainable over the long-term, with inadequate consideration of root causes or emerging risks and themes. 

Some of the key challenges as a result of this include:

  • Lack of awareness or understanding of the quality, accuracy or completeness of the data available for use – particularly where information is held in the GRC system but reported manually to ASIC.
  • Lack of deep root cause analysis over the reported data to draw out clear, actionable insights for the business.
  • Lack of clear understanding of data lineage across the end-to-end breach reporting value chain.
  • Failure to identify the systemic issues underlying the breaches being identified.
  • Under-resourced or under-funded data teams, including deficiencies in the capability of existing teams.
  • De-prioritisation or inadequate buy-in from senior stakeholders within the business.
  • Ambiguity as to what is possible or what the end solution may look like for the organisation in the context of overarching regulatory reporting obligations.

Consequently, many are now looking for data-led solutions for this critical business problem. Deloitte suggests four core phases of work that organisations can consider.

Solutions…

1. Process and policy uplift

The focus of this phase is process and policy uplift. While organisations made the required changes to existing frameworks, policies and procedures prior to go-live, many recognise that those changes were only a short-term solution and came at considerable cost through increases in head count. Continuing to tweak existing ways of working in BAU is not sustainable from a resource, efficiency or output perspective. By reviewing frameworks, policies and procedures through the lens of continuous improvement, rather than merely meeting compliance obligations, organisations will be better placed to produce accurate and timely outputs. For some this will include taking the learnings from the manual triage process and applying them to create rules-based breach libraries, and updating the GRC system to better align with the information required by ASIC so that better information is captured earlier.

2. Quick wins

The focus of this phase is the quick wins. The first step is to leverage data that is already available within the organisation and assess its availability, quality and conformity, in order to better identify reportable situations and to check for any reportable situations missed because of incomplete data or coverage. Once that is understood, the next step is to determine the priority metrics that give a view on where reportable situations may arise, and how each metric has performed over time. In addition, monitoring similar cohorts (customers, product types, etc.) will identify outliers, systemic issues and priority areas to focus on initially. Given the simple nature of this stage, organisations will most likely take a single-product view and apply the behavioural analysis in isolation to identify, monitor and mitigate potential breaches.

The outcome will be earlier and more efficient identification of reportable situations, including trends based on the available data. Data conformity will provide insights that can be leveraged to improve data quality and process efficiencies.
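As an added illustration of this phase (example code, not Deloitte’s, ASIC’s or any GRC vendor’s), the following Python script runs the three quick-win checks described above over a small set of constructed GRC incident records: a completeness check on the fields a breach report needs, a monthly breach-count metric per product cohort, and an outlier flag for a cohort whose latest month departs sharply from its own history. The required field names, product cohorts and incident records are all assumptions constructed for the example.

```python
"""
Added example: a data-first pass over constructed GRC incident records.
Not code from the original article, and not an ASIC specification.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed fields a breach report needs before it can be submitted (illustrative only).
REQUIRED_FIELDS = ("incident_id", "product", "identified_on", "root_cause", "customers_impacted")


def _rec(i, product, date, root_cause="process", impacted=1):
    """Build one constructed incident record."""
    return {"incident_id": f"INC-{i:03d}", "product": product, "identified_on": date,
            "root_cause": root_cause, "customers_impacted": impacted}


# Constructed monthly breach counts per product cohort (product, month, count).
_SPEC = [
    ("home_loan", "2021-10", 1), ("home_loan", "2021-11", 2),
    ("home_loan", "2021-12", 1), ("home_loan", "2022-01", 4),
    ("credit_card", "2021-10", 2), ("credit_card", "2021-11", 1),
    ("credit_card", "2021-12", 2), ("credit_card", "2022-01", 2),
]
RECORDS = []
for _product, _month, _n in _SPEC:
    for _ in range(_n):
        RECORDS.append(_rec(len(RECORDS) + 1, _product, f"{_month}-15"))
# One record deliberately left with a blank root cause so the completeness check catches it.
RECORDS[0]["root_cause"] = ""


def completeness(records, required=REQUIRED_FIELDS):
    """Fraction of records in which each required field is present and non-empty."""
    total = len(records)
    return {f: (sum(1 for r in records if r.get(f) not in (None, "")) / total if total else 0.0)
            for f in required}


def missing_required(records, required=REQUIRED_FIELDS):
    """IDs of records that cannot be reported as-is because a required field is blank."""
    return [r["incident_id"] for r in records
            if any(r.get(f) in (None, "") for f in required)]


def monthly_counts(records):
    """{product: {YYYY-MM: count}} - the breach-count metric per cohort over time."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        counts[r["product"]][r["identified_on"][:7]] += 1
    return counts


def cohort_outliers(counts, latest_month, z_threshold=2.0):
    """Flag cohorts whose latest-month count sits more than z_threshold standard
    deviations above the mean of their prior months (z-score against own history).
    Cohorts with fewer than three prior months are skipped: not enough history."""
    flagged = {}
    for product, series in counts.items():
        history = [c for m, c in sorted(series.items()) if m < latest_month]
        if len(history) < 3:
            continue
        mu, sigma = mean(history), pstdev(history)
        current = series.get(latest_month, 0)
        if sigma == 0:
            z = float("inf") if current > mu else 0.0
        else:
            z = (current - mu) / sigma
        if z > z_threshold:
            flagged[product] = round(z, 2)
    return flagged


if __name__ == "__main__":
    print("field completeness:", completeness(RECORDS))
    print("records blocked by missing fields:", missing_required(RECORDS))
    print("cohort outliers for 2022-01:", cohort_outliers(monthly_counts(RECORDS), "2022-01"))
```

Run as a script it reports that one constructed record is blocked by a blank root cause and that the home_loan cohort is an outlier in January 2022, while credit_card is not. The z-score against a cohort's own history is a deliberately simple choice for a single-product view; a portfolio-level comparison across cohorts belongs to the integration phase, once customer and product data are joined.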

3. Data integration

The focus of this phase is integration. Leveraging the data that is already available and augmenting it with additional internal and external sources of information (for example, events and complaints) will allow organisations to build out enhanced data models. A detailed data quality gap assessment will assist in identifying and resolving gaps in historical data, as well as informing which future datapoints to begin capturing. In addition, integration with customer and product data will provide a holistic view of issues and incidents at both the customer and portfolio level. In doing so, organisations will be better able to identify thematic and systemic issues and incidents as they arise and analyse their potential root cause.

4. Prevention and prediction

The focus of this phase is automation and predictability. The pivot from detecting and fixing issues of the past to preventing issues in the future is a shift we are starting to see across many organisations within the Financial Services sector. This next phase is an evolution of the existing solutions, which leverages the existing data models and utilises emerging technology solutions such as artificial intelligence, voice analytics and machine learning to be able to prevent potential breaches, minimise systemic issues and efficiently triage the issue or incidents based on historical data.

Despite the challenges currently facing the industry, breach reporting will remain at the top of the regulator’s agenda and therefore should remain a focus for industry. Knowing what you have told the regulator about your business, and having genuine insight into what the breaches mean and how they will be addressed, aligns with the actions of a responsible licensee. With ASIC focussing on improvements to its internal data capabilities and portal functionality, a reciprocal effort from organisations will support the management of issues and incidents while mitigating potential reputational damage. We recommend taking a pragmatic approach to the next phase of work – running with the quick wins where possible, while planning, through investment and resourcing, for broader uplift and future-focussed solutions.

To learn more about how regulators are building capability in big data, machine learning and predictive analytics, read here.
