Insight

Preparing for the unpreparable: what can Non-Bank Lenders do to manage the risk of a cyber security incident?

In light of recent high-profile cyber security breaches in the financial services sector, how to reduce the risk of a cyber security incident occurring, and how best to mitigate the impact of an incident if one does occur, is at the forefront of the minds of boards and executive teams of financial institutions across the country.

In our experience this is certainly the case for boards and executive teams at non-bank lenders that, in the ordinary conduct of their businesses, hold large amounts of sensitive information on their customers.

But how do non-bank lenders prepare for an incident that, by its very nature, is completely unpredictable in terms of when and how it might occur and how it may impact a particular lender and its customers?

Based on our experience advising clients in this area, we think there is a set of questions that boards and executives at non-bank lenders can and should be asking to ensure that their businesses are as prepared as practicable for a cyber incident and its consequences. We set out these questions below.

Are our governance structures as robust as they can be to prepare for (and respond to) a cyber incident?

Cyber-Security Sub-Committee

We would recommend that boards resolve to put in place a separate cyber security sub‑committee (either as a sub-committee of the board’s risk committee or a separate sub‑committee of the board itself) to oversee a non-bank lender’s management of cyber risk.

Assessment of spend on cyber-security

One of the key roles of this sub-committee should be to assess the adequacy of a lender’s capital expenditure on cyber security and its IT capability generally. The types of questions the sub-committee should be asking in this regard include:

  • How much capex has been committed by the lender to cyber security year on year over the last, say, 5 years? Has this amount incrementally increased with the increased risk?
  • How does the quantum of the lender’s capex on cyber security compare to the lender’s peers?
  • Where are the lender’s systems potentially most vulnerable and what is being done to address these specific vulnerabilities? In other words, “where are we most exposed and what are we doing about that?”
  • Is the lender’s cyber-security capex being directed to address these principal vulnerabilities?

It follows that the discussions and decisions on issues such as this at the sub-committee level should, in our view, be communicated to the main board as a standing board agenda item.

Preparing a response manual and appointing a response team in advance of an incident

We would advise all non-bank lenders to prepare a cyber breach response manual and, as part of the processes reflected in that manual, to put in place a cyber-breach response team that would have principal responsibility for responding to a cyber breach.

The cyber-breach response team should schedule regular simulation exercises to stress test the processes and procedures outlined in the lender’s response manual and implement a process of continuous improvement as any vulnerabilities or weaknesses are identified through the simulations.

Identifying (and potentially appointing) external advisers

Thought should also be given by the cyber-breach response team to what external advisers the team wants to have in the event of an incident and how the lender can ensure its preferred advisers will be available when required. (The pool of experienced advisers in this space remains small and it is too late to be turning one’s mind to the suite of advisers and support required once an incident has actually occurred.)

Preparing for the disclosure challenges

Listed non‑bank lenders will already be fully aware of the nuances associated with the ASX trading halt and suspension regimes. However, trying to navigate these regimes in the context of a cyber security incident, when things are moving very quickly and not all the facts around the nature or scale of the risk posed by an incident are immediately evident, is fraught to say the least.

We would recommend that boards and/or the continuous disclosure committees of listed non-bank lenders do what they can to prepare for the continuous disclosure challenges they may face with a cyber incident including, for example, preparing draft outline announcements covering various scenarios and perhaps going to the effort of simulating a real time disclosure response to a cyber incident with external advisers.

Is our data governance consistent with our regulatory obligations around data retention and are our data retention policies structured to mitigate the consequences of a cyber-attack?

Boards of non-bank lenders should be asking whether the data protection regimes and policies at their organisations are up to date and consistent with all regulatory obligations applicable to that lender.

In particular, boards should be asking whether their business is (either deliberately or inadvertently) retaining data it is not required by law to hold (whether due to the effluxion of time or otherwise) and whether any data that is being held can be purged.

Do we have cyber insurance in place and what is the level of coverage? Are there actions we should (or should not) take in responding to a cyber-incident that may impact our coverage?

To the extent a board or executive team of a non-bank lender has not recently undertaken a review of its current cyber insurance policy position, we would strongly recommend that a review be undertaken. What is covered and what is not and where might costs be incurred by a lender where the coverage position under a policy is ambiguous?

Non-bank lending boards and executive teams also need to be cognisant of the terms in a company’s cyber insurance policy and ensure that compliance with those terms is reflected in the company’s cyber breach response manual mentioned above. For example, what does the policy say about obligations on an insured to notify its insurers if a cyber security event occurs? It is preferable to have this information at one’s fingertips rather than be trawling through policies to find the answer once an incident has occurred.

What protections do we have with our third party service providers who have access to our systems?

Many non-bank lenders rely on third party service providers for mission critical services, and often these third parties require access to a lender’s systems to provide those services. If these third party arrangements are long-standing, it may be that they are founded on contracts with the service provider that are now quite old and that were drafted at a time when cyber security was not at the forefront of the draftsperson’s mind. We would recommend that any contracts with third parties that involve that third party having access to a lender’s systems be checked to ensure that the obligations on the third party service provider (and the associated contractual liability regime applying to those obligations) are appropriate for modern day cyber risks.

In addition to undertaking contract reviews, boards and executive teams should consider undertaking regular vulnerability testing with critical third party service providers to identify points of weakness between the two organisations that may be exploited by cyber criminals.

Do our funding arrangements have carve-outs to provide us with some flex on covenants in the event of a cyber incident?

The funding arrangements of most non-bank lenders will include covenants on the part of the non-bank lender to ensure, for example, the performance of collection activities and obligations around originations. Some funding arrangements may also include covenants or triggers relating to servicing by a non-bank lender of its receivables portfolio. Covenants of this nature may simply not be capable of performance by a non-bank lender impacted by a cyber security incident.

These covenants are also often coupled with highly prescriptive reporting obligations in relation to portfolio performance and composition. In addition (particularly in the case of a warehouse facility or securitisation vehicle where the SPV trustee is a “captive” member of the originator’s corporate group) a cyber security incident could foreseeably impact the bank accounts of the SPV trustee which may, in turn, impact its ability to make payments to financiers.

Non-bank lenders should be pressing for grace periods and materiality (and other) thresholds in their funding documents to mitigate the risk that a cyber security incident inadvertently leaves a non-bank lender exposed to a ‘hair trigger’ default (or other adverse consequence) under its funding lines at the most inopportune time when trying to respond to a cyber incident.

Making some of the hard calls in advance of a breach

Dealing with cyber incidents is inevitably challenging and stressful, even to the most experienced of boards and executive teams. The stakes could not be higher, and there is a myriad of issues that boards and executive teams will need to deal with in real time in a constantly changing and dynamic environment. It is definitely not an environment conducive to making nuanced judgement calls. To the extent it is sensible to do so, we would recommend that boards and executive teams think about some of these tricky judgement calls in advance, with the benefit of time and ‘clear air’ for decision making.

A good example of the kind of judgement call a board may need to make in the event of a cyber breach is whether or not the company is willing to pay a ransom to a cyber-criminal. There is an array of inter-related considerations on this issue alone. They range from, if a company is minded to pay a ransom to mitigate the risk to its business, how to ensure any payment is made in compliance with sanctions laws, financing of terrorism laws and proceeds of crime laws, through to assessing the implications of paying a ransom for a company’s relationships with regulators and key federal and state government stakeholders. We advise boards and executive teams with whom we work to think about (and obtain advice on) issues such as this in advance of an incident actually occurring, so that companies already have certain policy parameters in place rather than having to consider them ‘on the run’ while trying to respond to the cyber incident itself.

Regrettably, boards and executive teams cannot completely plan for cyber incidents, but putting in place a strong framework and asking some of the questions noted above in advance will hopefully leave non-bank lenders as equipped as is practicable to respond to an incident and to mitigate the potential consequences for the lender if a cyber breach does occur.

Please do reach out to us to discuss any of the issues mentioned in this piece, particularly if you have any questions on cyber risks and your business, or if you want to explore the wider opportunities our non-bank lender team could present for you and your business.

KWM’s non-bank lender team is at the cutting edge of developments in the sector and is well placed to work with any client on their future needs, from established players to new entrants from the fintech industry.
