Regulators are short of patience with directors reluctant to meet their obligations by implementing effective cybersecurity protocols, writes Professor Pamela Hanrahan.
Cybercrime and data security rank first among issues keeping directors awake at night. Financial regulators here and overseas share that anxiety and are ramping up enforcement actions against companies that fail to address cyber risks with sufficient focus and urgency.
Recently, in New York, cruise company Carnival Corporation & PLC (Carnival) was fined US$5 million in connection with four significant cyber breaches that occurred between 2019–21. Carnival, which is listed in New York and London, controls half the global cruise market through brands including P&O, Holland America, Princess and Cunard. In 2019, its revenue exceeded US$20b. In normal times, it carries 13 million customers a year and has more than 100,000 employees. All of them provide the company with sensitive, non-public personal information.
The fine was imposed on Carnival by the New York Department of Financial Services (DFS) under New York State cybersecurity legislation that dates from 2017. The Cybersecurity Regulation (23 NYCRR Part 500) has been a model for similar laws adopted elsewhere in the United States, including by other states, the US Federal Trade Commission, the National Association of Insurance Commissioners, and the Conference of State Banking Supervisors. The Cybersecurity Regulation applies to banks and insurers, and captured Carnival because it was licensed to sell life insurance, accident and health insurance, and variable life/variable annuities insurance in New York State. Carnival surrendered its insurance licence as part of its settlement with the DFS.
The DFS found that Carnival experienced four major cybersecurity events between 2019–21, including two ransomware attacks. Sensitive customer and employee data was stolen. This included names, addresses, phone numbers, passport numbers, dates of birth, health information, and, in some instances, national identification (social security) numbers. The DFS found that Carnival breached the law by failing to implement multi-factor authentication (MFA) as required by the Cybersecurity Regulation, and by failing to report the breaches in a timely way and to conduct adequate cybersecurity training for its staff. Carnival’s delay in implementing MFA, together with the training and reporting failures, left its information systems — and its customers’ non-public information — “extremely vulnerable to bad actors”.
Carnival and the DFS agreed to consent orders in June. The orders explain the DFS approach to its consumer protection function, which includes “the critical protection of individuals’ private and personally sensitive data from careless, negligent, or wilful exposure” by regulated entities. They emphasise that the “importance of securing consumer non-public information is paramount, especially in the current digital age as criminals seek to steal consumer data and utilise the data to cause financial harm”.
New York law provides clear guidance on what was required of Carnival and others in its position. The consent orders note that, to comply with the Cybersecurity Regulation, “cybersecurity programs must, at a minimum: (1) include effective controls and secure access privileges; (2) include systems and policies in place for conducting thorough and routine cybersecurity risk assessments; and (3) provide for comprehensive training and monitoring for all employees and users, including independent contractors and vendors”. And as the consent orders go on to say, regulated entities “must have well-grounded governance processes in place, with adequate board reporting, to ensure senior management’s attention to securing and protecting” consumer non-public information and preventing cybersecurity breaches.
Shortly after settling with the DFS, Carnival agreed to pay a further US$1.25m in penalties to settle actions brought by 45 other states based on a failure to notify affected customers of the 2019 data breach in a timely way. The terms of settlement require Carnival to strengthen security and notification protocols across the business.
Recognising cyber risk
The Carnival actions are part of an escalating trend of enforcement against cybersecurity laggards, particularly in financial services. It is happening here, too. Six weeks before Carnival settled with the DFS in New York, the Federal Court of Australia approved a settlement in proceedings brought by the Australian Securities and Investments Commission (ASIC) against RI Advice Group Pty Ltd (RI Advice) for inadequate cyber risk management. Unlike the DFS proceedings, the Australian case did not arise under specific cybersecurity legislation. Instead, it was based on laws requiring Australian financial services licensees, such as RI Advice, to do all the things necessary to ensure retail financial services are provided efficiently and fairly and to have adequate risk management systems.
RI Advice — originally owned by Australia and New Zealand Banking Group and sold to IOOF Holdings in 2018 — operates a retail financial services business through a network of practices operated by corporate or individual authorised representatives (AR). ASIC’s proceedings against RI Advice concerned nine serious cybersecurity incidents involving AR practices between 2014–20. These included ransomware attacks, theft and misuse of clients’ personal information, phishing and client scams.
Over the relevant period, RI Advice covered about 60,000 Australian retail clients, all of whom provided sensitive information to AR practices. This included “full names, addresses and dates of birth and in some instances health information; contact information, including contact phone numbers and email addresses; and copies of documents such as driver’s licences, passports, and other financial information”.
Documented causes of the cyber breaches at RI Advice included “computer systems which did not have up-to-date antivirus software installed and operating; no filtering or quarantining of emails; no backup systems in place, or backups not being performed; and poor password practices including sharing of passwords between employees, use of default passwords, passwords and other security details being held in easily accessible places or being known by third parties”.
The Federal Court recognised that RI Advice stepped up its efforts to improve its cyber resilience after 2018, but it was too little, too late. RI Advice admitted “it took too long to implement and ensure [improved] measures were in place across its AR practices. RI Advice accepts it should have had a more robust implementation of its program so that the measures were more quickly in place at each AR Practice and the majority of the AR network was confirmed as operating pursuant to such cybersecurity and cyber resilience measures” before 2021.
ASIC had asked for civil penalties to be imposed, but in the end agreed to settle on the basis that RI Advice would implement further cybersecurity measures and pay $750,000 for ASIC’s costs. In approving the settlement in ASIC v RI Advice Pty Ltd  FCA 496, Justice Helen Rofe observed: “Risks relating to cybersecurity, and the controls that can be deployed to address such risks evolve over time... It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”
As these enforcement actions in New York and Melbourne demonstrate, regulators’ patience with companies that fail to invest in adequate cybersecurity controls is wearing thin.