Josh Moorman
Head of Financial Crime and Privacy, BT
Michele Bahari
Executive Manager, Privacy, BT
Simon Brown
Head of Cyber Strategy & Advice, Westpac Group
Q: How is the cyber crime landscape changing?
Josh: I've seen increases in both the volume of activities and the sophistication of cyber crime. The organised crime groups who are perpetrating some of these attacks have gone from trying it on with someone who's a low value target, or who might not be well protected, to attacking big entities. Things have shifted from someone trying to get your details over the phone so they can steal your credentials and your money, to sophisticated large data exploitations, where those packages of data are sold multiple times.
Previously those organised crime groups did the whole process end to end. Now we're increasingly seeing a lot of domain specialisation: people who are very good at ransomware, or who are very good at cyber attacks, who then hand off the data to someone who specialises in perpetrating the actual fraud. Then they find someone else to launder the money that they've gained from that fraud, and so on. In effect, you now see a value chain of services – cyber crime is its own industry.
In effect, you now see a value chain of services – cyber crime is its own industry.
There is a strong public/private relationship where we share threat intelligence so we can better protect the community, ourselves and each other.
Q: What is being done to combat this?
Josh: We’re seeing a lot of good work domestically, especially around the big four banks (BT is part of the Westpac group), partnering to share intelligence with law enforcement and intelligence agencies such as the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC). There is a strong public/private relationship where we share threat intelligence so we can better protect the community, ourselves and each other. When we find a way to respond to a threat we share that very quickly, which helps to not only keep our customers and our systems safe, but it also helps the broader industry, which is important to us.
BT Panorama is a wealth platform in Australia that’s part of a major banking organisation, so we get all the benefits of Westpac’s technology, IT infrastructure, and cybersecurity capabilities – a defence in depth and due diligence that is strong. We need to comply with more stringent group standards. And we've got a huge array of experts on call immediately to jump to our assistance.
Q: Can you tell us more about how this works?
Simon: Cybersecurity is a key focus area for Westpac – and we know it’s important to our customers, and the broader community. We have a dedicated cybersecurity function which leads this work, with support from across the organisation. Our executive team and board take an active interest in the Westpac group’s cybersecurity work.
Westpac deploys and maintains modern security technologies and procedures to protect information, which are monitored and reviewed to ensure they remain relevant and operate effectively. We use technical and process controls to protect the confidentiality and integrity of information, and to ensure our systems are available. We also train our people to protect the security of information and to make informed cybersecurity decisions. Those cyber security controls are monitored and reviewed for appropriateness – and we actively test the security of our controls and systems.
All that is underpinned by policies and standards, which are also instrumental to demonstrating how we comply with legal and regulatory requirements.
Our executive team and board take an active interest in the Westpac group’s cybersecurity work.
We are always improving our privacy and security processes.
Q: How can advisers and customers be sure their information is held privately and securely?
Michele: We take our privacy and security obligations very seriously, and are always improving our privacy and security processes, with a focus not only on regulatory compliance but also best practice standards. BT is subject to the Australian Privacy Act 1988. That Act regulates how and why we collect personal information, the reasons we're allowed to collect it, keep it, and store it, how we protect it and how and when we delete it. There are also specific obligations with respect to individual rights. For example, individuals have the right to access and correct their personal information.
Q: What are you allowed to do with customer data?
Michele: The important thing to note here is that personal information belongs to the person it’s about; BT are the custodians of that information, and it’s very important to us that we uphold that obligation responsibly and ethically.
Our practices on personal information use are, of course, guided by the law. We have to collect personal information for a specific, stated purpose, in a fair and upfront way. We also have to be transparent about the personal information we’re collecting and why, and what we plan to do with it.
We take these obligations very seriously and the best place to understand how we use personal information is the BT Privacy Statement, and for certain products, the product disclosure statement (PDS).
BT are the custodians of that information, and it’s very important to us that we uphold that obligation responsibly and ethically.
Some of the more typical uses you’ll see listed there include providing the product or service the customer is signing up for, ID verification and fraud prevention, meeting our legal and regulatory obligations. We take great care to ensure that the Privacy Statement and our PDSs are up-to-date and accurate, so that our customers know up-front how and why we use personal information.
The same rules apply for how we are allowed to share personal information; that is, the reason must be linked to our original purpose for collecting the information and customers must be aware. Practically speaking, that means the reason for sharing is listed in our Privacy Statement and/or, in certain circumstances, the PDS. Our Privacy Statement in particular lists the reasons that we might be required to share personal information, and the type of recipient we are sharing it with. One common example is sharing personal information with a third-party provider that is required to provide the service to the customer. Or, to take a different example, where we are required by law to share personal information with law enforcement bodies, we will of course, do so. However, even in those circumstances, we will always consider customer privacy when meeting those requests by ensuring that the information provided does not exceed what is required by law.
To learn more about cyber security, including how advisers can play their part in keeping customer details safe, please visit our cyber and financial crime hub or request a call back.
Disclaimer
Important information
Information current as at 28 November 2023. This paper has been prepared by BT, a part of Westpac Banking Corporation ABN 33 007 457 141 AFSL & Australian Credit Licence 233714 (Westpac). The views expressed in this paper are those of the individuals alone unless otherwise quoted, and do not reflect the views or policy of any company in the Westpac Group It has been prepared for the information of licensees and financial advisers only. The information contained in this paper provides an overview or summary only and it should not be considered a comprehensive statement on any matter nor relied upon as such. The paper does not contain, and should not be taken to contain, any financial product advice, and has been prepared without taking into account any personal objectives, financial situation or needs, and you should consider its appropriateness with regard to these factors before acting on it. © BT - Part of Westpac Banking Corporation 2023
