Julian Plummer, managing director of Kamino Cyber Security and Midwinter Financial Services, said that the Australian data notification laws, which are set to receive royal assent in February, will also affect offshore administrators or service providers used by Australian firms.
The recently introduced laws specify that all businesses with an annual turnover of $3 million or higher will be required to notify individuals and the regulator (OAIC) when cyber security incidents compromise personal information, Mr Plummer explained.
Firms dealing with high-net-worth clients, like SMSF clients, should be particularly wary.
“Any SMSF firms that are using offshore administrators or service providers must also study the obligations closely as the mandatory data breach legislation also impacts overseas located service providers,” he said.
“So if you've got an SMSF administrator located overseas, and you're offshoring that work, and they get hit by a data breach, you will have to report on behalf of them. That's something that SMSF advisers may not be aware of.”
Mr Plummer said SMSF firms here in Australia that outsource work to offshore firms should ensure they have robust security processes in place.
“There are advantages to dealing with companies that are located in Australia as they are obliged to obey Australian laws, but generally there are ways to ensure that your partners have security front of mind, and that's to ensure that they have ISO security certification and that information is generally pretty easy to get,” he said.