New ASIC Breach Reporting Obligations
As with any regulatory change, there is a lifecycle: Design, Development, Implementation, and Transition to BAU. The first three stages are nearly complete, but history suggests the fourth is where things most often go wrong.
Below are the things to consider as the “project” transitions to BAU:
- Roles – have roles from Executive to Frontline been articulated and assigned, including a clear delineation between those who make findings of fact (Reporting) and those who have authority to assess whether a breach has occurred (Governance)?
- Policies – have policies, processes and procedures been updated or documented?
- Training – have you included an assessment of understanding and kept records of it?
- Monitoring – observation of what is actually happening. Many of the obligations span wide areas of the business. Are all the bases covered? Is there the capacity to measure what is happening across that span?
- Reporting – an assessment/analysis of what is happening, plus recommendations for action where required. Are the means to detect each category of reportable breach in place, including the means of recording the necessary data? Have sufficient resources been allocated to complete the analysis within the time needed to meet the overall reporting timeline? Do those resources know how to determine what is significant and what is not? Some matters are ‘automatically considered significant’ by their nature, such as gross negligence and serious fraud; and
- Governance – decision making and oversight to ensure that what needs to be done is in fact done.
Breach reporting is much more than telling the regulator you made a mistake or have an issue. You must also explain how it happened and what is being done, or will be done, about it, and all of that within a challenging timeframe. Are those charged with oversight clearly aware of their duties and the timeframes? And are they satisfied that everything needed to support them is in place and sufficiently resourced, in both skills and headcount, to operate within those timeframes?
Remember that you need records to prove things are in order. You cannot rely on saying “we have no records of breaches, therefore we are compliant.” There is a requirement to hold evidence of compliance: evidence that all of the above is in place and operating effectively.
- Extended reporting period – reports must be lodged within 30 calendar days (compared with the previous 10 business days); but
- The clock starts ticking earlier – the 30 days commence when you know (or should know) whether a reportable situation has arisen.