The Australian Cyber Security Centre (ACSC) has reported that over 2020–21, it received more than 67,500 cybercrime reports — an increase of nearly 13 per cent from the previous year. This increase equates to one report of cyber attack every eight minutes compared to one every 10 minutes in the previous year. The increasing frequency of cybercriminal activity is compounded by the increased complexity and sophistication of their operations. Nearly half of reported incidents were categorised as having ‘substantial’ impact.
All sectors of the Australian economy — government agencies, large organisations, critical infrastructure providers, SMEs, individuals — were targeted.
The ACSC identified the exploitation of the pandemic environment as one major cyber security trend seen in 2020–21. In addition, business email compromise continues to present a major threat to Australian businesses and government enterprises, especially as more Australians work remotely. In 2020–21, the average loss per successful event was more than $50,600 — more than 150% higher than the previous year.
Note: October is Cyber Security Awareness Month.
Tax professionals are amongst those who have shifted their operations from the office to their homes for extended periods, particularly in Victoria, NSW and the ACT. This has inevitably been accompanied by a need to address online security matters for the practice as a whole, for each practitioner or employee working via their home internet networks, and for their clients.
The ATO website contains cyber security guidance to protect practitioners’ businesses and clients. In addition, protecting client data is an obligation of registered agents, regardless of work restrictions, and a revisit of the TPB’s longstanding guidance on cyber security insurance is particularly timely.
While there is an end in sight to protracted stay-at-home orders, remote work arrangements and the online exchange of sensitive client information will not be disappearing. Cyber security guidance remains relevant and tax practitioners need to ensure their security systems and policies remain robust to address ongoing and emerging threats.
The ATO has developed some resources to assist tax professionals with improving their cyber security.
It recommends that tax professionals:
The advice is developed in consultation with the Cyber Security Stakeholder Group (CSSG), a group of tax practitioner industry associations and other industry partners, such as software developer associations.
In addition, an online security self-assessment tool for businesses and tax professionals is available on the ATO website.
A data breach occurs when confidential taxpayer information has been accessed by an unauthorised third party.
Examples of data breaches include but are not limited to:
An unlawful acquisition of client information can occur not only from cyber attacks conducted remotely, but also from an in-person theft of tangible equipment and paper documents.
The ATO notes that reports of stolen equipment and data are a regular occurrence. Methods of theft include dumpster diving, letterbox theft, unattended paper or electronic files, theft from wallets, and theft of briefcases or laptops.
The ATO has reported that in one instance, a tax agent had their laptop and documents containing confidential client information stolen from their car. Subsequently, it appeared that the stolen data was used to commit identity theft and to lodge fraudulent PAYG summaries using the clients’ accounts.
Where a client has been a victim of a data breach, options can include one or more of the following depending on the severity of the breach and any resultant fraud attempts:
Other government bodies with relevant guidance and information include the following:
Implementing strong cyber security controls is not only good business practice, it is also one way for registered agents to meet their statutory obligations to their clients.
One of the key sources of obligations is the Code of Professional Conduct (the Code) in the Tax Agent Services Act 2009 (the TASA). In particular, registered agents must be mindful of Code item 6 (confidentiality) which provides that a registered practitioner must not disclose any information relating to a client’s affairs to a third party without the client’s permission, unless there is a legal duty to do so.
TPB Practice Note TPB(PN) 1/2017 sets out the TPB’s practical guidance to registered agents in relation to their obligations under the Code in respect of the use of cloud computing.
Relevant factors to consider in ensuring compliance with Code Item 6 include, among other things:
If a registered practitioner breaches the Code, including in the context of cloud arrangements, the TPB may impose one or more administrative sanctions, including issuing a written caution or order, or suspending or terminating a registered practitioner’s registration.
There may also be commercial and other legal consequences such as an action for damages.
The Privacy Act sets out a number of Australian Privacy Principles (APPs) which govern the use, storage and disclosure of personal information. Information is available on the OAIC website. The TPB encourages practitioners to seek advice as to whether the provisions of the Privacy Act apply to them.
The Privacy Act also contains the NDB scheme which mandates the reporting of eligible data breaches that occur on or after 22 February 2018.
The NDB scheme requires organisations covered by the Privacy Act to notify any individuals likely to be at risk of serious harm by a data breach. Advice must include recommendations about the steps that should be taken in response to the data breach.
The TPB and the ATO do not have oversight of these requirements — which are administered by the OAIC — but tax practitioners must be aware of their obligations.
The TPB in its NDB guidance material notes that a failure of a registered agent to comply with the NDB rules may be considered in determining whether the agent has breached the TASA, including the Code. In particular, factors to be considered in the context of Code item 6 include:
The TPB has released Practice Note TPB(PN) 4/2021 to provide practical guidance in relation to using and disclosing a client’s TFN and TFN information in email communications. An email may be vulnerable to unauthorised access during transmission from sender to recipient.
Laws to which a tax practitioner may be subject in relation to TFNs include:
In the Practice Note, the TPB notes that whether a disclosure by a practitioner of a TFN in an unsecured email would amount to an offence under the TAA would be determined by the surrounding circumstances, including the steps taken by the practitioner.
The Practice Note also sets out some suggestions of practical security measures and procedures which tax practitioners may consider to protect the security of TFN information in email communications.
If a registered agent fails to protect the TFNs or TFN information of clients, there may be implications in relation to the TASA — in particular, Code item 6.
A registered tax agent, BAS agent or tax (financial services) agent is required to maintain, or to be able to maintain, professional indemnity (PI) insurance that meets the TPB’s requirements in order to maintain registration eligibility.
Failure to maintain appropriate PI insurance may result in sanctions which range from written cautions to suspension or termination of the agent’s registration.
The TPB’s PI requirements are outlined in Explanatory Paper TPB(EP) 03/2010.
Adequate cover is cover that will both:
Whether PI insurance is ‘adequate’ depends on the nature of the agent’s business. Relevant factors may include the volume of business, the number and kind of clients, the types of services provided, the number of employees and the degree of risk.
While the law does not prescribe the specific features of an adequate policy, the Explanatory Paper sets out the TPB’s recommendations on policy features. This list of features includes cyber insurance cover. Relevantly, once an agent has assessed the risk of a cyber-attack, the TPB recommends they consider whether they require additional protection against cyber threats, including losses that an agent may suffer from a cyber-attack.
These losses are known as ‘first party losses’. First party losses resulting from a cyber-attack that an entity may suffer include ‘denial of service’ attack, costs of rectifying harm done (such as repairing and restoring systems that have been damaged by malicious acts), the costs of improving cyber security, undertaking forensic investigations to identify the source of a cyber-attack, reputational damage and the costs of managing a reputational crisis and extortion costs.
PI insurance policies are limited to responding to losses stemming from a deficiency in the tax agent services provided by the tax practitioner. Therefore, PI insurance policies will generally cover tax practitioner liability for cyber-related events or incidents only if the liability arises in relation to the tax practitioner’s provision of tax agent services. This is in contrast with cyber insurance cover, which generally covers events such as third party cyber liability, first party hacker damage, cyber extortion, data breach notification costs and public relations costs.
Accordingly, the TPB recommends that tax agents and BAS agents obtain additional cyber insurance, in addition to maintaining PI insurance that meets the TPB’s requirements.
Need to catch up on the current tax landscape? We offer online tax training on a monthly basis – join us for a general Tax Update or a more in-depth special topic or presentation.