Can you prevent a hack?

Clarke McEwan Accountants



In the wake of the Optus data leak, legislation before Parliament will lift the maximum fine for serious or repeated breaches of the Privacy Act from $2.2m to up to $50m. But there are no guarantees that even the strongest safety measures will prevent an attack. So, what does that mean for businesses and their customers?


Legislation before Parliament will lift penalties for serious or repeated privacy breaches, provide new powers to the Australian Information Commissioner, require entities to provide detailed data to the Information Commissioner to assess public risk, and give the regulator greater information sharing powers. In a statement, Attorney General Mark Dreyfus said, “When Australians are asked to hand over their personal data they have a right to expect it will be protected.” But the question is, can any business claim that customer data will be protected from hackers?


If a customer needs to disclose their personal information to your business to work with you, at the point the data is collected, your business is the custodian of that data. A duty of care exists from the moment the data is collected to the point the information is no longer required and destroyed.


The Privacy Act requires organisations to take “reasonable steps” to protect the data collected. ‘Reasonable’ steps “requires the existence of facts which are sufficient to [persuade] a reasonable person.” That is, in the event of a data breach, the business will need to prove the steps it has taken to protect client data.


Lessons from RI Advice


Australian Competition and Consumer Commission v RI Advice Group Pty Ltd was a landmark case. While specific to the obligations of an Australian Financial Services License (AFSL), it demonstrates that ASIC are willing to pursue not just companies that breach their duty of care but the directors and officers involved.


RI Advice is a financial services company that, through its AFSL, authorised representatives to provide financial services. As you would expect, as part of providing financial services, the authorised representatives received, stored and accessed confidential and sensitive personal information. Between June 2014 and May 2020, nine cybersecurity incidents occurred at practices of RI Advice’s Authorised Representatives. Enquiries following the incidents revealed:


  • Computer systems which did not have up-to-date antivirus software installed and operating
  • No filtering or quarantining of emails
  • No backup systems or back-ups being performed; and
  • Poor password practices including sharing of passwords between employees, use of default passwords, passwords and other security details being held in easily accessible places or being known by third parties.


RI Advice took steps to manage their cybersecurity introducing a cyber resilience program, controls and risk management measures for its representatives including training, incident reporting, and contractual professional standard terms, but by its own admission, it took too long to implement.


RI Advice was ordered to pay $750,000 towards ASIC's costs. Handing down the decision Justice Rofe said, “It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”


Scams and how to avoid them


I got a text the other day “Hi Mum, I have broken my phone and I am using this number.” The “Hi Mum” scam has exploded with more than 1,150 Australians falling victim to the ploy in the first seven months of 2022, with total reported losses of $2.6 million. Once the scammer establishes contact, they start requesting money for an urgent bill or a replacement phone etc. For those with children or dependent family members, it is not that hard to believe. According to the Australian Competition and Consumer Commission (ACCC), two-thirds of family impersonation scams were reported by women over 55 years of age.


Another common scam is the lost or unable-to-deliver package text and voicemail. With Christmas just around the corner, we can expect to see another escalation of this scam, where tracking links purportedly from Australia Post, Toll, or Amazon etc. are used to install malware. Once the link is opened, the malware harvests your contacts to spread itself further and can potentially access your personal information and bank details.


In July, the Australian Taxation Office (ATO) reported a new wave of ‘Tax refund SMSF scams’. The texts purported to be from the ATO, stating that the individual had a tax refund and should click on the link and complete the form. Another scam purporting to be from the ATO advised that the recipient was suspected of being involved in cryptocurrency tax evasion and requested that they connect their wallet, at which point the wallet was accessed and any assets stolen.


The ACCC’s Targeting Scams report states that in 2021, nearly $1.8bn in losses were reported but the real figure is likely to be well over $2bn.


The largest combined losses in 2021 were:


  • $701 million lost to investment scams with 2021 figures significantly increased by cryptocurrency scams - more scammers are seeking payment with cryptocurrency and losses to this payment method increased 216% to $84 million.
  • $227 million lost to payment redirection scams.
  • $142 million lost to romance scams.


Protecting yourself from scams


Help educate older relatives. The over 55s are the most likely to fall victim to a scam.

  • Always use the primary website or app of your suppliers not a link from a text or email.
  • Don’t click on links from emails or text messages unless you are (absolutely) certain of the source. For email, if the sending email domain is not clear or hidden, hover over the name of the sending account to check if the email is from the company domain.
  • For Government services, use your MyGov account. Any messages to you from the ATO or other Government services will be published to your MyGov account. Never click on links purporting to be from a bank, the ATO or a Government department.


Protecting your business from scams


Payment redirection scams, where the email of the business is compromised, caused the highest reported level of loss for business in 2021 at a combined $227 million.

Payment redirection scams involve scammers impersonating a business or its employees via email and requesting an upcoming payment be redirected to a fraudulent account. In some cases, scammers hack into a legitimate email account and pose as the business, intercepting legitimate invoices and amending the bank details before releasing emails to the unsuspecting business. Other times, scammers impersonate people using a registered email address that is very similar to one from a legitimate business.
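The “hover over the sender” advice in the list above and the lookalike-address pattern just described both come down to one check: is the sending domain actually one of your suppliers, or something built to resemble it? The following is an added example for this article, not code from the original post or from the firm. It assumes a constructed list of trusted supplier domains (`TRUSTED_DOMAINS`) and constructed sample `From:` headers; the heuristics it applies (exact or subdomain match, a trusted name reused as the subdomain of another domain, digit-for-letter homoglyph folding, a small edit distance, and a trusted company name appearing in the display name or mailbox name) are illustrative, not a complete anti-phishing control.

```python
"""
Lookalike-sender check for incoming payment requests.

Added example (not part of the original article): given a list of trusted
supplier domains, classify a From: header as 'trusted', 'lookalike' or
'unknown'. All domains and headers below are constructed for illustration.
"""
from email.utils import parseaddr

# Assumed (constructed) suppliers whose invoices the business pays.
TRUSTED_DOMAINS = {"acme-supplies.com.au", "northwind.com"}

# Digits commonly substituted for the letters they resemble.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(domain: str) -> str:
    """Lower-case and fold common visual substitutions ('rn' for 'm', 'vv' for 'w')."""
    folded = domain.lower().translate(HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> dict:
    """Return {'verdict': ..., 'reason': ..., 'domain': ...} for a From: header value."""
    display, address = parseaddr(from_header)
    local, _, domain = address.rpartition("@")
    domain = domain.lower()
    if not domain:
        return {"verdict": "unknown", "reason": "no parsable address", "domain": ""}

    # 1. Genuine supplier: the domain itself or a subdomain of it.
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return {"verdict": "trusted", "reason": "domain match", "domain": domain}

    # 2. Imitation of a supplier by domain shape or by borrowed name.
    for trusted in TRUSTED_DOMAINS:
        company = trusted.split(".")[0].replace("-", " ")  # 'acme supplies'
        if domain.startswith(trusted + "."):
            reason = f"trusted name '{trusted}' used as a subdomain of another domain"
        elif normalise(domain) == normalise(trusted):
            reason = f"homoglyph variant of '{trusted}'"
        elif edit_distance(domain, trusted) <= 2:
            reason = f"within two edits of '{trusted}'"
        elif company in display.lower().replace("-", " ") or company in local.lower().replace("-", " "):
            reason = f"display or mailbox name borrows '{company}' but domain is not trusted"
        else:
            continue
        return {"verdict": "lookalike", "reason": reason, "domain": domain}

    return {"verdict": "unknown", "reason": "no resemblance to a trusted domain", "domain": domain}


# Constructed sample headers: one genuine supplier and four variations on it.
SAMPLE_HEADERS = [
    "Accounts <accounts@acme-supplies.com.au>",
    "Accounts <accounts@acme-supp1ies.com.au>",
    "Jane Doe <jane@northwind.com.invoice-portal.net>",
    "Northwind Billing <billing@outlook.com>",
    "Someone <someone@unrelated.org>",
]


def scan(headers):
    """Classify each header; returns a list of (header, verdict) pairs."""
    return [(h, classify_sender(h)["verdict"]) for h in headers]


if __name__ == "__main__":
    for header, verdict in scan(SAMPLE_HEADERS):
        print(f"{verdict:9s} {header}")
```

A “lookalike” verdict is a prompt for the accounts-payable control the article goes on to recommend, not a verdict on its own: any payment request or change of bank details from such a sender should be confirmed by phone using a number already on file, never one taken from the email.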


  • Educate your team about threats and what to look out for, the importance of passwords and password security, and how to manage customer information. Phishing attacks, if successful, provide direct access into your systems.
  • Ensure staff only have access to the business systems and information they need. Assess what is required and close out access to anything not required. Also assess how customer personal information is accessed and communicated. Personal information should not be emailed. Email is not secure and it is too easy for staff to inadvertently send data to the wrong person.
  • No shared login details or passwords.
  • Complete a risk assessment of your systems and add cybersecurity to your risk management framework.
  • Develop and implement cyber security policies and protocols. Have policies and procedures in place for who is responsible for cybersecurity, the expectations of staff, and what to do in the event of a breach. Your policies should prevent shadow IT systems, where employees download unauthorised software.
  • Understand your organisation’s legal obligations. For example, beyond the Privacy Act some businesses considered critical infrastructure such as some freight and food supply operations are subject to the Security of Critical Infrastructure Act 2018. This might involve small businesses in the supply chain.
  • Use multifactor authentication on your systems and third-party systems.
  • Update software and devices regularly for patches.
  • Back-up data and have backup protocols in place. If hackers use ransomware to lock your systems, you can revert to your backup.
  • If customer data is being shared with related or third parties domiciled overseas, ensure your customer is aware of where their data is domiciled and your business has taken all reasonable steps to enforce the Australian Privacy Principles. Your business is responsible for how the overseas recipient utilises your customer’s data.
  • Only collect the customer data you need to provide the goods and services you offer.
  • Ensure protocols are in place for accounts payable.
  • Don’t forget the hardware – laptops, computers, phones. 