Financial services industry overconfident and ill prepared when it comes to cyber security


Julian Plummer

A survey of the financial services industry conducted by Kamino Cyber Security in October 2017 has revealed that most financial advisers, accountants and superannuation funds are not adequately prepared when it comes to cyber security – particularly in regard to the new Data Breach Notification Laws which came into effect in February 2018.

The laws state that:

  • Where a suspected unauthorised access occurs, the organisation must undertake an assessment of whether the incident is an “eligible data breach”.
  • As part of that assessment process, the organisation must decide whether the incident is “likely to result in serious harm” to any individuals.
  • If an “eligible data breach” has occurred then the organisation must provide notification of the incident to the Office of the Australian Information Commissioner (OAIC) and take steps to notify affected individuals.

Only 32% of survey respondents were aware of the mandatory data breach notification laws, with the remaining 68% either completely unaware or only somewhat aware.

Managing Director of Kamino, Julian Plummer said these results were highly concerning, particularly since the survey uncovered that 45% of those surveyed within the industry had experienced at least one cyber security incident (both successful and unsuccessful).

Mr Plummer stated that “These laws will have a huge impact on the businesses affected. This lack of awareness of the laws most likely translates to an overall lack of preparedness for the changes now in effect, which is worrying considering the ramifications of a cyber breach incident on a financial planning or accounting practice.”

“Most respondents appeared to have a very good understanding of what is at stake in the face of a cyber incident. Customer information is of the utmost importance, and the survey revealed that business owners realise that their brand must be protected from being tarnished by cyber incidents, which could lead to direct revenue loss. However, this has not been reflected in the preparations and processes which should be set in place to protect advisers, accountants and superfunds from potential cyber-attacks.”

Only 46% of survey respondents said they would be adequately prepared to deal with a cyber attack on their business, while 25% said their business was not doing enough to adequately protect its systems from cyber threats and the remaining 29% were unsure.

Alarmingly, only 28% of survey respondents had full confidence in their staff’s cyber security hygiene, which Mr Plummer said is “particularly concerning considering that ‘human error’ is one of the biggest weaknesses in enterprise security defence.”

Overall key findings of the survey include:

  • There appears to be over-confidence, especially among business owners, when it comes to dealing with cyber threats. Many believe that they are well protected against threats, relying only on their own expertise or general computer technicians.
  • Most are not aware of their responsibilities under the incoming mandatory data breach notification laws. Ignorance of cyber security risks could become very costly for those who are affected (all accountants, and any business that stores TFN data or with a turnover over $3M).
  • The most common cyber incidents are caused by malware or phishing emails, indicating that there is a lack of basic security hygiene in the industry, and some very basic blind spots around user education.
