CPD: Protecting your most valuable assets

From

The federal government is offering small businesses the opportunity to apply for up to $2,100 in funding to help get their cyber security tested.

The clients of a financial advisory practice are arguably its most valuable asset; a failure to protect client data may not only have legal ramifications, it’s also a question of ethics. Failing to provide a safe physical and online environment for sensitive financial information could expose clients to fraud, identify theft and financial loss. Another valuable asset easily lost and hard to regain is your good name. This article examines the importance of protecting one of your most valuable assets – your clients’ data.

Australia is under attack. Every day there are thousands of attempts to access private information held by individuals and businesses, institutions and government departments. Some are of a scale to make the news, others become newsworthy when personal information has been compromised.

There are a number of ways a cyberattack might harm an individual or business, including:

  • integrity breaches – the manipulation of correct data
  • confidentiality breaches – theft of personal information
  • availability breaches – such as shutting down critical infrastructure and online services.

Cyber security is critically important to all organisations that hold confidential information, such as financial planning practices. It is essential to maintaining trust between your business and your clients.

During National Scams Awareness Week, held in August 2019, the Australian Competition and Consumer Commission’s (ACCC) claimed that Australians are set to lose more than half a billion dollars in scams this year, with investment scams one of the costliest offenders.

This projection follows the release of the ACCC’s Targeting Scams report[1] in May 2019; it found Australians lost $489.7 million to scams in 2018, a 44 percent increase from the $340 million reported in 2017. In fact, in the first six months of 2019, Australians lost more than $58 million to scams; of this amount, $23.7 million was lost to investment scams[2]. In 2018, the ACCC tracked $4.5 million in losses across over 3,000 small businesses.

According to the ACCC, investment scams are particularly sophisticated and convincing and tend to have the most significant financial losses. Interestingly, many scams aren’t focused on the gullible; instead they target confident people, those who believe they wouldn’t fall for a scam. People that might be just like your clients. It’s in your clients’ best interests to be made aware of scams that may attempt to part them from their money. It’s not just a question of good business practice, it’s a matter of ethics, of doing everything possible to put your clients’ best interests at the heart of what you do. After all, ethical standards hinge on meeting the best interests test.

The global landscape

Cybercrime is big business worldwide. Whether it’s being used to spread disinformation and influence voters, hold individuals’ computers to ransom in exchange for a bitcoin payment, or crippling businesses, cyberattacks are becoming common place.

In an interview ahead of this year’s Berkshire Hathaway Annual Shareholders meeting, Warren Buffett said one of his biggest concerns is cyberattacks. In the United States over the 12 months ending 31 March 2019, 25 percent of cyber-attacks targeted banks and finance institutions, while there was a 212 percent increase in hacking credit cards[3].

Investment scams are prevalent in every country. The UK’s Financial Conduct Authority announced Britons lost more than £200 million to investment scams in 2018 and in the US, seniors lost more than US$2.9 billion to scams, largely by people impersonating the Internal Revenue Service (IRS).

Cybersecurity

Protecting your client data is essential. It’s important for your clients’ security, it’s important for your reputation, it’s good business practice and it’s in your clients’ best interests.

It is now a legal requirement for businesses to carry out an assessment whenever you suspect there may have been loss of, unauthorised access to, or unauthorised disclosure of personal information you hold. If serious harm is likely to result, you must notify affected individuals so they can take action to address the possible consequences. You must also notify the Office of the Australian Information Commissioner (OAIC).

The requirement to notify individuals of eligible data breaches goes to the core of what should underpin good privacy practice for any practice—transparency and accountability.

In February 2018, the Notifiable Data Breaches scheme (NDB scheme) was launched. It introduced new obligations for organisations, such as financial planning practices, that have existing information security obligations under the Privacy Act 1988 (Cth).

In the year ended 31 March 2019, the NDB scheme recorded[4] 964 data breaches:

  • 60% of those were criminal or malicious attacks
  • 153 cyberattacks were attributed to phishing
  • 83% of data breaches effected fewer than 1,000 people

In the finance sector, human error accounted for 41% of data breaches, compared with an average of 35% for all sectors. As the holder of important and sensitive personal client information, protecting your clients’ data is essential.

Strategies for data protection

The breakneck speed of advancements in technology introduces a number of complexities. While we laud the accessibility of information and the ease of doing business that technology delivers, it can be a double edged sword. The comprehensive move to being connected, always and everywhere, by computer, smartphones and tablets, creates vulnerabilities that can be exploited by criminals.

Securing your clients’ data is as much about behaviour as it is hardware and software. It’s imperative to adopt good security practices and ensure every member of your team understands and follows those practices. Data needs to be protected wherever you do business – in your office, at home, and anywhere offsite that client data may be accessed or used. Data security should form part of your business’s overall risk management strategy.

Data security plan

As with many things, the adage – fail to plan, plan to fail – is an apt reminder here.

In the first instance, your practice should develop a data management and cybersecurity plan to ensure you have considered and covered all potential sources of data breach. Involving your team is important; an effective way to do this can be planning for different scenarios. That way each team member can think about data as it relates to their role – how it could be breached and therefore, how to best protect it.

A data security plan should detail your firm’s security practices and include policies for your employees to read and acknowledge; it’s also important that data security forms part of the induction for your new employees.

The plan should also include how you collect and store clients’ personal information. It is good practice to review your privacy policy and data usage and collection documentation on a regular basis. It’s common practice to share such documents publicly, via a link from your website, which is a good accountability process.

Finally, as with any good plan, it should not be set and forget. Technology changes rapidly and your plan needs to keep pace. Whether it’s a new type of cyber threat, a system change, new software or a move to new mobile devices, the plan – and your responses – must be kept up-to-date and relevant.

There are several steps you can take to create a data security plan. These include:

Step one: Identify and locate your data

Identify all sources of information that your practice handles; client’s personal information, bank account and investment details, CHESS and managed fund data, as well as details about investment portfolios, insurance and more.

Importantly, you need to know where the data is located – hard copy, internal systems or on third party systems your practice uses.

List out your service providers; you need to consider financial planning software, dealer group portals, any cloud services you use. Ultimately, you are responsible for ensuring that any third parties who handle your clients’ data have appropriate security measures in place; indeed that should form part of any due diligence undertaken on third parties.

Step two: Evaluate business and data management processes

Consider how data is collected, stored, accessed and distributed by the different team members in your business. Are there gaps that need to be addressed? Some of the issues that could be addressed include:

  • The use of email in your business – is sensitive information sent by email? If so, how can you protect it? Can you provide a link to a secure web portal or send the information using a password protected PDF document?
  • Are all documents, including email, kept behind a firewall that will protect them from cyber threats?
  • Does your business retain hard copy files; if so, are they secured so they cannot be accessed by unauthorised people?
  • Do you review passwords across the business to ensure they are changed with reasonable frequency? It’s also important to ensure they are ‘strong’ passwords and unlikely to be guessed. The top three passwords of 2018 were 123456, password and 123456789. While it is not ideal to keep records of passwords, where it’s necessary, it’s important to make sure they’re stored securely – not on post-it notes attached to the computer screen or under the keyboard!
  • The advent of the cloud has made secure data storage and access simpler and less expensive; who has access to your cloud data and have data management protocols been established?

These days, it’s rare for anyone to work offline, so you need to ensure each staff member understands how to stay safe online. While many of your staff will probably believe they know this, the number of people who fall prey to phishing scams (responding to emails) or who click links that expose their computer (and potentially, the whole network) to malware suggests not everyone is security savvy. It is important to reinforce the need to protect client information and data.

Step three: Check out your service providers

While it’s important to conduct due diligence on all new service providers, you should ensure existing providers have procedures to manage and secure your clients’ data. Some of those you need to consider include:

  • Platforms and managed account providers
  • Financial planning software
  • Providers of software and tools that use client data
  • Web hosting and management services
  • Cloud services
  • Your email provider.

If, like many businesses, you store information in the cloud, you need to be cognisant of where you and your team store company documents. Where in the cloud is it, who has access to what files and most importantly, who is responsible for removing access once an employee departs your business?

Step four: Review your technology and security systems

It’s really important to keep all devices and their operating systems up-to-date. Often an update might include protection against a new cyberthreat. Maintaining and updating all electronic devices – computers, tablets and smartphones – will help reduce the risk of infection or intrusion. Older software will continue to have the same bugs and issues with code that allow hackers and cyber criminals to get up to good. This is made more serious by the fact that most exploitable software ‘holes’ are made public once an update is released.

As quickly as software providers find ways to fix vulnerabilities in their software, hackers have found new ones, which is why internet security software is essential. It should also be regularly updated to protect against the latest threat. Most provide real-time alerts should you receive a dangerous file, email, or attachment, and block them from reaching you.

The best way to keep everything up-to-date is to ensure all software is set to update automatically. Similarly, computers should be set to auto-update for operating system patches. You can also pen test; penetration testing is a process by which software is deployed against your digital infrastructure to find and expose any weaknesses in your setup. This way, you can address any areas of vulnerability before someone with criminal intent is able to exploit them.

As well as putting client data at risk, poor internet security could see a virus spread to your suppliers, clients and other contacts, exposing them to risk. This could be costly in terms of both reputation and reparation, depending on the severity of the attack.

Step five: Develop an incident response plan

Although you can plan for the best, the worst can sometimes happen. If your systems are hacked or someone in your practice has unwittingly passed on a piece of malware, you need a plan to deal with it. Ideally, this plan should have been created in advance and not on the hop.

Most importantly, if your clients are impacted in any way at all – their data has been comprised, or they may receive an infected email – they need to be informed. Data breaches must also be reported to the OAIC.

Step six: Review your plan

Regular reviews, coupled with having the good systems and procedures in place, will help you mitigate the risks of a cyberattack and help to keep your client data safe. Because of the constant evolution of cyber threats, the plan needs regular review.

Once established, you should communicate the security measures you have implemented to your clients and prospects. They will be reassured to know you have an established plan and implemented procedures to protect their data.

After all, the last thing you want to have to do is call your clients to tell them your practice has been hacked and their personal information compromised. Fixing problems caused by cyber threats is bad enough; winning back client trust after a serious breach can be significantly more difficult.

ASIC good practice

ASIC has created a series of cyber resilience good practices[5] to help businesses operate ‘good practice’ adaptive and responsive cyber resilience processes. ASIC notes that the good practices it observed in relation to cybersecurity strategy and governance were characterised by board (or management team) ‘ownership’, and responsive and agile governance models.

Good practice 1: Board engagement

A company’s board – or for many smaller practices, the management team – should take ownership of the cyber strategy. It needs to be developed and reviewed on a regular basis to assess progress against success measures outlined in the strategy. Measures may include time to detection, speed of response and recovery process.

Good practice 2: Governance

In a rapidly changing cyber-risk environment, today’s policies and procedures are often quickly superseded. Adjustments may be driven by events and incidents rather than reviewing at fixed time periods.

ASIC links cybersecurity governance to other governance processes and procedures; the documented strategies, rules and procedures should be consistent with your overall governance framework.

Good practice 3: Cyber risk management

Business should access available intelligence and automation to enhance their cyber risk management processes.

Good practice 4: Third-party risk management

Organisations should develop risk-based assessment methods and tools to ensure third-party suppliers and partners are regularly assessed to guarantee compliance with required security standards.

Good practice 5: Collaboration and information sharing

Collaboration and information sharing with like businesses can help inform good practice.

Good practice 6: Asset management

Visibility of critical assets across the organisation is important and supports management of software versions and security patches.

Good practice 7: Cyber awareness and training

Development of organisation-wide programs and strategies to ensure staff awareness and education, including for contractors and partners, is important. Cyber risk management strategies should be based on a program of continuous development of knowledge and awareness, so that through active vigilance, staff become an effective defence against malicious cyber activities by preventing incidents arising from attempted phishing attacks and other forms of social engineering.

Good practice 8: Protective measures and controls

Proactive measures and controls for cyber risks are characterised by implementation of the Australian Signals Directorate’s (ASD) Strategies to mitigate targeted cyber intrusions (or equivalent), as well as a range of additional controls.

Good practice 9: Detection systems and processes

Continuous monitoring systems should be implemented to monitor cyber events on the organisation’s network and systems. Good practices are characterised by the use of company-wide continuous monitoring systems and the use of data analytics to integrate sources of threats in real time.

Good practice 10: Response planning

Response planning for cyber risks is different from standard business continuity planning because the scenarios are not as predictable because of the range of threat sources and the speed at which the sophistication levels of attacks are changing.

Good practices we observed included routine and detailed scenario planning, war gaming, proactive reporting to the board and well-developed communication plans.

Good practice 11: Recovery planning

In the event of a data breach, organisations have actively determined when and how to notify customers – there is a well-defined communication plan in place for managing stakeholders.

Educate your clients about cybersecurity

As well as protecting their data, advisers should help their clients understand the threats they may face. After all, most scams seek to part individuals from their money, a poor outcome for both you and your client. Educating your clients about known scams and keeping them up to date when you hear of something new is acting in the clients’ best interests.

Although scams and cyber attacks evolve over time, there are consistent approaches that you can make your clients aware of, including:

Phishing

Phishing is the practice of sending fraudulent communications that appear to come from a reputable source, generally through email. The visual identify of Australia’s big four banks, Australia Post and the Australian Tax Office have all been used in phishing scams in recent years.

The goal is to steal sensitive data – credit card or login information, tax file number or details to establish identity for identity theft. It’s also commonly used to install malware on the victim’s computer. Phishing is an increasingly sophisticated and common cyberthreat.

To avoid a phishing attack, advise your clients to:

  • Be suspicious of emails received from trusted entities such as their bank, particularly if they don’t personally address the client (most real emails will, phishing attacks generally won’t)
  • Likewise, be suspicious of calls purporting to be from well known organisations wanting login details, personal data or access to their computer
  • If an email contains a link, it should not be clicked – instead, the client should visit the business’s website directly to see if there is something that requires attention
  • Check the email address of the sender – often it is masked by an official looking address, but behind that is something very different
  • Look out for common phishing language such as ‘Verify your account’

Importantly, remind your clients that a legitimate business will not send them an email to request personal information or inform them of suspicious activity on their account.

Malware

Malware is a term used to describe malicious software. This might include spyware, ransomware or viruses. Malware generally infiltrates when a user clicks a link or email attachment which then installs the malicious software. Once inside the system, malware can do several things, including:

  • Block access to information or the operating system – known as ransomware, this has been on the rise, with perpetrators demanding payment, usually in bitcoin, to release the system and/or files
  • Install harmful software that can destroy documents and information
  • Install spyware, which covertly obtains information by transmitting data (such as banking login details) from the hard drive.

Identity crime

According to the Australian Criminal Intelligence Commission, identity crime is a key enabler for serious and organised crime groups. Identity crime generally involves the theft of personal identity information or financial information. This this might include bills, bank statements, tax file numbers or license information, whether via hard copy or email.

Criminals then assume the false identity for a range of fraudulent purposes such as:

  • Applying for credit in the false identity and rack up debt in another’s name
  • Producing false identity papers and financial documents to enable other crimes
  • Establishing business structures and companies to facilitate other crimes such as money laundering or insider trading
  • Undertaking national or international travel without being identified or traced by law enforcement agencies.

Investment scams

Although you’d hope your clients wouldn’t fall for an investment scam, the sheer volume of money lost each year suggests it might happen. Forewarned is forearmed, and ensuring your clients are aware of the tactics used may well protect them.

According to the ACCC’s Scamwatch, common types of investment scam include:

  • Investment cold calls – a caller purporting to be a stockbroker or other investment adviser calls with (usually) a low risk, high return investment offer
  • Share promotions – calls offering fabulous opportunities to get into local and overseas shares that are about to take off
  • Investment seminars – often costly and yield little
  • Superannuation schemes – sometimes offering ‘no-fail’ SMSF advice, early access or a free assessment.

ASIC’s MoneySmart website has a list of companies to avoid dealing with, which is continuously added to – a blog post about avoiding investment scams could included a link to this list. [link to: https://www.moneysmart.gov.au/scams/companies-you-should-not-deal-with]

Romance scams

Second only to investment scams in terms of money lost in 2018, this is something that has caught up a large number of older Australians, particularly those who have found themselves single in their later years. Scammers take advantage of people looking for romantic partners, often via dating websites or apps by pretending to be prospective companions. They play on emotional triggers to get their victim to provide money, gifts or personal details. They often have a hard luck story to gain sympathy and financial support – someone close needing lifesaving surgery is the top of the list.

Staying safe on the move

One of the most common attacks on smartphones occurs through mobile apps rather than mobile web browsers and increasingly, through SMS attacks. Because so many people use their phones to manage financial operations or handle sensitive data outside the security of their home network, this can become a significant risk. Encourage your clients not to login to their banking or transact using public wi-fi and be sceptical of in-app competitions and surveys that request personal information.

Useful tips

Other useful tips for your clients (and business)

  • Suggest your clients regularly check that their email address hasn’t been compromised. The site Have I been pwned [link to: https://haveibeenpwned.com/] – this will let you know if your email address has been compromised. If so, it’s advisable to change the password immediately
  • Use strong passwords and avoid using the common ones described earlier in this article; a strong password will contain a mix of characters, alphanumeric and symbols, not using real words and mixing up capitals and lowercase letters
  • Don’t click on links whether via SMS or email; mobile devices are used so often for banking and other financial transactions; the wrong click could expose sensitive information to the wrong people
  • Secure paper-based information – identity theft is increasing and can come about through theft from letter boxes, bins and recycling. Encourage your clients to shred old bills and statements before throwing out and keep the letter box locked. In the home or office, information that could be useful to a thief should be kept locked up.

Case study

There is a strong link between protecting your clients’ data and ethics. Failure to protect data, one of your clients’ most important assets, can have disastrous results – for both the client and your business. While new threats continually emerge, a solid plan to protect data is acting in your clients’ best interests. Failing to protect their data is not.

 

 

Case study – email fraud

SA Financial Planning (SAFP), an Adelaide-based practice had six financial advisers, two para-planners and four administrative staff. The office was staffed by the four admin staff and two para-planners during business hours, with the others partly working in the office and partly on the road visiting clients.

Their IT was outsourced to Kingdom IT, a small local business with three employees. Kingdom had built SAFP’s network and set up anti-virus software on the desktop computers in the office, as well as the laptops used by the advisers. Although there was a network, the firewalls established were not particularly robust and Hugh, one of the financial advisers, had his email system hacked.

From here, the hacker emailed everyone in Hugh’s address book, primarily clients, with an investment offer that seemed too good to be true…but because it came from a trusted source and was a limited time offer, quite a few of his clients acted.

The email was sent out after business hours on a Tuesday and Hugh did not become aware of it until he received a call from a client late morning on Wednesday. The client queried why the bank account details included in the email were different to those he’d used previously.

Hugh panicked. He had no idea what the client was talking about. Hugh asked the client to forward him the email so he could see what had been sent out. He tried to recall the emails and wasted time trying to figure out where the email had come from.

It was some hours before Hugh spoke to his partners, by which time more clients had signed up – and paid for – shares in the investment opportunity. By 3.00pm, all team members were on the phone, contacting Hugh’s clients.

In all, 65 clients lost an average of $50,000 each, over $3 million in total. Although the group was able to stop any further clients from acting on the email, Hugh’s slow response meant many more clients lost money and highlighted the firm’s lack of incident response plan.

Although being hacked may well have been out of Hugh’s control – the firm had sought to protect themselves from cybercrime – his response was not. Would he have been in breach of FASEA ethical standards by not acting more quickly to mitigate the email’s damage?

A case could be made that he was in breach of S2.

 

 

Financial advice businesses are responsible for collecting and managing a lot of data and sensitive information. It’s not unreasonable to expect to be the subject of a cyberattack at some time. The important thing is to assess your business risk and prepare an appropriate defence.

You need to understand where privacy risks lie within your business, to address the human and cyber elements that could contribute to a data breach and prevent or minimise harm to your clients. Failure to do so could reasonably be seen as a failure to act in your clients’ best interest.

Naturally, prevention is better than cure. While you may not be able to prepare a defence for every eventuality in the fast evolving world of cybercrime, a reasonable effort to mitigate the risk is much better preparation that hoping it won’t happen to you. Because, according to the statistics, it probably will.

Need some help with your cyber security?

The federal government is offering small businesses (those with less than 19 staff) the opportunity to apply for up to $2,100 in funding to help get their cyber security tested. The government has committed $10 million to the grant scheme, designed to address digital security shortcomings among small firms.

Applications are open until 30 June 2020, or until the funding is committed. The grants will cover half the cost of a cyber security health check, which will be run by approved Council of Registered Ethical Security Testers (CREST) service providers.

More information.

 

Take the quiz to earn 0.5 CPD hours:

 

———

[1] ACCC, Targeting Scams, May 2019
[2] https://www.scamwatch.gov.au/about-scamwatch/scam-statistics
[3] https://au.finance.yahoo.com/news/warren-buffett-cyber-attacks-131445079.html
[4] Notifiable Data Breaches Scheme 12‑month Insights Report, April 2019
[5] https://asic.gov.au/regulatory-resources/digital-transformation/cyber-resilience/cyber-resilience-good-practices/

2 comments

  • Lindon Turnbull says:

    A good article, but was hoping to earn points in “Ethics”
    Any chance you can do some articles with Ethics points?

  • Brian Chapman says:

    Agreed!

You must be logged in to post or view comments.