CPD: Cyber risk – governance implications for Australian financial advisers

From

Cyber resilience involves elements of risk management, consumer protection, and regulatory compliance.

A cautionary tale….

Imagine, just briefly, a small financial planning practice in Australia. And imagine that firm was infiltrated by an invisible cybercriminal, possibly from overseas, who gained unauthorised access to that firm’s network server, containing highly sensitive personal information on their clients, including account details, passwords, tax file numbers. Imagine, further, that cybercriminal spent close to a full week logged on to those servers, and for three months, nobody even realised it had happened.

Unfortunately, this tale isn’t an imaginary one, it actually happened. And the incredible risks that the firm and its clients were exposed to, and the subsequent penalties sought by ASIC, demonstrate why cyber risks represent one of the most critical governance issues facing financial advisory firms today.

Failing to protect your customers’ data can ruin their lives and your business

The client/adviser relationship is built on trust; clients will share information and insights into their lives (including financial, medical and relationship information) which puts advisers in a unique position, more so than other professionals. Clients entrust financial advisers with more than their wealth, they entrust their dreams, their futures. The existence of penalties, like the example above, for not adequately protecting client data is a direct reflection of the extremely serious consequences that data loss can have. From relatively orthodox financial theft (where funds may not ever be recovered) to the more insidious identity theft (where someone’s lives are essentially hijacked), it is no exaggeration to say that data loss that leads to cybercrime can ruin lives.

Consumers understand this and hold companies responsible for data security. And they are likely to abandon a business entirely, and take legal action, if they suffer a data breach – regardless of whether it leads to any personal loss – according to a study by Global cybersecurity firm Gemalto[1]. Their Customer Loyalty 2018 Report found Australian consumers are more likely than their global counterparts to walk away from a company (retail, financial, healthcare) that experiences a breach, with over two-thirds (70 per cent) admitting they would look elsewhere if financial and sensitive information such as card details and bank accounts were stolen. Over half (55 per cent) admitted they would also walk if passwords alone were stolen.

Case study: identity theft in Australia – up to $10m stolen

In late 2019, the Australian Federal Police revealed that up to $10 million of dollars had been stolen from personal superannuation and share trading accounts using hijacked identity credentials. A criminal syndicate used stolen identity information acquired on the dark net, as well as single use SIM cards and fake email accounts, to commit identity takeover before siphoning money from the accounts.

These identities, fraudulently created to mimic real individuals who unknowingly had their identities compromised, were then used to open bank accounts at various Australian banking institutions.
Once the false identities and accounts were established, the syndicate committed cybercrime offences to illegally steal money from the superannuation accounts of these victims, and from their share-trading accounts in ASX-listed companies.

The syndicate also allegedly laundered the stolen funds overseas to buy jewellery and other “untraceable assets”, before transferring the money back to Australia through cryptocurrencies.[2]

Cyberspace can be a dangerous place

Our increasingly digitalised, interconnected world is one in which technology continues to deliver significant benefits to businesses, allowing them to improve their customer experience whilst at the same driving meaningful efficiencies. The trend towards increased digital/online interactions between consumers and businesses was already well underway before Covid 19 turbocharged it, and it is remarkable to think how quickly zoom calls and online shopping have become a normal part of life for many of us.

But not every aspect of this digital nirvana is positive.

Criminals are still trying to steal things from businesses and individuals – money, secrets, data, reputations. However, unlike the thieves of yesteryear, who often relied on brute force to break into your premises, leaving a visible trail of damage to be cleaned up, today’s cybercriminals are much smarter and far more efficient, able to take more from your business in much less time. Even scarier, they are invisible, often out of arm’s reach, and in many cases, you won’t even know a crime has happened, until it’s too late.

The scale and scope of cybercrime

Cybercrime is one of the most pervasive threats facing Australia, and one of the most significant threats in terms of overall volume and impact to individuals and businesses. While the true cost of cybercrime to the Australian economy is difficult to quantify, industry estimates have previously placed cyber security incidents as high as $29 billion annually[3].

Australia’s relative wealth, high levels of online connectivity and increasing delivery of services through online channels make us very attractive and profitable for cybercriminals from around the globe.

Indeed, according to the Department of Foreign Affairs[4], the vast majority of cybercrime targeting Australia originates overseas. Cybercrime is a global threat, but our region is particularly vulnerable. Countries in our region lose a third more business revenue to cybercrime than those in the European Union or North America.

Well known cybercrime hubs include Russia (regarded as the most sophisticated), China, and Brazil, meaning perpetrators are usually well beyond the reach of Australian authorities.

Bank accounts, email systems and business devices, including computers and mobile phones, are just a few of the critical business assets that face compromise from malicious cyber activities, ranging from denial of service (DNS) attacks to malware, ransomware, phishing, social engineering and other more sophisticated (and harder to detect) incursions.

The increase in remote working, in response to Covid 19, has seen an explosion in the use of videoconferencing and use of personal technology to access business systems, ramping up the risk exposure further. And the increased use of networked devices such as digital assistants (Alexa, Google), TVs, fridges, printers and security systems will create even more vulnerabilities in networks.

Alarmingly, a recent survey[5] of businesses by the Australian Cyber Security Centre found that half of sole trader/microbusinesses – and a staggering three quarters of small to medium sized businesses – had suffered a suffered a cyber incident at some point.

The costs – both direct and indirect – to an individual business can be debilitating.

According to the Australian Government’s ‘Stay Smart Online’ initiative[6]:

  • The average cost of a cybercrime attack to a business is $276, 323
  • 53% of that cost is in detection and recovery
  • The average time to resolve an attack is 23 days (51 days if the attack is by a malicious insider/employee)
  • Indirect costs include business disruption, data loss, revenue loss and productivity loss.

The financial sector is particularly vulnerable

The nature of the cyber threat, and its potential consequences, is magnified within the financial sector. Indeed, the Australian Government’s June 2020 report[7] on notifiable data breaches revealed the finance sector to be second only to the health sector in reporting major breaches.

And Covid seems to have further increased the attraction of the sector to cyber criminals. Cyber risk specialists McAfee reported[8] that attacks targeting the financial sector globally had increased by around 32% in just one quarter (Q4 2019 to Q1 2020).

Australian financial services businesses are key targets for data breaches, as the client, staff and commercial records held (including account details, tax and payroll data, passwords and other sensitive personal information) can be used to commit a variety of crimes, including tax fraud, identity theft and superannuation related frauds. (The superannuation early release scheme introduced during Covid coincided with a 323% increase in superannuation scams[9] reported to the ACCC in the year ended October 2020).

Little wonder then, that both ASIC and APRA call out cyber risk management – ‘cyber resilience’ – as key priorities for monitoring and supervision.

A regulatory perspective

One of the challenges we face when controlling cybercrime within the financial sector is the interconnectedness of the financial market ecosystem.

As APRA Executive Board member Geoff Summerhayes observed when launching the APRA Cyber Security Strategy last year[10]: “At the heart of the new strategy is recognition that the Australian financial system is an ecosystem of an estimated 17,000 interconnected financial entities, markets, and financial market infrastructures that provide products and services to consumers. APRA only directly supervises around 680 of these, yet we know that a cyber breach in any part of the system – such as an insurance broker, a credit ratings agency, an IT service provider or ATM repair service – can have a cascading impact on the whole system”

APRA’s Cyber Security Strategy will see them apply a broader set of regulatory tools and techniques to cyber, acting in concert with peer regulators and other government agencies, and imposing greater accountability on entities that fail to adequately comply with their prudential obligations.

ASIC, themselves the victim of a cyberattack in January this year[11], state their goal[12] as being to ‘improve the cyber resilience of all entities operating in Australia’s financial markets’, and has made available a series of resources to assist in this regard (these will be explored in more detail below).

Financial advisers are particularly at risk

Financial advisers and financial advice practices are at heightened risk of cyber-attacks for a number of reasons:

  • The financial sector itself is disproportionately attractive to cyber criminals because of the data handled and online services provided (especially those using platforms and transacting on behalf of their clients).
  • Many advisers operate in small businesses, who lack the financial resources, knowledge, and IT capabilities to make cyber security a priority.

Advisers’ cyber obligations

In addition to broad Corporations Act and consumer protection requirements to act in a client’s best interests, and have the technology and skills to ensure compliance with law, Financial Advisers have a number of specific legal and ethical obligations relevant when considering cyber risk issues, including:

  • Data privacy obligations under the National Privacy Principles
  • Mandatory reporting of data breaches to the OAIC (for businesses over a specified turnover threshold)
  • Obligations under the Anti Money Laundering Act around collecting and verifying customer identity information and asset ownership
  • Rules which may apply if a client is transacting whilst overseas (for example the European Union’s General Dara Protection Regulations)
  • Indirect/internal obligations such as contractually agreed customer service standards

Not following guidelines and laws leaves planners open to fines, penalties, enforceable undertakings, licensing conditions, licence suspension or even cancellation. ASIC’s determination to act on these matters was reinforced recently when they took a high profile AFSL to court, as explained below.

Case study: ASIC takes AFSL holder to court over poor cyber security

In August 2020, ASIC took a well-known financial advice group to court, for their alleged failure to have adequate cybersecurity systems in place for its almost 300 financial planners, thereby breaching provisions of the Corporations Act.  The Australian Financial Review[13] reported ASIC as seeking a court-imposed penalty against the group and compliance orders that it implement better systems.

The incidents prompting the ASIC action – and a potential penalty of up to $12 million – included a ransomware attack in late December 2016 against one of the group’s member practices, which hacked an office computer, encrypting files and making them inaccessible. A number of other practices within the group also suffered cyber-attacks between 2016 and 2018.

(At the time of publishing this article, the ultimate outcome of the ASIC action wasn’t publicly known).

ASIC and cyber resilience

In March 2015, ASIC released report 429, which highlighted the importance of cyber resilience for entities regulated by ASIC[14], including Australian Financial Services Licence holders, Australian Credit Licence holders and listed entities. In that report, they set out

the measures they believed regulated entities should already have implemented, in order to meet their compliance obligations relating to privacy of stored data and cybersecurity generally.

Subsequent to that report, they have issued reports 555 and 651, representing periodic updates on the cyber resilience of the Australian financial sector. (The good news is that it is improving).

Through this work, ASIC has been able to develop and refine a series of questions for financial firms to ask themselves about their cyber health, including:

  • Are the board and senior management aware of cyber risks, and the extent to which management has oversight of legal and compliance obligations in relation to cyber security?
  • Have they assessed what information and business assets are essential to the operation of the business, and how such operational assets are protected and valued?
  • Are they exposed to cyber risk from third party providers, and aware of how such risks may be minimised?
  • To what extent does cybersecurity form part of their risk management procedures, and what level of awareness of cyber risk exists in the business generally?
  • Do they have effective detection, response and recovery systems in place in the event of a cyber-attack?

ASIC measures and reports on cyber resilience using a framework developed by the US National Institute for Standards and Technology (NIST). The framework sets out 5 core functions for cyber resilience procedures:

  1. Identify
    Identification of the firm’s most critical assets and data, and an understanding of potential areas of exposure to cyber risks across the business (including third party suppliers such as platforms and cloud service providers).
  2. Protect
    The protect function involves preventative measures aimed at minimising opportunities for cybersecurity events to occur. Examples include user access management, training and awareness programs, mandatory security requirements for third party providers, and data protection policies and procedures.
  3. Detect
    Monitoring and time to detection of a cybersecurity event is critical to the success of a response and recovery strategy. If a cybersecurity intrusion is not detected early, it may operate undetected and access sensitive information and/or cause damage to an organisation’s internal assets. Firms should put in place the technology, procedures and resources to detect a breach. This may include baselining normal operations so that anomalies may be detected (for instance a spike in online posting or transactions).
  4. Respond
    Businesses should have a response plan which addresses the roles of internal and external stakeholders, communication to impacted persons (staff, customers, suppliers), how events may be contained or mitigated and a method of analysing the breach to determine its extent and cause.
  5. Recover
    Businesses should have a plan which works towards timely reinstatement of systems and services impacted by a cybersecurity event, and ensures lessons are learned and applied so that overall cyber resilience can be improved. Cyber risk insurance could be one mechanism that allows the business to recover with minimal disruption.

The future of financial advice is dependent on cyber resilience

Cyber resilience isn’t something you can outsource. Even if you are part of a larger licensee, ultimate responsibility for protecting your client’s data and your business assets rests with you. But whilst this article makes it clear why advisers need to be across the practicalities of cyber risk management within their business, there is a bigger issue at stake – the very future of the advice profession.

It may seem like a big call, but if the advice profession is to address the constant elephant in the room – the challenge of making advice more affordable and accessible – then the role of technology in streamlining processes, improving the customer experience and driving efficiency, is critical. A future where health records, tax records and other highly sensitive information is accessible to financial advisers – in the way accountants and tax agents can access the ATO portal right now – could be a game changer for the advice profession in terms of financial dynamics, consumer experience and public reputation.

But with that comes new levels of cyber exposure. And to the extent that building cyber resilience involves elements of risk management, consumer protection, and regulatory compliance, it is undoubtedly one of the most crucial governance challenges advisers and advice firms of all sizes.

Take the quiz to earn 0.5 CPD hour:

 

 

———-

References:
[1] https://www.cmo.com.au/article/650497/report-consumers-prepared-walk-away-due-data-breaches/
[2] Source: itnews.com.au, ‘Cybercrime fraud hits superannuation, share accounts’ July 2019.
[3] https://www.cmo.com.au/article/650497/report-consumers-prepared-walk-away-due-data-breaches/
[4] Australian Cyber Security Centre, Annual Cyber Threat Report, July 2019 to June 2020, Australian Government.
[5] https://www.dfat.gov.au/publications/international-relations/international-cyber-engagement-strategy/aices/chapters/part_3_cybercrime.html
[6] Stay Smart Online, The cost of cybercrime to Australia, https://www.communications.gov.au/sites/default/files/Cost%20of%20cybercrime_INFOGRAPHIC_WEB_published_08102015.pdf
[7] https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-january-june-2020/
[8] McAfee Labs Covid 19 Threats Report, July 2020.
[9] https://www.moneymanagement.com.au/news/superannuation/323-increase-super-scam-reports
[10]https://www.apra.gov.au/news-and-publications/executive-board-member-geoff-summerhayes-speech-to-financial-services
[11]https://www.moneymanagement.com.au/news/policy-regulation/asic-hit-cyber-attack
[12]https://asic.gov.au/regulatory-resources/digital-transformation/cyber-resilience/
[13] https://www.afr.com/companies/financial-services/ioof-hit-with-lawsuit-alleging-cybersecurity-failure-20200821-p55o27
[14] https://asic.gov.au/regulatory-resources/find-a-document/reports/rep-429-cyber-resilience-health-check/

You must be logged in to post or view comments.