<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:wfw="http://wellformedweb.org/CommentAPI/"
     xmlns:dc="http://purl.org/dc/elements/1.1/"
     xmlns:atom="http://www.w3.org/2005/Atom"
     xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
     xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
    >
    <channel>
        <title>Helen Rofe Archives - AdviserVoice</title>
        <atom:link href="https://www.adviservoice.com.au/tag/helen-rofe/feed/" rel="self" type="application/rss+xml" />
        <link>https://www.adviservoice.com.au/tag/helen-rofe/</link>
        <description>Financial planner information &#38; financial planner education/CPD - AdviserVoice</description>
        <lastBuildDate>Thu, 04 Jun 2026 21:30:42 +0000</lastBuildDate>
        <language>en-US</language>
        <sy:updatePeriod>hourly</sy:updatePeriod>
        <sy:updateFrequency>1</sy:updateFrequency>
        <generator>https://wordpress.org/?v=7.0</generator>
                    <item>
                <title>4 cyber developments advisers must understand and respond to – a practical guide</title>
                <link>https://www.adviservoice.com.au/2023/01/cpd-4-cyber-developments-advisers-must-understand-and-respond-to-a-practical-guide-2/</link>
                <comments>https://www.adviservoice.com.au/2023/01/cpd-4-cyber-developments-advisers-must-understand-and-respond-to-a-practical-guide-2/#respond</comments>
                <pubDate>Tue, 24 Jan 2023 20:55:03 +0000</pubDate>
                <dc:creator>
                                    </dc:creator>
                		<category><![CDATA[Best Practice]]></category>
		<category><![CDATA[Helen Rofe]]></category>
                <guid isPermaLink="false">https://www.adviservoice.com.au/?p=86903</guid>
                                    <description><![CDATA[<div id="attachment_86905" style="width: 660px" class="wp-caption alignleft"><img fetchpriority="high" decoding="async" aria-describedby="caption-attachment-86905" class="size-full wp-image-86905" src="https://www.adviservoice.com.au/wp-content/uploads/2023/01/cyber-650.png" alt="" width="650" height="350" srcset="https://www.adviservoice.com.au/wp-content/uploads/2023/01/cyber-650.png 650w, https://www.adviservoice.com.au/wp-content/uploads/2023/01/cyber-650-300x162.png 300w" sizes="(max-width: 650px) 100vw, 650px" /><p id="caption-attachment-86905" class="wp-caption-text">There are practical steps advisers can take to better secure their clients’ data.</p></div>
<h3>2022 will be remembered as a watershed year on many fronts, not least as the year when the pervasiveness, complexity, and disruptive power of cybercrime rose to prominence. But, while for many people, the Medibank and Optus incidents are – deservedly – the events that will stay in the memory the longest, for financial advisers, 2022 should be seen as the year in which the cyber risk landscape saw four major developments unfold:</h3>
<ul>
<li>ASIC concluded its cases against RI Advice and set out its expectations for how advisers should protect their clients’ data from cyber crime and privacy breaches</li>
<li>the Medibank and Optus incidents heightened regulator focus on cyber crime, and made clients more alert to the risks and devastating consequences of their data being compromised</li>
<li>courtesy of a report by the Actuaries Institute, the spotlight was shone on evolving challenges in the cyber insurance market, and</li>
<li>the passing of legislation locking in a massive increase in penalties and stricter reporting requirements for customer data breaches (criminal or otherwise).</li>
</ul>
<p>These developments will continue to have major ramifications for advisers and the way they serve their clients, protect their data and manage the sustainability of their practice. In this article, we will examine these developments in more detail, and explore the practical steps advisers can take to better secure their clients’ data.</p>
<h2>ASIC v RI Advice, what all advisers must learn</h2>
<p>In what is believed to be the first legal judgement relating to the cyber security obligations of financial firms, the Federal Court of Australia ruled against RI Advice in May 2022<sup>[1]</sup>, finding they had breached the law by failing to protect against nine cyberattacks that put confidential client data at risk.</p>
<p>In the view of Justice Helen Rofe, RI Advice (owned by ANZ at the time most of the incidents occurred) had breached its licence obligations and contravened the Corporations Act, failing to provide services “efficiently and fairly”<sup>[2]</sup>.</p>
<p>While the court ordered the defendant to pay $750,000 to cover ASIC’s legal costs, it opted not to impose a penalty against RI Advice (a penalty in the millions would have been permitted under existing rules).</p>
<p>Instead, it ordered RI Advice to engage a specialist cyber security firm to review the firm’s risk management protocols relating to cyber security and cyber resilience, and to report its findings back to the regulator within 30 days.</p>
<p>There are a few key lessons the case provides for financial advisers.</p>
<p>Firstly, the regulator takes this seriously, and the financial penalties can be harsh enough to cripple a business (and, as we will explain below, they have recently been made even harsher).</p>
<p>Secondly, the actual details of the nine incidents should provide a real wake-up call about just how much damage can be done by cyber criminals. These incidents, which took place over a seven-year period from 2014, included payment fraud, business email compromise, and a ransomware attack where one practice had its files encrypted and made inaccessible. But perhaps the most disturbing incident was a brute force attack by a malicious actor that gave them access to the file server of an authorised representative, and which went undetected from December 2017 to April 2018<sup>[3]</sup>.</p>
<p>Thirdly, and perhaps most importantly, while this case put RI Advice under the spotlight, the reality is that no practice and no business is immune from attack, and putting in place processes and controls to mitigate the risks is no longer a ‘nice to have’. As one cyber security expert told a gathering of licensees, most advice practices can be hacked within half an hour<sup>[4]</sup>.</p>
<h2>Medibank and Optus have done us all a favour</h2>
<p>The Medibank and Optus data breaches made front page news for weeks. The scale of these incidents, and the attention they garnered, probably did a better job of raising awareness of the disruptive powers of cyber crime than anything that had come before.</p>
<p>Thousands of individuals felt violated and rushed to change their bank details and get new passports. State governments around the country were forced to introduce special measures for those seeking to change their driver&#8217;s licence numbers after their existing details had been published all over the dark web.</p>
<p>Some experts have predicted that Medibank alone will face a damages bill of around $1 billion<sup>[5]</sup>, including the likely class action on behalf of customers, and the brand damage done to both them and Optus will likely be harder to recover from.</p>
<p>Many advisers will likely have felt the immediate ramifications of these events, as clients updated their details, or sought assurances about the processes in place to protect their own data.</p>
<p>The National Seniors articulated what many advice clients were probably thinking when they posed the question “is your financial adviser risking your cyber security?”<sup>[6]</sup>.</p>
<p>One thing is certain: clients are likely to be more cyber-risk aware. And with research<sup>[7]</sup> suggesting that around two-thirds of clients would walk away from a trusted service provider if their data were exposed, robust data protection procedures could actually become a competitive differentiator for advisers.</p>
<h2>Actuaries reveal cyber insurance gaps</h2>
<p>FY 21 data from the Australian Cyber Security Centre suggests cyber attacks cost the Australian economy over $33 billion per year, and are reported at the rate of one every eight minutes<sup>[8]</sup>. Within this context, the need for appropriate insurance is obvious. And yet, according to research released by the Actuaries Institute in late 2022, the cyber insurance market is characterised by massive gaps and fundamental misunderstanding.</p>
<p>The Institute’s new green paper<sup>[9]</sup> <em>Cyber Risk and the Role of Insurance</em> analyses the vulnerability of organisations and the role of insurance in setting best practice standards for cyber resilience.</p>
<p>Among their research findings was the fact that only 20% of small to medium enterprises (SMEs) held cyber insurance, despite accounting for three-quarters of all ransomware attacks.</p>
<p>The research also estimated that around 50% of SMEs were spending less than $500 per year on cybersecurity protections.</p>
<p>The other gap alluded to in the paper is the capacity gap emerging in the market.</p>
<p>Around the world, the explosion of ransomware, coupled with increased fines and tightening privacy legislation, has made cyber insurance a loss-making proposition: some insurers have walked away, while those who remain are hiking premiums. So steep have the increases been that some organisations are baulking at the cost and choosing to self-insure (a decision Medibank no doubt regrets<sup>[10]</sup>).</p>
<p>As we will discuss below, the trends playing out here have practical implications for financial advisers.</p>
<h2>Government introduces massive new privacy penalties</h2>
<p>Spurred on by the Optus and Medibank breaches, December 2022 saw the passing of legislation giving rise to massive new privacy penalties and greater powers for authorities to resolve privacy breaches and quickly share data about those breaches<sup>[11]</sup>.</p>
<p>The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 increased the maximum penalties for serious privacy breaches from the previous $2.2 million to the greater of:</p>
<ul>
<li>$50 million</li>
<li>three times the value of any benefit obtained through the misuse of information, or</li>
<li>30 per cent of a company’s adjusted turnover in the relevant period.</li>
</ul>
<p>The eye-watering scale of these penalties should leave no business in doubt as to how seriously they must take cyber security.</p>
<h2>Why are financial advice practices at heightened risk?</h2>
<p>Financial advice practices are attractive targets for cyber criminals on a number of fronts:</p>
<ul>
<li>due to the deeply sensitive (financial and health) data held and access to large financial sums, the financial sector overall is a frequently targeted sector, accounting for around one-third of all attacks.</li>
<li>the fragmentation of the advice landscape and the proliferation of small, self-licensed practices means many advice businesses are too small to have dedicated IT resources and cyber expertise, making them softer targets.</li>
<li>the economics of a modern advice practice is forcing an increased reliance on third-party technology providers, including video meeting platforms and other cloud-based applications. As a service-based business, financial advice also lends itself to higher-than-average rates of remote working, increasing the number of exposure points.</li>
</ul>
<h2>Practical steps to protect your clients’ data and privacy</h2>
<p>There are three categories of steps advisers can take to secure their clients’ data:</p>
<ul>
<li>introduce first-line defence processes and protocols to minimise the risks,</li>
<li>educate staff and customers on how to be more cyber secure, and</li>
<li>have a recovery plan, including cyber insurance, for when an attack gets through the defences.</li>
</ul>
<h2>Processes and protocols</h2>
<p>One of the most basic but powerful steps one can take is around passwords. Weak passwords (names and numbers), and the use of the same password across multiple platforms make a hacker’s job easy.</p>
<p>Three easy steps here are:</p>
<ul>
<li>use a password manager to generate and store complex, hard-to-guess passwords,</li>
<li>turn on multi-factor authentication across all platforms that offer it. This means that, in addition to a password, a further proof of identity is required, such as a code sent to the registered user by email or text, and</li>
<li>avoid unsecured networks, especially if working remotely.</li>
</ul>
<p>Email remains one of the greatest points of vulnerability. Emails can be easily intercepted, allowing access to any sensitive data they might contain, and creating the opportunity for crimes such as invoice fraud (where you are sent a genuine-looking invoice, and the payee details have been changed ever so slightly, resulting in payments being sent to criminals rather than legitimate recipients).</p>
<p>As financial adviser Adele Martin told Professional Planner, there are several flaws when it comes to using email as a communication vehicle.</p>
<p>“If a client requests a withdrawal, how do you know if it’s coming from the client? It’s so open to being hacked and there have been numerous examples of where emails have been hacked for advisers.”<sup>[12]</sup></p>
<p>Martin is one of many experts who believe that sensitive communication with clients should instead be done via a secure portal.</p>
<p>Whilst it is recognised that the use of portals and multi-factor authentication introduces a small element of inconvenience for clients, the majority are likely to understand and even appreciate the fact that these processes are helping protect them and their data.</p>
<p>Another step advisers are encouraged to take is to use cloud-based storage and software rather than local storage. A secure cloud-based workflow is not only more efficient and secure but also allows quicker recovery from an incident, and it means small businesses can benefit from the millions that major cloud providers invest in securing their systems.</p>
<p>When using a cloud-based service, it is important to check where the data will be stored. Storing data in Australian-based data centres not only ensures that it falls under Australian legislative protections, but also that these protections can be enforced in case of a breach.</p>
<p>Practices should also review their backup strategy. A report by Business Health found that while 93 per cent of Australian advisers now back up their critical data daily or in real time, around one-third said they haven’t tested these backups in at least six months<sup>[13]</sup>.</p>
<h2>Educating staff and clients</h2>
<p>A chain is only as strong as its weakest link. The most secure processes will only be effective if they are followed by everyone in your team, which is why cyber security training for your staff should be a given. Topics to cover in that training might include:</p>
<ul>
<li>practice protocols around password creation and storage</li>
<li>secure use of mobile devices and hardware</li>
<li>how to identify phishing and other scams</li>
<li>use of spam filters and anti-virus software</li>
<li>knowledge testing.</li>
</ul>
<p>Refresher training should also be held on a regular basis to ensure staff are kept up to date with the latest developments and cyber threats.</p>
<p>Human error continues to play a significant role in cyber incidents, accounting for approximately 30% of loss payouts under cyber insurance globally<sup>[14]</sup>, and insurers place great importance on staff cyber training when assessing any application for cover.</p>
<p>As for clients, educating them about the processes they need to follow when interacting with you or their portfolios, and about the steps your practice is taking more generally to secure their data, will almost certainly be well received and will help you stand out as someone who is protecting their interests.</p>
<h2>Cyber insurance</h2>
<p>Despite the rising cost, cyber insurance shouldn’t really be considered optional, especially for smaller practices for whom the impact of a cyber attack may feel proportionately greater than for larger businesses.</p>
<p>Crucially, whereas cyber was once included as an extension within existing policies (such as business interruption or professional indemnity), this is no longer the case, and the only way cyber coverage can be obtained is through specialised, dedicated policies.</p>
<p>There are several factors to be aware of when seeking cyber coverage.</p>
<p>Firstly, not all policies are the same in terms of the breadth of their coverage, and advisers will need to decide which of the following types of protection they need:</p>
<ul>
<li>data confidentiality breaches – covering costs associated with restoring systems and data, incident management and notification costs, and regulatory, legal and compensation costs</li>
<li>network security liability – covering legal and defence costs together with compensation to third parties who incur losses because of a cyber attack against you</li>
<li>communication and media liability</li>
<li>technology disruptions – business interruption coverage together with technology restoration costs (for example you will likely want to throw all compromised laptops in the bin!)</li>
<li>cyber extortion – covers costs of restoring data, hardware and software compromised due to a ransomware attack</li>
<li>cyber fraud and theft – covering financial losses where assets are stolen due to a cyber incident.</li>
</ul>
<p>A common trap when seeking cover is that not all policies cover incidents emanating from third-party suppliers, so it is important to check, as this can be an area of significant exposure.</p>
<p>Whilst every business is different, specialists in this area suggest that $500,000 should be considered the bare minimum amount of coverage sought, but that $1 million is likely to be more appropriate<sup>[15]</sup>.</p>
<p>Insurance coverage will be most valuable and effective when it is included as part of an overall recovery plan. Such a plan should address the roles of internal and external stakeholders, communication to impacted persons (staff, customers, suppliers), how events may be contained or mitigated and a method of analysing the breach to determine its extent and cause. The plan should work towards the timely reinstatement of systems and services impacted by a cyber security event and ensure lessons are learned and applied so that overall cyber resilience can be improved.</p>
<p>The Australian Cyber Security Centre offers a number of templates for recovery plans, available for free download from their website<sup>[16]</sup>.</p>
<h2>Summary</h2>
<p>The Medibank and Optus data breaches raised community awareness of the growing presence and disruptive impact of cyber crime and prompted a significant increase in the financial penalties faced by businesses that suffer client data breaches. By its nature, finance is an attractive sector for cybercriminals, and as small business owners in this space, often lacking IT resources, financial advisers – and their clients – are at heightened risk.</p>
<p>In order to meet the expectations of their clients and regulators, and to help ensure the sustainability of their practice, financial advisers and practice owners should take steps to shore up their cyber resilience, including the introduction of cyber security processes and protocols, staff and client education, and holding appropriate types and levels of cyber insurance cover.</p>
<h6>References:<br />
[1] <a href="https://www.afr.com/companies/financial-services/insignia-wealth-firm-failed-to-fend-off-cybercrime-court-finds-20220505-p5aite">https://www.afr.com/companies/financial-services/insignia-wealth-firm-failed-to-fend-off-cybercrime-court-finds-20220505-p5aite</a><br />
[2] Ibid.<br />
[3] <a href="https://www.digitalnationaus.com.au/news/asic-v-ri-advice-ruling-sets-new-precedent-for-cybersecurity-accountability-579864">https://www.digitalnationaus.com.au/news/asic-v-ri-advice-ruling-sets-new-precedent-for-cybersecurity-accountability-579864</a><br />
[4] <a href="https://www.professionalplanner.com.au/2022/06/most-practices-can-be-hacked-in-30-mins-cybersecurity-expert/">https://www.professionalplanner.com.au/2022/06/most-practices-can-be-hacked-in-30-mins-cybersecurity-expert/</a><br />
[5] <a href="https://www.smh.com.au/business/companies/medibank-hackers-release-1500-more-sensitive-medical-records-20221120-p5bzpk.html">https://www.smh.com.au/business/companies/medibank-hackers-release-1500-more-sensitive-medical-records-20221120-p5bzpk.html</a><br />
[6] <a href="https://nationalseniors.com.au/news/latest-in-finance/is-your-financial-adviser-risking-your-cyber-securityquestion">https://nationalseniors.com.au/news/latest-in-finance/is-your-financial-adviser-risking-your-cyber-securityquestion</a><br />
[7] <a href="https://www.adviservoice.com.au/2022/11/advisers-given-new-tools-to-counter-the-rise-in-cyber-attacks/">https://www.adviservoice.com.au/2022/11/advisers-given-new-tools-to-counter-the-rise-in-cyber-attacks/</a><br />
[8] <a href="https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-july-2020-june-2021">https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-july-2020-june-2021</a><br />
[9] <a href="https://actuaries.asn.au/public-policy-and-media/thought-leadership/green-papers/cyber-risk-and-the-role-of-insurance">https://actuaries.asn.au/public-policy-and-media/thought-leadership/green-papers/cyber-risk-and-the-role-of-insurance</a><br />
[10] <a href="https://www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/medibank-cyberattack-exposes-australia-s-resiliency-gap-73507118">https://www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/medibank-cyberattack-exposes-australia-s-resiliency-gap-73507118</a><br />
[11] <a href="https://www.ashurst.com/en/news-and-insights/legal-updates/australias-massive-new-privacy-penalties-become-law-but-will-be-clarified/">https://www.ashurst.com/en/news-and-insights/legal-updates/australias-massive-new-privacy-penalties-become-law-but-will-be-clarified/</a><br />
[12] <a href="https://www.professionalplanner.com.au/2022/08/the-death-of-email-why-advisers-need-to-change-for-security/">https://www.professionalplanner.com.au/2022/08/the-death-of-email-why-advisers-need-to-change-for-security/</a><br />
[13] <a href="https://www.ifa.com.au/opinion/31372-five-simple-ways-to-improve-cyber-security-in-your-advice-practice">https://www.ifa.com.au/opinion/31372-five-simple-ways-to-improve-cyber-security-in-your-advice-practice</a><br />
[14] <a href="https://www.headsure.com.au/insight/cyber-lessons-and-the-billion-dollar-price-of-failure/">https://www.headsure.com.au/insight/cyber-lessons-and-the-billion-dollar-price-of-failure/</a><br />
[15] <a href="https://www.thecybercollective.com.au/understanding-insurance-cover-for-financial-advisers/">https://www.thecybercollective.com.au/understanding-insurance-cover-for-financial-advisers/</a><br />
[16] <a href="https://www.cyber.gov.au/acsc/view-all-content/publications/cyber-incident-response-plan">https://www.cyber.gov.au/acsc/view-all-content/publications/cyber-incident-response-plan</a></h6>
]]></description>
                                            <content:encoded><![CDATA[<div id="attachment_86905" style="width: 660px" class="wp-caption alignleft"><img decoding="async" aria-describedby="caption-attachment-86905" class="size-full wp-image-86905" src="https://www.adviservoice.com.au/wp-content/uploads/2023/01/cyber-650.png" alt="" width="650" height="350" srcset="https://www.adviservoice.com.au/wp-content/uploads/2023/01/cyber-650.png 650w, https://www.adviservoice.com.au/wp-content/uploads/2023/01/cyber-650-300x162.png 300w" sizes="(max-width: 650px) 100vw, 650px" /><p id="caption-attachment-86905" class="wp-caption-text">There are practical steps advisers can take to better secure their client’s data.</p></div>
<h3>2022 will be remembered as a watershed year on many fronts, not least as the year when the pervasiveness, complexity, and disruptive power of cybercrime rose to prominence. But, while for many people, the Medibank and Optus incidents are – deservedly – the events that will stay in the memory the longest, for financial advisers, 2022 should be seen as the year where the cyber risk landscape saw four major developments unfold:</h3>
<ul>
<li>ASIC concluded its cases against RI Advice and set out its expectations for how advisers should protect their client’s data from cyber crime and privacy breaches</li>
<li>the Medibank and Optus incidents heightened regulator focus on cyber crime, and made clients more alert to the risks and devastating consequences of their data being compromised</li>
<li>courtesy of a report by the Actuaries Institute, the spotlight was shone on evolving challenges in the cyber insurance market, and</li>
<li>the passing of legislation locking in a massive increase in penalties and stricter reporting requirements for customer data breaches (criminal or otherwise).</li>
</ul>
<p>These developments will continue to have major ramifications for advisers and the way they serve their clients, protect their data and manage the sustainability of their practice. In this article, we will examine these developments in more detail, and explore the practical steps advisers can take to better secure their clients’ data.</p>
<h2>ASIC v RI Advice, what all advisers must learn</h2>
<p>In what is believed to be the first legal judgement relating to the cyber security obligations of financial firms, the Federal Court of Australia ruled against RI Advice in May 2022<sup>[1]</sup>, finding they had breached the law by failing to protect against nine cyberattacks that put confidential client data at risk.</p>
<p>In the view of Justice Helen Rofe, RI Advice (owned by ANZ at the time most of the incidents occurred) had breached its licence obligations and contravened the Corporations Act, failing to provide services “efficiently and fairly”<sup>[2]</sup>.</p>
<p>While the court ordered the defendant to pay $750,000 to cover ASIC’s legal costs, it opted not to impose a penalty against RI Advice (a penalty in the millions would have been permitted under existing rules).</p>
<p>Instead, it ruled that RI Advice engage a specialist cyber security firm to conduct a review of the firm’s risk management protocols relating to cyber security and cyber resilience, and report their findings back to the regulator within 30 days.</p>
<p>There are a few key lessons the case provides for financial advisers.</p>
<p>Firstly, the regulator takes this seriously, and the financial penalties can be business-cripplingly harsh (and as we will explain below, they have recently been made even harsher).</p>
<p>Secondly, the actual details of the nine incidents should provide a real wake-up call about just how much damage can be done by cyber criminals. These incidents, which took place over a seven-year period from 2014, included payment fraud, business email compromise, and a ransomware attack where one practice had its files encrypted and made inaccessible. But perhaps the most disturbing incident was a brute force attack by a malicious actor that gave them access to the file server of an authorised representative, and which went undetected between December 2017 to April 2018<sup>[3]</sup>.</p>
<p>Thirdly, and perhaps most importantly, while this case put RI Advice under the spotlight, the reality is that no practice and no business is immune from attack, and putting in place processes and controls to mitigate the risks is no longer a ‘nice to have’. As one cyber security expert told a gathering of licensees, most advice practices can be hacked within half an hour<sup>[4]</sup>.</p>
<h2>Medibank and Optus have done us all a favour</h2>
<p>The Medibank and Optus data breaches made front page news for weeks. The scale of these incidents, and the attention they garnered, probably did a better job of raising awareness of the disruptive powers of cyber crime than anything that had come before.</p>
<p>Thousands of individuals felt violated and rushed to change their bank details and get new passports. State governments around the country were forced to introduce special measures for those seeking to change their driver&#8217;s licence numbers after their existing details had been published all over the dark web.</p>
<p>Some experts have predicted that Medibank alone will face a damages bill of around $1 billion<sup>[5]</sup>, including the likely class action on behalf of customers, and the brand damage done to both them and Optus will likely be harder to recover from.</p>
<p>Many advisers will likely have felt the immediate ramifications of these events, as clients updated their details, or sought assurances about the processes in place to protect their own data.</p>
<p>The National Seniors articulated what many advice clients were probably thinking when they posed the question “is your financial adviser risking your cyber security?”<sup>[6]</sup>.</p>
<p>One thing is certain, clients are likely to be more cyber risk aware. And with research<sup>[7]</sup> suggesting around two-thirds of clients would walk away from a trusted service provider if their data was exposed, robust data protection procedures could actually become a competitive differentiator for advisers.</p>
<h2>Actuaries reveal cyber insurance gaps</h2>
<p>FY 21 data from the Australian Cyber Security Centre suggests cyber attacks cost the Australian economy over $33 billion per year, and are reported at the rate of one every eight minutes<sup>[8]</sup>. Within this context, the need for appropriate insurance is obvious. And yet, according to research released by the Actuaries Institute in late 2022, the cyber insurance market is characterised by massive gaps and fundamental misunderstanding.</p>
<p>The Institute’s new green paper<sup>[9]</sup> <em>Cyber Risk and the Role of Insurance</em> analyses the vulnerability of organisations and the role of insurance in setting best practice standards for cyber resilience.</p>
<p>Among their research findings was the fact that only 20% of small to medium enterprises (SMEs) held cyber insurance, despite accounting for three-quarters of all ransomware attacks.</p>
<p>The research also estimated that around 50% of SMEs were spending less than $500 per year on cybersecurity protections.</p>
<p>The other gap alluded to in the paper is the capacity gap emerging in the market.</p>
<p>Around the world, the explosion of ransomware, coupled with increased fines and tightening privacy legislation has seen cyber insurance become a loss-making proposition, seeing some insurers walk away while those who remain are hiking premiums. So steep have the increases been that some organisations are baulking at the cost and choosing to self insure (a decision Medibank no doubt regrets<sup>[10]</sup>).</p>
<p>As we will discuss below, the trends playing out here have practical implications for financial advisers.</p>
<h2>Government introduces massive new privacy penalties</h2>
<p>Spurred on by the Optus and Medibank breaches, December 2022 saw the passing of legislation giving rise to massive new privacy penalties and greater powers for authorities to resolve privacy breaches and quickly share data about those breaches<sup>[11]</sup>.</p>
<p>The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 increased the maximum penalties for serious privacy breaches from the previous $2.2 million to the greater of:</p>
<ul>
<li>$50 million</li>
<li>three times the value of any benefit obtained through the misuse of information, or</li>
<li>30 per cent of a company’s adjusted turnover in the relevant period.</li>
</ul>
<p>The eye-watering scale of these penalties should leave no business in doubt as to how seriously they must take cyber security.</p>
<h2>Why are financial advice practices at heightened risk?</h2>
<p>Financial advice practices are attractive targets for cyber criminals on a number of fronts:</p>
<ul>
<li>due to the deeply sensitive (financial and health) data it holds and its access to large financial sums, the financial sector is one of the most frequently targeted sectors, accounting for around one-third of all attacks.</li>
<li>the fragmentation of the advice landscape and the proliferation of small, self-licensed practices means many advice businesses are too small to have dedicated IT resources and cyber expertise, making them softer targets.</li>
<li>the economics of a modern advice practice are forcing an increased reliance on third-party technology providers, including video meeting platforms and other cloud-based applications. As a service-based business, financial advice also lends itself to higher-than-average rates of remote working, increasing the number of exposure points.</li>
</ul>
<h2>Practical steps to protect your clients’ data and privacy</h2>
<p>There are three categories of steps advisers can take to secure their clients’ data:</p>
<ul>
<li>introduce first-line defence processes and protocols to minimise the risks,</li>
<li>educate staff and customers on how to be more cyber secure, and</li>
<li>have a recovery plan, including cyber insurance, for when an attack gets through the defences.</li>
</ul>
<h2>Processes and protocols</h2>
<p>One of the most basic but powerful steps one can take concerns passwords. Weak passwords (names and numbers), and the use of the same password across multiple platforms, make a hacker’s job easy.</p>
<p>Three easy steps here are:</p>
<ul>
<li>use a password manager to generate and store complex, hard-to-guess passwords,</li>
<li>turn on multi-factor authentication across all platforms that offer it. This means that, in addition to a password, a further level of authentication is required in the form of a code sent to the registered user by email or text, and</li>
<li>avoid unsecured networks, especially if working remotely.</li>
</ul>
<p>Email remains one of the greatest points of vulnerability. Emails can be easily intercepted, exposing any sensitive data they contain and creating the opportunity for crimes such as invoice fraud (where you are sent a genuine-looking invoice whose payee details have been altered ever so slightly, so that payment goes to criminals rather than the legitimate recipient).</p>
<p>As financial adviser Adele Martin told <em>Professional Planner</em>, there are several flaws when it comes to using email as a communication vehicle.</p>
<p>“If a client requests a withdrawal, how do you know if it’s coming from the client? It’s so open to being hacked and there have been numerous examples of where emails have been hacked for advisers.”<sup>[12]</sup></p>
<p>Martin is one of many experts who believe sensitive communication with clients should instead be done via a secure portal.</p>
<p>Whilst it is recognised that the use of portals and multi-factor authentication introduces a small element of inconvenience for clients, the majority are likely to understand and even appreciate the fact that these processes are helping protect them and their data.</p>
<p>Another step advisers are encouraged to take is to use cloud-based storage and software rather than local storage. A secure cloud-based workflow is not only more efficient and secure, but it also allows quicker recovery from an incident and means small businesses can benefit from the millions that major cloud providers invest in securing their systems.</p>
<p>When using a cloud-based service, it is important to check where the data will be stored. Storing data in Australian-based data centres not only ensures that it falls under Australian legislative protections, but also that these protections can be enforced in case of a breach.</p>
<p>Practices should also review their backup strategy. A report by Business Health found that while 93 per cent of Australian advisers now back up their critical data daily or in real time, around one-third said they had not tested these backups in at least six months<sup>[13]</sup>.</p>
<h2>Educating staff and clients</h2>
<p>A chain is only as strong as its weakest link. The most secure processes will only be effective if they are followed by everyone in your team, which is why cyber security training for your staff should be a given. Topics to cover in that training might include:</p>
<ul>
<li>practice protocols around password creation and storage</li>
<li>secure use of mobile devices and hardware</li>
<li>how to identify phishing and other scams</li>
<li>use of spam filters and anti-virus software</li>
<li>knowledge testing.</li>
</ul>
<p>Refresher training should also be held on a regular basis to ensure staff are kept up to date with the latest developments and cyber threats.</p>
<p>Human error continues to play a significant role in cyber incidents, contributing approximately 30% of loss payouts under cyber insurance globally<sup>[14]</sup>, and insurers place great importance on staff cyber training when assessing any application for cover.</p>
<p>In terms of clients, educating them about the processes they need to follow when interacting with you and/or their portfolios, and the steps your practice is taking more generally to secure their data, will almost certainly be very well received and will help you stand out as someone who is protecting their interests.</p>
<h2>Cyber insurance</h2>
<p>Despite the rising cost, cyber insurance shouldn’t really be considered optional, especially for smaller practices for whom the impact of a cyber attack may feel proportionately greater than for larger businesses.</p>
<p>Crucially, whereas cyber was once included as an extension within existing policies (such as business interruption or professional indemnity), this is no longer the case, and the only way cyber coverage can be obtained is through specialised, dedicated policies.</p>
<p>There are several factors to be aware of when seeking cyber coverage.</p>
<p>Firstly, not all policies are the same in terms of the breadth of their coverage, and advisers will need to decide which of the following types of protection they need:</p>
<ul>
<li>data confidentiality breaches – covering costs associated with restoring systems and data, incident management and notification costs, and regulatory, legal and compensation costs</li>
<li>network security liability – covering legal and defence costs together with compensation to third parties who incur losses because of a cyber attack against you</li>
<li>communication and media liability</li>
<li>technology disruptions – business interruption coverage together with technology restoration costs (for example you will likely want to throw all compromised laptops in the bin!)</li>
<li>cyber extortion – covers costs of restoring data, hardware and software compromised due to a ransomware attack</li>
<li>cyber fraud and theft – covering financial losses where assets are stolen due to a cyber incident.</li>
</ul>
<p>A common trap when seeking cover is that not all policies cover incidents emanating from third-party suppliers, so it is important to check, as this can be an area of significant exposure.</p>
<p>Whilst every business is different, specialists in this area suggest that $500,000 should be considered the bare minimum amount of coverage sought, but that $1 million is likely to be more appropriate<sup>[15]</sup>.</p>
<p>Insurance coverage will be most valuable and effective when it is included as part of an overall recovery plan. Such a plan should address the roles of internal and external stakeholders, communication to impacted persons (staff, customers, suppliers), how events may be contained or mitigated and a method of analysing the breach to determine its extent and cause. The plan should work towards the timely reinstatement of systems and services impacted by a cyber security event and ensure lessons are learned and applied so that overall cyber resilience can be improved.</p>
<p>The Australian Cyber Security Centre offers a number of templates for recovery plans, available for free download from their website<sup>[16]</sup>.</p>
<h2>Summary</h2>
<p>The Medibank and Optus data breaches raised community awareness of the growing presence and disruptive impact of cyber crime and prompted a significant increase in the financial penalties faced by businesses that suffer client data breaches. By its nature, finance is an attractive sector for cybercriminals, and as small business owners in this space, often lacking IT resources, financial advisers – and their clients – are at heightened risk.</p>
<p>In order to meet the expectations of their clients and regulators, and to help ensure the sustainability of their practice, financial advisers and practice owners should take steps to shore up their cyber resilience, including the introduction of cyber security processes and protocols, staff and client education, and holding appropriate types and levels of cyber insurance cover.</p>
<h6>References:<br />
[1] <a href="https://www.afr.com/companies/financial-services/insignia-wealth-firm-failed-to-fend-off-cybercrime-court-finds-20220505-p5aite">https://www.afr.com/companies/financial-services/insignia-wealth-firm-failed-to-fend-off-cybercrime-court-finds-20220505-p5aite</a><br />
[2] Ibid.<br />
[3] <a href="https://www.digitalnationaus.com.au/news/asic-v-ri-advice-ruling-sets-new-precedent-for-cybersecurity-accountability-579864">https://www.digitalnationaus.com.au/news/asic-v-ri-advice-ruling-sets-new-precedent-for-cybersecurity-accountability-579864</a><br />
[4] <a href="https://www.professionalplanner.com.au/2022/06/most-practices-can-be-hacked-in-30-mins-cybersecurity-expert/">https://www.professionalplanner.com.au/2022/06/most-practices-can-be-hacked-in-30-mins-cybersecurity-expert/</a><br />
[5] <a href="https://www.smh.com.au/business/companies/medibank-hackers-release-1500-more-sensitive-medical-records-20221120-p5bzpk.html">https://www.smh.com.au/business/companies/medibank-hackers-release-1500-more-sensitive-medical-records-20221120-p5bzpk.html</a><br />
[6] <a href="https://nationalseniors.com.au/news/latest-in-finance/is-your-financial-adviser-risking-your-cyber-securityquestion">https://nationalseniors.com.au/news/latest-in-finance/is-your-financial-adviser-risking-your-cyber-securityquestion</a><br />
[7] <a href="https://www.adviservoice.com.au/2022/11/advisers-given-new-tools-to-counter-the-rise-in-cyber-attacks/">https://www.adviservoice.com.au/2022/11/advisers-given-new-tools-to-counter-the-rise-in-cyber-attacks/</a><br />
[8] <a href="https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-july-2020-june-2021">https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-july-2020-june-2021</a><br />
[9] <a href="https://actuaries.asn.au/public-policy-and-media/thought-leadership/green-papers/cyber-risk-and-the-role-of-insurance">https://actuaries.asn.au/public-policy-and-media/thought-leadership/green-papers/cyber-risk-and-the-role-of-insurance</a><br />
[10] <a href="https://www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/medibank-cyberattack-exposes-australia-s-resiliency-gap-73507118">https://www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/medibank-cyberattack-exposes-australia-s-resiliency-gap-73507118</a><br />
[11] <a href="https://www.ashurst.com/en/news-and-insights/legal-updates/australias-massive-new-privacy-penalties-become-law-but-will-be-clarified/">https://www.ashurst.com/en/news-and-insights/legal-updates/australias-massive-new-privacy-penalties-become-law-but-will-be-clarified/</a><br />
[12] <a href="https://www.professionalplanner.com.au/2022/08/the-death-of-email-why-advisers-need-to-change-for-security/">https://www.professionalplanner.com.au/2022/08/the-death-of-email-why-advisers-need-to-change-for-security/</a><br />
[13] <a href="https://www.ifa.com.au/opinion/31372-five-simple-ways-to-improve-cyber-security-in-your-advice-practice">https://www.ifa.com.au/opinion/31372-five-simple-ways-to-improve-cyber-security-in-your-advice-practice</a><br />
[14] <a href="https://www.headsure.com.au/insight/cyber-lessons-and-the-billion-dollar-price-of-failure/">https://www.headsure.com.au/insight/cyber-lessons-and-the-billion-dollar-price-of-failure/</a><br />
[15] <a href="https://www.thecybercollective.com.au/understanding-insurance-cover-for-financial-advisers/">https://www.thecybercollective.com.au/understanding-insurance-cover-for-financial-advisers/</a><br />
[16] <a href="https://www.cyber.gov.au/acsc/view-all-content/publications/cyber-incident-response-plan">https://www.cyber.gov.au/acsc/view-all-content/publications/cyber-incident-response-plan</a></h6>
]]></content:encoded>
                                    <wfw:commentRss>https://www.adviservoice.com.au/2023/01/cpd-4-cyber-developments-advisers-must-understand-and-respond-to-a-practical-guide-2/feed/</wfw:commentRss>
                <slash:comments>0</slash:comments>                            </item>
            </channel>
</rss>