9 March 2018
Cyber criminals target unprepared advisers
According to the Australian Transaction Reports and Analysis Centre, cyber-enabled fraud is the financial-advice sector’s most frequently reported suspected crime – and it’s on the rise.
Examples of cyber-fraud include theft of clients’ email history in order to impersonate them, hacking of clients’ social media accounts to learn more about them, and hacking of clients’ email accounts to instruct their adviser to transfer funds into an external bank account.
Between April 2014 and March 2016, AUSTRAC received 273 reports of suspicious matters relating specifically to financial advice – half of which involved cyber-fraud.
International statistics paint a similarly sobering picture. For instance, a report by British adviser software firm Intelliflo revealed that, of 220 advisers surveyed, 44 per cent had experienced cyber-crime. Even more concerning, 82 per cent of 500 clients surveyed said they would have changed advisers or not engaged them in the first place had they known they had been the target of a cyber-attack.
Financial advisers face specific vulnerabilities due to the nature of their work. As they adopt new technology in their search for efficiencies, their businesses become more exposed to such cyber-attacks and breaches.
The vulnerability of the financial-advice sector
The financial-advice sector holds sensitive personal data of 20 per cent of adult Australians and generated $4.6 billion in revenue in 2016. The Australian Prudential Regulation Authority recently warned Australia’s financial sector to stay vigilant against the threat of cyber-attacks as Australia remains the top target of malicious software in the Asia-Pacific region.
Financial advisers deal with a wide client base. They move large volumes of money across complex financial products and, sometimes, international jurisdictions. This makes them attractive targets for hackers.
Individual advisers and small advisory firms that use referral partners or third-party vendors are also more at risk if any of their partners or vendors are not adequately protected. And advisers whose administrative staff collect their clients’ personal data could be vulnerable if their staff security training is inadequate.
The mobility of a financial advice office – the use of apps, mobile sign-in to client portals, the use of smart devices to engage with clients – opens up client data and the financial planning business to the kind of cyber-security threats outlined above. The horror of losing a briefcase with a client paper file in it pales into insignificance beside a security breach in which your entire client list and all of its information is hacked.
Keep in mind that clients themselves, especially those less technically savvy, such as older retirees, may be more vulnerable to cyber-fraud than other client groups. Being less experienced with technology, these clients may be unaware of cyber-hacking techniques such as phishing, or may underestimate the importance of computer-security updates.
Having a robust plan of action: opportunities for change
Cyber-security breaches have the potential to further damage the precarious reputation of the financial services industry. What’s more, with mandatory data-breach-reporting laws coming into effect last month in Australia, various organisations that are obliged to secure personal information under the Privacy Act 1988 (Cth) must publicly notify relevant authorities and affected customers of cyber breaches likely to result in serious harm. So having a robust, actionable cyber-security plan has never been more important.
Despite the mandatory reporting requirement, a recent study by security firm CyberArk found that thousands of Australian small businesses remained unprepared for the new laws, with 44 per cent admitting they hadn’t done enough to be ready.
A major part of the problem is that the business sector at large still does not treat cyber-security as a serious, accelerating risk in an increasingly digital environment. A 2017 report by the Australian Securities Exchange found that nearly two-thirds of Australian companies see cyber breaches as an "IT issue" rather than as a significant reputational and business-related risk.
Rising to the challenge: prevention and protection
Advisers’ best weapons against cyber-attack are prevention and protection. All advisory firms need to ensure they have an effective cyber-risk strategy that covers people, processes and technology. It should include the following elements:
Prevention strategies: Small and medium firms need to embed cyber-security training and procedures into their processes. This should include identification, storage and protection of valuable data, and adequate user permissions for data access. Advisers must work closely with partners and referral firms to protect their mutual clients with agreed cyber-security procedures.
Appropriate insurance: Firms must have a cyber-insurance policy in place, as general business-liability insurance policies do not include cyber-liability.
Secure storage: Individual advisers and small advisory firms without an IT department should consider leveraging the economies of scale of cloud storage. However, because they are ultimately responsible for the safety of their data, they should understand their service level agreement and how their data will be stored.
Client education: Advisers must educate their clients on the importance of cyber-security, and help them to balance their need for convenience with appropriate security.
The continued digitisation of the financial-advice sector will introduce even more complex technologies and delivery channels. While this process will undoubtedly create more convenience and service, it also exposes the financial services industry to greater risk, which calls for clear and proactive strategies to combat cyber-security threats.
This material is intended for the use of financial advisers only and is distributed by OnePath Life Limited (OnePath Life) (ABN 33 009 657 176, AFSL 238341).