Monday 23rd May 2022
Cybersecurity the latest challenge for stressed advice industry
Cybersecurity has become the latest battle facing the under pressure, stressed financial advice industry following a landmark court ruling.
Cybersecurity has become the latest battle facing the under pressure, stressed financial advice industry following a landmark court ruling. News last month that ASIC had fined licensee group RI Advice more than $750,000 for cyber security breaches likely sent a shiver down the spine of many practice managers.
In an environment where spam calls and email phishing attempts are commonplace, a generally ageing industry is faced with a difficult challenge. Financial advisers are privy to some of the most important and confidential information about our clients, yet many processes within practices remain manual, whilst technology ‘stacks’ look more like spider webs.
According to the ruling, RI Advice ‘failed to have adequate risk management systems to manage its cyber security risks” resulting in a “significant number” of cyber incidents occurring between June 2014 and May 2020. This included a brute force attack which allowed unauthorised access to an authorised representatives file service for an extended period of time.
The result of these events was a “potential compromise of confidential and sensitive personal information for several thousand clients”. The regulator had little choice but to take action with ASIC Deputy Chair saying “these cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information” reiterating that it is imperative for all entities, including licenses, to have “adequate cyber security systems in place”.
The question of course, is what ‘adequate’ is and how it relates to the varying businesses sizes and types. Advisers like most firms outsource these tasks to major providers but it is clear they will need to be more hands on a fit for purpose, meaning another task of running a business risks dragging them away from advising clients.
When handing the judgement, Justice Rofe said: “Cyber security risk forms a significant risk connected with the conduct of the business and provision of financial services.
“It is not possible to reduce cyber security risk to zero, but it is possible to materially reduce cyber security risk through adequate cyber security documentation and controls to an acceptable level.”
Drew is editor of The Inside Network's publications and a principal adviser at Wattle Partners.
