Online attacks on financial services and other sectors have grown in number, size, and sophistication. PwC notes that fraud incidents, both online and offline, increased by more than 130 per cent during 2017, resulting in significant monetary and reputational losses for financial institutions.
The number and range of vulnerabilities is growing as companies outsource internal processes, shift computing to the cloud, having platforms owned and managed offshore and connect to customers through more channels. Engaging contractors and temporary workers can also increase exposure and businesses need to protect against nefarious behaviour and identify workers who may have been unknowingly compromised or simply make mistakes.
While cases involving multinationals being victims of hacking and fraud are popularised in the media, it is far more common for smaller organisations to be targeted. High profile attacks often involve the use of ransomware which threatens to publish the victim’s data or block access to it unless a ransom is paid and also whaling or spear-phishing which uses media to find out when CFOs and CEOs are travelling and then send phony invoices to businesses with request for urgent payment. Financial planners are often employed in small and medium-sized enterprises (SMEs). SMEs often face different challenges than large enterprises in regard to cyber security. One recent study found the top challenges faced by SMEs to be: finding the finances to engage suitable cyber security experts, regulatory compliance and finding professionally available talent.
Working from home during the COVID-19 crisis has presented further cyber security risks such as working on unsecured Wi-Fi networks, lack of appropriate back up, failure to update security software just to mention a few. In addition to the cyber security concerns of business operators in general financial planners need to be particularly aware of their digital and online security and here are three reasons why:
1. Ensuring your client’s records are kept secure is a legal requirement. Specifically:
Standard 1 says: “You must act in accordance with all applicable laws, including this Code, and not try to avoid or circumvent their intent.”
Applicable laws include the Corporations Act 2001, Privacy Act 1988 and Tax Agent Services 2009 (Act). Of critical importance in the context of data security are the requirements of the Office of the Australian Information Commissioner (OAIC) that oversees the Notifiable Data Breaches scheme that commenced on the 22 February 2018. The scheme does not impact most SMEs as Privacy Act 1988 and Australian Privacy Principles only apply to organisations with annual turnover over $3 million however any recipient of Tax File Number information regardless of their turnover is covered. The Notifiable Data Breaches scheme requires Australian businesses to “notify affected individuals and the OIAC when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach”. The maximum penalty for non-compliance is $2.1 million.
Planners who are registered with the Tax Practitioners Board (TPB) who fail to report a data breach would fail to comply with the TPBs Code of Professional Conduct. If a breach has occurred the TPB will take into account if practitioners have not taken appropriate steps to minimise the risk of cyber-attack. Of particular concern for accountants is AUSkey, which provides access to the ATOs Tax Agent Portal.
In addition, the FASEA Standards Guidance Note (FG002 Financial Planners and Advisers Code of Ethics 2019 Guidance) issued in November 2019 is relevant in terms of data security. Specifically:
Standard 8 “You must ensure that your records of clients, including former clients, are kept in a form that is complete and accurate.”
The explanatory statement indicates that Standard 8 requires that a relevant provider keep complete and accurate records of the advice and services provided. Example 23 of the Guidance Note notes that with regard to digital record keeping, “A long-term financial adviser is transitioning their client files from paper based to electronic. As part of this process the adviser invests in a document management system that has adequate levels of data security and functionality to ensure compliance with relevant legal obligations. Importantly for the adviser, the electronic file keeps all records in one place similar to hard copy files, allowing them to easily locate important documents such as final versions of advice documents and client consent forms.” Hence there is an explicit requirement that digital records be kept secure and security processes and protocols are in place.
2. Lack of security can cost you time and money
Lack of appropriate digital security and management can cost considerable time and money. The Australian government Staysmartonline.gov.au website provides figures which indicate the extent of cyber crime in Australia. The site indicates that 40 per cent of those involved in a cyber attack noted business interruption, 29 per cent noted information loss, 29 per cent indicated productivity loss and 25 per cent noted revenue loss. The website notes that the average cost of attack was estimated at $276,323 and that was in 2014! Further, Smartonline noted that 50 per cent of all costs caused by web based attacks are by insiders.
3. Do you do any estate planning work – then take notice
Many issues exist with respect to digital assets and deceased estates not the least of which is access to these assets by an executor or administrator. In Australia and most other jurisdictions the terms of service of digital service providers (such as email, social media sites) dictate whether an executor or administrator can access such assets. Advising clients that they should make a record of all usernames and passwords and leave this for an executor, administrator or family member to use in the event of death or disability could lead to significant legal issues and complications. In part, the terms of service are driven by legislation aimed at protecting the privacy of clients (for example the Privacy Act 1988 Australia), however in a number of cases digital asset and digital service providers terms of service are silent on the issue of what happens in the event of client death or disability. Further, it is important as a business operator that you appreciate that if you pass or become disabled you need to be aware of your own digital assets that you use in your business. Your business colleagues or family members may not be legally able to access your digital assets and this may compromise you business and its ability to service its clients.
What should you do next?
The internet is full of advice in data security. The Australian government’s Australian Signals Directorate has prepared a Small Business Cyber Security Guide, which contains some good advice. The guide and other like it provide many useful tips to prevent cyber attack but this is only part of the story. Loss of data and systems problems are also about accidents and mistakes. Hence what is needed is good practice which involves creating a suitable framework and following it.
The US National Institute of Standards and Technology (NIST) has a framework for developing a cyber security program. There are five key areas in the framework:
1. Identify: what your business needs to track/monitor/mitigate. What risks are there, the probability of those risks occurring and the cost of those risks e.g. phishing, whaling, ransomware, accidental loss and so on. Document your hardware and software and consider where you data goes and who has access to it.
2. Protect: Develop appropriate safeguards for your data such as using appropriate passwords and updating security patches periodically. Backup files, do not open suspicious email or suspicious files. Decide on which staff have access to what systems and revoke their log in access when they leave your employment. If you are working from home ensure your Wi-Fi connection is secure to guarantee people in the near vicinity can snoop your traffic.
3. Detect: Implement activities to identify an actual breach by running anti-virus software regularly. Mysterious passwords, emails and logins as well as a slow down in system speed can all be signs of actual cyber security breaches.
4. Respond: What is the plan to recover data, mitigate damage and report when a breach has occurred to clients and the appropriate authorities are required?
5. Recover: Recording events is necessary to improve operations and reduce the impact of a successful breach.
No one has a monopoly on digital advice, but applying the framework and adopting the advice above will assist you in discharging your duties as a digital fiduciary and operating efficiently in the digital environment.
Adam Steen, professor of practice, Deakin Business School
Want more content on advice strategy? Register here for ifa's Business Strategy Day 2021.
Advice businesses continue to evolve, shifting from responding to regulatory change to focusing on opportunities to ...
The advice industry’s all-talk, no-action approach to the intergenerational wealth transfer is turning this golden ...
The future of financial advice is digital – it has to be. With the average cost of receiving financial advice currently ...
Never miss the stories that impact the industry.
Get the latest news! Subscribe to the ifa bulletin