
Cyber criminals target unprepared advisers

9 March 2018

Failure to manage emerging risks, as financial advisers embrace new technology, can be devastating, writes Virat Nehru.


According to the Australian Transaction Reports and Analysis Centre, cyber-enabled fraud is the financial-advice sector’s most frequently reported suspected crime – and it’s on the rise.

Examples of cyber-fraud include theft of clients’ email history in order to impersonate them, hacking of clients’ social media accounts to learn more about them, and hacking of clients’ emails to instruct their adviser to transfer funds into an external bank account.

Between April 2014 and March 2016, AUSTRAC received 273 reports of suspicious matters relating specifically to financial advice – half of which involved cyber-fraud.

International statistics paint a similarly sobering picture. For instance, a report by British adviser software firm Intelliflo revealed that, of 220 advisers surveyed, 44 per cent had experienced cyber-crime. Even more concerning, 82 per cent of 500 clients surveyed said they would have changed advisers or not engaged them in the first place had they known they had been the target of a cyber-attack.

The nature of their work exposes financial advisers to specific vulnerabilities: as they adopt new technology in search of efficiencies, their businesses become more exposed to cyber-attacks and breaches.

The vulnerability of the financial-advice sector 

The financial-advice sector holds sensitive personal data of 20 per cent of adult Australians and generated $4.6 billion in revenue in 2016. The Australian Prudential Regulation Authority recently warned Australia’s financial sector to stay vigilant against the threat of cyber-attacks as Australia remains the top target of malicious software in the Asia-Pacific region.

Financial advisers deal with a wide client base. They move large volumes of money across complex financial products and, sometimes, international jurisdictions. This makes them attractive targets for hackers.

Individual advisers and small advisory firms that use referral partners or third-party vendors are also more at risk if any of their partners or vendors are not adequately protected. And advisers whose administrative staff collect their clients’ personal data could be vulnerable if their staff security training is inadequate.

The mobility of a financial advice office – the use of apps, mobile sign-in to client portals, the use of smart devices to engage with clients – opens up client data and the financial planning business to the kind of cybersecurity threats outlined above. The horror of losing a briefcase with a client paper file in it pales into insignificance beside a security breach in which your entire client list and all of their information is hacked.

Keep in mind that clients themselves, especially those less technically savvy, such as older retirees, may be more vulnerable to cyber-fraud than other client groups. Being less experienced with technology, these clients may be unaware of cyber-hacking techniques such as phishing, or may underestimate the importance of computer-security updates.

Having a robust plan of action: opportunities for change

Cyber-security breaches have the potential to further damage the precarious reputation of the financial services industry. What’s more, with mandatory data-breach-reporting laws coming into effect last month in Australia, organisations obliged to secure personal information under the Privacy Act 1988 (Cth) must publicly notify relevant authorities and affected customers of cyber breaches likely to result in serious harm. So having a robust, actionable cyber-security plan has never been more important.

Even so, a recent study by security firm CyberArk found that thousands of Australian small businesses remained unprepared for the new laws, with 44 per cent admitting they hadn’t done enough to be ready.

A major part of the problem is that the business sector at large still does not treat cybersecurity as a serious, accelerating risk in an increasingly digital environment. A 2017 report by the Australian Securities Exchange found that nearly two-thirds of Australian companies see cyber breaches as an "IT issue" rather than as a significant reputational and business-related risk.

Rising to the challenge: prevention and protection

Advisers’ best weapons against cyber-attack are prevention and protection. All advisory firms need to ensure they have an effective cyber-risk strategy that covers people, processes and technology. It should include the following elements:

Prevention strategies: Small and medium firms need to embed cyber-security training and procedures into their processes. This should include identification, storage and protection of valuable data, and adequate user permissions for data access. Advisers must work closely with partners and referral firms to protect their mutual clients with agreed cyber-security procedures.

Appropriate insurance: Firms must have a cyber-insurance policy in place, as general business-liability insurance policies do not include cyber-liability.

Secure storage: Individual advisers and small advisory firms without an IT department should consider leveraging the economies of scale of cloud storage. However, because they are ultimately responsible for the safety of their data, they should understand their service level agreement and how their data will be stored.

Client education: Advisers must educate their clients on the importance of cyber-security, and help them to balance their need for convenience with appropriate security.

The continued digitisation of the financial-advice sector will introduce even more complex technologies and delivery channels. While this process will undoubtedly create more convenience and service, it also opens the financial services industry to greater risk, which requires clear and proactive strategies to combat cyber-security threats.