If cybersecurity hasn’t shot up towards the top of the list of identified risks in your financial services business, you may want to revisit your risk register. The global COVID-19 pandemic and the attendant work-from-home upheaval tilted the scales heavily in favour of cyber crooks.
And financial services businesses are particularly at risk. Why? Put simply, it’s where the money is. Why beat around the bush if you are a fraudster? Why not go straight to the source instead!
Cyber breaches can lead to financial and reputational loss and damage to your clients as well as you and your business. Hard-won trust and reputations can be trashed overnight if a client suffers damage because of a successful cyberattack on you.
Cyber risks are everywhere and come in a range of forms. Fraudulent activity can stem from:
Fraudsters are determined, smart and nimble. They will probe all manner of defences to identify areas of weakness they can take advantage of. Your next cyber threat could literally come from anywhere. Being prepared is the best way to ensure you (or your clients) don’t become the next victim.
You may have heard that ASIC is taking RI Advice Group Pty Ltd to court, alleging that RI Advice failed to have adequate cybersecurity systems. ASIC brought the legal action following a number of alleged cyber breach incidents at certain authorised representatives (ARs) of RI Advice. ASIC alleges that, as the AFS licensee responsible for the compliance and conduct of the ARs under its AFSL, RI Advice failed to implement (including through its ARs) adequate policies, systems and resources that were reasonably appropriate to manage cybersecurity and cyber resilience risks.
ASIC has made it clear that it expects all financial services participants to have adequate cyber arrangements. It has also made it clear that cyber threats and risks will continue to be a priority supervisory issue for the regulator.
One of our clients had discussed the issue of cybersecurity and cyber insurance at Board level. There was a lot of reluctance and scepticism from many on the Board but ultimately the decision was taken to purchase cyber insurance for the first time. And not a second too late. Within two months, a cyber incident had taken place at one of the licensee’s corporate authorised representative businesses, leaving the business and clients alike potentially exposed to untold damage, expense and loss.
But because the cyber insurance was in place, this small business was able to avert a substantial six-figure loss claim and hefty legal, IT and forensic fees. It was still a stressful time and took valuable management time and focus away from business-as-usual. But this paled compared to what may have been.
So, how did the breach occur? As seems to be more and more common, one of the financial adviser’s clients had their email account compromised. Through a series of emails, the fraudster, posing as the client, weaved a story about not being able to talk or meet in person for a variety of reasons, and then took advantage of this ‘grooming’ to provide account details for receipt of substantial payments. The adviser was expecting to receive payment instructions (the fraudsters knew this of course, having trawled through the hacked client’s email account) and, when the instructions arrived, proceeded to instruct a third party to make the requested payments. Of course, the receiving account turned out to belong to the fraudsters and not the client. Luckily, because the payments were made via a bank, many of them were able to be recovered. But not all. And not before a lot of investigation was undertaken to identify whether any other personal information of the client, or any other client accounts, had been compromised.
Several years ago, another client experienced a similar fraud. The fraudster, having gained access to the client’s email, issued genuine-looking payment instructions to an adviser. Again, the fraudster spun a compelling story about not being contactable but requiring an urgent payment. Because the client was due to head overseas (which the fraudster also knew, having been through the client’s emails), the request presented to the adviser as having the ring of truth. Unfortunately, the adviser ended up $10,000 out of pocket after compensating the client. Needless to say, it could have been much worse.
We could present many more examples. But what is important to recognise is that:
Unfortunately, our experience is that many licensees simply are not doing enough to manage this insidious risk.
Start at the start! It is not possible to forge a proper path forward until you know where you currently are. Keep your cybersecurity arrangements fit and healthy. imac legal’s compliance business, complifit®, offers a comprehensive cybersecurity risk assessment, designed to give small-to-medium financial services businesses a clear picture of the strengths and weaknesses of your current cybersecurity controls and arrangements so you can forge a confident path forward.
Available here, the complifit® Cybersecurity Risk Assessment is yours for only $30 (plus GST)*. It could save you a small fortune!
*Price subject to change without notice.
Ian McDermott, Financial Services Lawyer and Compliance Consultant