Vincent Holland

Advice practices need to consider the various points of entry, such as weak passwords, that leave them vulnerable to cybersecurity threats, according to Plutosoft co-founder Vincent Holland.

Holland tells Professional Planner that advisers are a “hot target” because of the sensitive and confidential nature of the data they hold.

“Identity data and investment data that advisers manage underscores why it’s important to exercise caution.”

Holland says in the age of remote working it’s important to make sure all employees are across organisational cybersecurity policies.

“It’s not possible to reduce cyber risk to zero but it is possible to materially reduce the risk by taking certain precautions, including using the antivirus and firewall protections on all devices, and using passwords with sufficient strength.”

Where data is being stored also needs to be a consideration, Holland says. “A lot are being stored on the cloud and firms should understand where it’s being stored as a software vendor sells.”

At the latest Professional Planner Licensee Summit, cybersecurity specialist Michael Connory highlighted how most practices could be hacked in 30 minutes, even at companies where CEOs claim to take cybersecurity seriously.

Connory stressed that most employees still have weak passwords.

“They’ve got five different versions of the same password. Somebody you love, your partner, your football team, your favourite food, a date,” he said. “If it has to have a capital letter it’s first and if it has to have a special character it will be an exclamation point at the end. Pretty easy to be able to guess.”

All eyes on RI

Cybersecurity came into the spotlight earlier this year after RI Advice was fined $750,000 for breaching its licensee obligations by failing to adequately manage cybersecurity risks.

RI Advice CEO Peter Ornsby told Professional Planner in May their case would become a test case for the industry.

“We had staff in tears because of the stress of trying to do the right thing and being placed on the stand. No one wants that, everyone goes into work to try and do their best.”

Holland says the RI Advice case is important for three reasons.

“First it shows licensees have an obligation to make sure they have adequate cybersecurity frameworks in place. [Secondly] It shows you must be proactive in managing risks and need to act quickly particularly when risks are identified. Finally, it shows that in the battle against cybersecurity, common sense is often your best protection.”

Holland says it’s a good reminder to be “doing the things you know you should be doing”.

“Unfortunately, in this cyberworld, financial planning firms and licensees are targets. The alarming thing about the [RI Advice] case is that it could’ve happened to anyone without adequate measures in place. This case has really highlighted that.”
