Fraser Jack

While product providers are building out new platforms to help better service advisers, advisers could be doing more to prepare to gain access to the consumer data right (CDR).

Currently advisers are classified as “other participants” in the CDR framework and may gain access to CDR data through an accredited data recipient, with their client’s consent. The regime started with Open Banking

Cyber Collective founder Fraser Jack tells Professional Planner these other participants have “trusted adviser” status according to the regulations.

“Putting my cyber security hat on, when I think of the word ‘trusted’ what I think of is the trust clients place in sharing their personal and financial data with advisers,” Jack said. “To be a trusted recipient of this data, there will need to be evidence around the strength and ability to receive and protect data the way clients would expect it to be protected.”

Jack noted trust is complicated and subjective, but behaviours, authenticity, reliability and acting in someone’s best interest are essential parts of it.

“With these four areas in mind, how can an adviser demonstrate that they are trustworthy in receiving client data from accredited data recipients? To demonstrate trust requires the establishment of a history of trusted behaviours, a history of staff awareness training, a history of reliability, a history of investing in cybersecurity, and taking client data security seriously.”

Establishing trust

Jack said cyber audits will be an essential part of establishing trust, as they will demonstrate the past and current compliance needed for accredited data recipients to agree to share such valued personal information.

“There will be no room for error, as clients will not tolerate breaches,” Jack said. “Nor will accredited data recipients who are generally larger brands that will not appreciate finding themselves on the wrong side of bad press and client comments on social media, should they let advisers have access to information that is later breached.”

RI Advice was fined $750,000 earlier this year for breaching licensee obligations around cybersecurity, and the case highlighted the need for strict security measures. Chief executive Peter Ornsby has warned the industry to be proactive or risk being put in the same position.

The sensitive and confidential nature of the data held by advice practices makes advisers a hot target, and a lack of robust risk management systems, including for cybersecurity, can also impact professional indemnity insurance premiums.

Cyber experts have noted how unprepared the industry is for cyber protection, and that even using email for client correspondence gives a broad opening for malicious actors.

“Every client in Australia deserves to have the data they share with their trusted financial professionals treated with the highest possible levels of security from every entity in the process, to protect trusted client relationships, reputations and business valuations,” Jack said.