A few years ago, a restaurant not far from home was targeted by the NSW Food Authority, which closed it down for a couple of weeks while it addressed issues around food handling and wildlife in the kitchen. When the restaurant re-opened, many people stayed away.

But this makes no sense: after a thorough clean-up and being signed off by the authority, the restaurant surely would be among the cleanest in the city.

Customers who abandon Optus in the wake of that company’s cybersecurity fiasco may be making the same error. Optus’s cybersecurity has been exposed as inadequate but customers moving to another telco may simply expose themselves to another organisation whose security is just as bad, or maybe worse. Who actually knows? What we do know is that if Optus gets through this issue, its cybersecurity is likely to be among the world’s best.

The point is, customers will potentially react quite irrationally to bad news. Bad news is what a cybersecurity breach is, to be sure, and it seems like every day brings news of a fresh breach and client data stolen.

The financial advice industry had its own mini-Optus moment a little while ago when hackers got into an advice practice’s computers and stole client information, even getting as far as setting up fake bank accounts in clients’ names.

This event may have an adverse effect on the practice and on the licensee in question, but thanks to the action taken against the licensee in the Federal Court by ASIC, and the work the licensee has done subsequently to improve things, it’s probably safe to say its cybersecurity is now industry leading.

All licensees should be closely reviewing this case because it makes it clear exactly how cybersecurity is a licensee’s responsibility. It’s worth noting that the licensee was the sole defendant in the action brought by ASIC, and the advice practice that actually experienced the cybersecurity breach didn’t appear.

Even so, cybersecurity should also be front-of-mind for all advisers. A lot of the information financial advisers collect about clients is sensitive, a lot of it relates to financial details, and a lot of it can also be used to mimic the individuals concerned to, for example, set up bank accounts and transfer funds without the actual individual’s knowledge or consent.

For a sufficiently competent hacker, or even just a lucky one, the information gathered by advisers can be a goldmine and it makes advisers potentially lucrative targets.

It doesn’t really matter to a client if a cybersecurity breach occurs and an advice practice points to the licensee and blames it for poor practices or policies. At the end of the day the client’s relationship is with the adviser not the licensee and a cybersecurity breach at practice level, even if it’s ultimately the licensee’s responsibility, will invariably sully the adviser-client relationship.

Sometimes, however, advisers are their own worst enemies. Consider the adviser who resisted co-operating with his licensee’s cybersecurity requirements on the basis that he wasn’t a cybersecurity risk because he turned off his PC every evening when he left the office. As we all know, hackers only operate at night.

In the normal course of doing business, financial advisers collect personal information about clients, including full names, addresses and dates of birth and in some instances health information; contact information, including phone numbers and email addresses; and copies of documents such as driver’s licences, passports and other financial information.

In the recent action brought against a licensee by ASIC, it emerged that in the space of about six years from 2014 to 2020, nine serious cybersecurity breaches occurred, the most serious of all being when, according to Federal Court documents, “an unknown malicious agent gained unauthorised access to an AR practice’s server for a period of several months between December 2017 and April 2018”.

“This event compromised the personal information of several thousand clients, a number of which reported unauthorised use of the personal information,” the documents say. That use included setting up new bank accounts.

The documents set out how access to the practice’s server was achieved through a brute force attack over a 10-day period, when there were 27,814 unsuccessful login attempts using 2,178 different usernames, launched from 10 different countries.
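The pattern the court documents describe, many failures spread across many usernames from many sources, is exactly what a practice’s IT provider should be alerting on. By way of an added illustration (this is not code from the article, the licensee or the court documents), the script below runs a simple detector over a handful of constructed login-log lines. The log format, the threshold values and the IP addresses are all assumptions chosen for the example. It raises two kinds of alert: a window with too many failures across too many usernames, and a successful login from a source that had previously failed against several different usernames, which is the signal that the attack worked. A legitimate user who mistypes their own password once does not trigger either alert.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines for this example only.
# Assumed format: "<ISO timestamp> src=<ip> user=<name> result=<OK|FAIL>"
SAMPLE_LOG = """\
2017-12-03T02:14:07Z src=203.0.113.45 user=administrator result=FAIL
2017-12-03T02:14:09Z src=203.0.113.45 user=admin result=FAIL
2017-12-03T02:14:11Z src=203.0.113.45 user=reception result=FAIL
2017-12-03T02:14:12Z src=198.51.100.7 user=backup result=FAIL
2017-12-03T02:14:15Z src=198.51.100.7 user=scan result=FAIL
2017-12-03T02:14:16Z src=198.51.100.7 user=administrator result=FAIL
2017-12-03T02:14:20Z src=192.0.2.88 user=support result=FAIL
2017-12-03T02:14:22Z src=192.0.2.88 user=test result=FAIL
2017-12-03T02:14:25Z src=192.0.2.88 user=administrator result=FAIL
2017-12-03T02:15:01Z src=192.0.2.88 user=administrator result=OK
2017-12-03T09:30:00Z src=10.0.0.12 user=jsmith result=OK
2017-12-03T09:31:42Z src=10.0.0.12 user=jsmith result=FAIL
2017-12-03T09:31:50Z src=10.0.0.12 user=jsmith result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$"
)


def parse(log_text):
    """Turn log text into (timestamp, source, username, result) tuples; skip lines that don't match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def floor_to_bucket(ts, bucket):
    """Round a timestamp down to the start of its fixed-size bucket (e.g. the hour)."""
    return ts - (ts - datetime.min) % bucket


def detect(events, bucket=timedelta(hours=1), min_failures=5, min_users=3):
    """Return a list of alert dicts for brute-force windows and for successes after a spray.

    min_failures / min_users are assumed thresholds; tune them to the practice's normal traffic.
    """
    failed_users_by_src = defaultdict(set)   # which usernames each source has failed against so far
    buckets = defaultdict(lambda: {"failures": 0, "users": set(), "sources": set()})
    alerts = []

    for ts, src, user, result in sorted(events):
        if result == "FAIL":
            failed_users_by_src[src].add(user)
            b = buckets[floor_to_bucket(ts, bucket)]
            b["failures"] += 1
            b["users"].add(user)
            b["sources"].add(src)
        elif len(failed_users_by_src[src]) >= min_users:
            # A success from a source that has already tried several different usernames
            # is the strongest sign the brute force actually got in.
            alerts.append({
                "type": "success_after_spray", "time": ts, "source": src, "user": user,
                "failed_usernames": sorted(failed_users_by_src[src]),
            })

    for start, b in sorted(buckets.items()):
        # Many failures over many distinct usernames in one window: password spraying / brute force.
        if b["failures"] >= min_failures and len(b["users"]) >= min_users:
            alerts.append({
                "type": "brute_force_window", "window_start": start,
                "failures": b["failures"], "distinct_users": len(b["users"]),
                "distinct_sources": len(b["sources"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed sample, the detector reports one brute-force window (nine failures across seven usernames from three sources in the 02:00 hour) and one success-after-spray alert for the login that follows, while the single mistyped password from jsmith at 09:31 produces nothing. Against real logs the obvious additions are alerting on failures per source and per username separately, and feeding the alerts to whoever can actually lock the account or block the address.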

It was a pretty concerted effort but it was made a lot easier by lax cybersecurity: the overwhelming majority of the advice practice’s desktops did not have up-to-date antivirus software and the practice was not running regular virus checks; it had no offsite backups of important data; and passwords and other security details could be found in text files on the desktop.

As the extent of the cybersecurity issues across the licensee’s practices became apparent, the licensee, in conjunction with its cybersecurity consultants, determined that all advice practices should immediately implement, as a minimum:

  • Password management;
  • Multifactor authentication (MFA); and
  • Password protection of sensitive data sent by email.

These are relatively simple first steps for all practices. While it’s common for practices to outsource IT support to specialist providers, that’s not a guarantee that cybersecurity measures are effective or that they even necessarily exist at all.

ASIC’s action on the cybersecurity front reinforces the fact that licensees are ultimately responsible for the cybersecurity practices of their advisers. But it also illustrates just how advisers themselves clearly play a pivotal role in protecting their clients by properly following and implementing cybersecurity measures at the coalface.
