No one wants to entertain the idea of an email breach impacting their business, but for advice practices, it’s important to have the right protocols in place before an event happens.
Finura Group joint managing director Peter Worn says email breaches are relatively common for financial firms.
In a recent webinar on cyber security, Worn said the worrying part is that the majority of cyber incidents within the financial services sector aren’t being reported.
“I don’t think that we will ever have a handle on just how widespread the cyber issues are across the industry,” Worn says.
“But we do know that most of the licensees we’ve worked with have had at least 10 cyber breaches in their firms in the past 12 months.”
At the Professional Planner Licensee Summit last month in the NSW Blue Mountains, a straw poll showed 53 per cent of respondents agreed they had suffered a cyber breach in the last year.
Worn argues financial advice firms should stop sending sensitive documents over email altogether.
“So many clients who come to Finura are on the wrong end of tech decisions that could have been avoided with some due diligence,” Worn says.
The days of exchanging sensitive documents with clients by email are coming to an end as wealth management systems with a client portal become more widely used, but putting a roadmap in place is what drives the significant change needed to avoid a cyber catastrophe, Worn says.
But the pace of change is slow. In fact, he labelled Australia a laggard for continuing to email sensitive documents, a practice countries such as the UK stopped years ago.
“The days of exchanging sensitive documents between our clients are fast coming to an end,” Worn says.
“Advisers need to put steps in place so that if they stop emailing clients altogether, there’s a better option in its place, whether it’s a document sharing system or a fully-fledged client portal.”
In 2019, business email compromise scams were responsible for $132 million in business losses, according to the Australian Competition and Consumer Commission’s ‘Targeting Scams’ report.
Some of these scams involved emails originating from financial advice firms being manipulated and sensitive information getting into the wrong hands.
The Cyber Collective founder Fraser Jack says advisers should be having cyber conversations with clients at every meeting, so clients feel the advice firm invests in their security.
“If they don’t and they have an incident, clients will feel like the firm never took cyber seriously and will be more likely to leave,” Jack says.
Practices must also make sure their internal teams are properly trained and know what to do in the event of an email breach. A forensic specialist should examine digital logs to determine which clients may have been compromised and what the attacker had access to.
“If you find out the breach was in your client’s email, keep helping them work through it,” Jack says.
Advisers will also need a lawyer, who can help determine whether identifiable information has been compromised and whether the matter needs to be reported to authorities. Also, expect the matter to become public once you notify your clients, he says.
Meanwhile, the federal government recommends advisers report incidents to the Australian Signals Directorate’s Australian Cyber Security Centre, which will refer the report directly to the relevant police jurisdiction.
It also recommends reviewing account security protocols, even if there is no indication of a systems breach. This includes changing your password, signing out of other sessions and enabling multi-factor authentication.
Incidents should also be reported to the National Anti-Scam Centre’s Scamwatch hub, detailing how the incident occurred and any losses suffered.