Every licensee and advice firm is a potential target for cyber-criminals and the only way to know a business has robust front-line cyber-defences in place is to verify the controls in real time, the Professional Planner Licensee Summit has heard.
Rhombus Advisory chief executive Darren Whereat said advice businesses “are sitting on identifiable information that’s personal in nature and connected to finances. You are a target”.
Graeme Hibbert, head of cyber-security governance at Westpac, owner of the BT Panorama platform, said the Australian Signals Directorate’s 2024-25 Annual Cyber Threat report recorded a cybercrime event every six minutes, or more than 85,000 events across the year, spanning every industry and every size of organisation from Optus and Medibank down to two-person firms.
“The threat’s pervasive, and it impacts everybody across the industry,” Hibbert said.
Advice practices hold medical, personal and superannuation information that criminals could exploit. Akumin CEO Matt Lawler described situations where a “bad actor” sat inside a practice’s systems for a prolonged period and was watching interactions between client and adviser waiting for an opportunity to exploit the situation.
“This stuff is real, and it’s happening,” Lawler said. Advice firms need to behave “like the bank vault” of our clients’ information.
Whereat said these enterprises are “sophisticated, they have money, they are patient”.
“We all have to continue to evolve our defences, and that evolution will come in awareness, education and training at every layer as well as utilising defensive and detective technologies,” he said.
In all instances the licensee carries the consequences, not the managed services provider (MSP) or any other supplier in the cyber-security chain.
“The AFSLs are on the hook,” Whereat said.
Hibbert said a practice could work up from a minimum of five of the ASD’s so-called “Essential Eight” baseline mitigation strategies: patching applications and operating systems, restricting privileged access, multi-factor authentication everywhere, tested backups and a practised incident response plan.
“The last thing you want to do is be practising your incident response during an incident,” he said.
| The Essential Eight |
| --- |
| Application control |
| Patch applications |
| Configure Microsoft Office macro settings |
| User application hardening |
| Restrict administrative privileges |
| Patch operating systems |
| Multi-factor authentication |
| Regular backups |
Test and controls
Lawler said AFSLs broadly would have a range of controls in place, but without a specific standard, they are exposed to a high-level test that ASIC could apply which is whether a licensee had acted “efficiently, honestly and fairly”, and that left the question of sufficiency open.
“AFSLs need more certainty around the expectations given cybercrime is evolving so quickly,” he said.
The profession had no agreed answer because it had set no minimum standard of its own and didn’t have its own version of the Essential Eight specific to financial advice practices.
“This is a serious issue and all AFSLs have the right intentions about protecting their business and their clients’ information,” Lawler said.
“It makes sense for us as a profession to work collaboratively with the regulator and other government agencies to set standards that all financial advice firms can implement, balancing the risk with business commerciality.”
AZ NGA chief operating officer Nathan Jacobsen said a military approach helps explain an effective way to build cyber-resilience.
“There’s an expression the special forces have, which is ‘slow is smooth, smooth is fast’. If you want to get fast, you’ve got to practise things slow, make it smooth, become fast.”
What is workable differs across advice firms by size, and it is clearly easier for larger organisations to throw resources at the problem.
“If I’m Westpac, I can resource this, I can have head of cyber, I can put in teams, I can have penetration testing,” Jacobsen said. “If I’m a small business, I’m reliant on my partners, and I’m kind of busy.”
The market was roughly 6000 practices, most of them small businesses, and the harder task was interpreting the standards at that scale. Hibbert said ISO 27001 and ISO 27002 certification scaled up to larger organisations while the Essential Eight was simpler, and that firms should ask technology providers to demonstrate certification such as ISO or SOC 2 Type II reports.
Hibbert said a policy signed off on paper did not guarantee the controls existed in practice.
“The audit of the checklist approach is fine until it’s not fine, until you realise people will just check yes for everything,” he said. “You do need to trust, but verify.”
Jacobsen traced an incident at his group to a managed service provider that was patching, but only every few months. “This stuff’s real-time,” he said, and a fully patched environment could change within 24 hours of a deployment.
Whereat said an attestation “will only take you so far”. After mandating that practices upgrade to Microsoft 365 Business Premium, which offers enhanced security measures, Rhombus audited the managed service providers’ work to ensure the system controls were accurately configured.
Third-party oversight
Lawler said even a practice that did everything right could be undone by a third party, including the product providers it interacts with regularly. The larger product providers and platforms have encryption and client portals in place, but smaller providers including some insurers and industry funds “don’t do the basics” and often transmit sensitive client data over email.
Lawler said a licensee’s accountability extended well beyond its advisers to the staff of the practice and third-party technology support such as MSPs.
“AFSLs need to be conscious of the broad and decentralised nature of looking after advice firms where staff and third parties also need to be brought into the loop of awareness, education and the adherence to AFSL policy,” he said.
Jacobsen said his group installed verification scoring tools across the Essential Eight criteria, prioritised remediation at the lowest-scoring practices, and built its own provider capability, moving about 20 per cent of the network into it.
Hibbert said a scoring system motivated firms through peer-group pressure.
“Nobody wants to be the slowest gazelle, nobody wants to be the one picked off by the lion,” he said. “I would never discount how much having a scoring system helps people get motivated to not be the lowest scorer.”
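The "trust, but verify" point and the scoring approach described above can be made concrete with a small scorer. This is an added example, not code from the summit, Rhombus, Akumin, AZ NGA or Westpac: each practice submits an attestation checklist for the Essential Eight, a monitoring feed reports what tooling can actually observe, and a control only scores when it is both attested and verified. The practice names, evidence values, reference date and the 14-day patch-age threshold are all constructed assumptions for the example.

```python
"""Essential Eight "attested vs verified" scorer (added example, hypothetical data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

ESSENTIAL_EIGHT = (
    "application_control",
    "patch_applications",
    "office_macro_settings",
    "user_application_hardening",
    "restrict_admin_privileges",
    "patch_operating_systems",
    "multi_factor_authentication",
    "regular_backups",
)

# Assumption for this example: a patch older than this is treated as stale.
# The summit only said that patching "every few months" was too slow.
MAX_PATCH_AGE_DAYS = 14


@dataclass
class Evidence:
    """What monitoring tooling observed for one practice (not what a form says)."""
    verified: Dict[str, bool]              # control -> observed in place?
    last_app_patch: Optional[date] = None  # newest application patch seen
    last_os_patch: Optional[date] = None   # newest operating-system patch seen


def patch_is_current(last_patch: Optional[date], today: date,
                     max_age_days: int = MAX_PATCH_AGE_DAYS) -> bool:
    """A patch control is verified only if the estate was patched recently."""
    if last_patch is None:
        return False
    return (today - last_patch) <= timedelta(days=max_age_days)


def score_practice(attested: Dict[str, bool], evidence: Evidence, today: date) -> dict:
    """Score = number of controls that are both attested and independently verified.

    Attested-but-unverified controls are returned separately: these are the
    "ticked yes for everything" gaps a checklist audit would miss.
    """
    verified = dict(evidence.verified)
    verified["patch_applications"] = patch_is_current(evidence.last_app_patch, today)
    verified["patch_operating_systems"] = patch_is_current(evidence.last_os_patch, today)
    passed, unverified = [], []
    for control in ESSENTIAL_EIGHT:
        claimed = attested.get(control, False)
        observed = verified.get(control, False)
        if claimed and observed:
            passed.append(control)
        elif claimed:
            unverified.append(control)
    return {"score": len(passed), "passed": passed,
            "unverified_attestations": unverified}


def remediation_queue(results: Dict[str, dict]) -> list:
    """Lowest verified score first: where remediation effort goes first."""
    return sorted(results, key=lambda name: (results[name]["score"], name))


# --- Constructed sample data (hypothetical practices) ---
TODAY = date(2025, 11, 1)

SAMPLE_ATTESTATIONS = {
    "alpha": {c: True for c in ESSENTIAL_EIGHT},  # attests everything
    "bravo": {c: c not in ("application_control", "office_macro_settings")
              for c in ESSENTIAL_EIGHT},          # attests six, honestly
}

SAMPLE_EVIDENCE = {
    "alpha": Evidence(
        verified={"application_control": False, "office_macro_settings": True,
                  "user_application_hardening": True, "restrict_admin_privileges": False,
                  "multi_factor_authentication": True, "regular_backups": True},
        last_app_patch=TODAY - timedelta(days=3),
        last_os_patch=TODAY - timedelta(days=90),  # MSP patching "every few months"
    ),
    "bravo": Evidence(
        verified={"user_application_hardening": True, "restrict_admin_privileges": True,
                  "multi_factor_authentication": True, "regular_backups": True},
        last_app_patch=TODAY - timedelta(days=5),
        last_os_patch=TODAY - timedelta(days=2),
    ),
}


def run_sample():
    """Score both sample practices and order them for remediation."""
    results = {name: score_practice(SAMPLE_ATTESTATIONS[name], SAMPLE_EVIDENCE[name], TODAY)
               for name in SAMPLE_ATTESTATIONS}
    return results, remediation_queue(results)


if __name__ == "__main__":
    results, queue = run_sample()
    for name in queue:
        r = results[name]
        print(f"{name}: verified {r['score']}/8; attested but unverified: "
              f"{', '.join(r['unverified_attestations']) or 'none'}")
```

Practice "alpha" ticks all eight boxes but scores lower than "bravo", which attests only six, because three of alpha's claims (application control, admin-privilege restriction and a 90-day-old OS patch level) do not survive verification. The queue therefore puts alpha first, which is the behaviour described above: the score that matters is the verified one, and the lowest scorers get remediation attention first.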
Jacobsen said that if a business is “not real-time monitoring all the points of risk across your group, how do you know? The truth is you don’t”.
Monitoring had to be continuous. Attackers “will come in, and they’ll sit there for months and wait for the moment, and if you don’t see that moment, then it all deteriorates rapidly”, he said. However, the tools to monitor in real time are available to buy and “it’s not as hard as it sounds”.
Lawler said Akumin is introducing a monitoring service to every practice to populate live dashboards, because a point-in-time audit “might be okay today, but then something might happen a week later”.
“We need to move closer to a real-time solution to reduce the risk.”
Whereat said cyber insurance should be mandatory, with forensic investigations into any potential cyberbreach often running into tens of thousands of dollars.
Hibbert said the ASD would help firms that report an incident.
“Don’t be afraid to report it to cyber.gov.au because they will help you, that’s their job,” he said.
Hibbert said the industry should co-operate on cyber-resilience issues.
“Anywhere where you can share information, you can collaborate with your peers,” he said. “The cyber-criminals collaborate a lot.”
Lawler said a big part of the answer was a profession-wide standard the sector set for itself.
“There is no competitive advantage in this, the profession as a whole needs to be seen as a place where our clients have a high degree of confidence that their data is respected and protected,” he said.