When businesses are winning clients, launching new services and scaling through M&A, it’s exciting. Strong business momentum can make teams feel unstoppable. However, growth and momentum can be curbed in an instant, and even reversed, if risks are not adequately managed.
One of the biggest risks facing advice businesses is cybersecurity. While this risk is not unique, the industry’s exposure to cyber security risk is arguably greater because it remains fragmented and many businesses are subscale.
This is true of the wealth management sector in general.
Last month, the Australian Prudential Regulation Authority ordered superannuation funds to urgently implement basic user authentication tools by the end of August, citing persistent failings in their digital infrastructure.
When the organisations responsible for safeguarding $4.2 trillion in retirement savings do not have multifactor authentication for high-risk activities such as withdrawals, other businesses need to question if they’re doing enough to protect clients.
As more advice firms engage capital partners, the expectations and requirements around risk management will only increase with that partner’s involvement.
Access control, including multifactor authentication, strong passwords and restricting privileges, is one of the simplest and most effective ways that organisations can prevent cyber criminals from gaining access to online systems, services and data.
Other relatively simple ways include upgrading and maintaining software, data encryption, and a robust incident response plan.
Yet many advice businesses don’t have those four basic cyber security protocols and protections in place.
For advice leaders who are focused on growth and, more specifically, corporatising their business for scale, a structured disciplined focus on risk management is a critical capability to get right.
This requires a mindset shift as advisers have traditionally focused on areas like compliance, regulatory and investment risk but given little attention to operational risks like cyber threats.
When it comes to cybercrime, there are a couple of myths to debunk.
Firstly, cyber criminals are not reclusive 40-year-old nerds operating in isolation from their parents’ garage, despite how they are often depicted in movies.
Cybercrime is big business and many criminals run large, sophisticated global operations with hundreds of employees who are paid to deceive, manipulate and steal.
According to the Australian Cyber Security Centre, a cybercrime occurs every six minutes in Australia and the financial and insurance services sector is one of the top ten industries being targeted.
The three main forms of attack involve ransomware, supply chain disruption, and phishing including vishing which uses voice and video phishing.
Secondly, and more importantly, cyber security is not just an IT problem.
It can’t be addressed by simply installing antivirus software and malware protections on computers.
Cyber security risk is a broader risk management problem that also involves people and processes. In many instances, humans are the weakest link in the chain, which is why social engineering has become such an effective technique for cyber criminals who are able to extract confidential information from people and convince them to do things that compromise security.
Educated and alert people, not just systems and technology, are the foundation of a strong defence.
The rapidly changing nature of cybercrime and the techniques being used highlights today’s environment of accelerating disruption.
No sooner have organisations addressed one threat when another one arises.
Under these conditions, it’s impossible for the average advice business, or any advice business, to manage the growing volume, complexity and tenacity of cyber threats without expert support.
The same can be said of technology in general, which is advancing so quickly that businesses need to reassess how they select and integrate advice tech, and utilise AI and automation.
Businesses can’t go to tender for a solution, spend months assessing a request for proposal (RFP) and making a decision, and another few months implementing it and training staff with the expectation that it will serve the business for the next five or so years.
By the end of that six-month period, the cyber and technology market has innovated yet again.
Taking control
While advisers can’t control their operating environment or stop cyber criminals from targeting their business, they can control their response and take action to strengthen their risk management posture, starting with a risk management framework that addresses how they intend to identify, assess, monitor and respond to risks.
For small to medium-sized businesses that are already struggling with capacity constraints the most effective approach will be to leverage the resources of their licensee and/or partner with specialists.
Advisers don’t have to manage business risks alone.
They are not expected to have the internal resources to assess risks, implement solutions, and detect and combat threats in real time.
Many still rely on paper-based attestations from staff, including those who do not have a risk and compliance or technology background, to verify their risk management measures, illustrating the gap that must be closed to catch up.
Gaining a disruptive edge
According to a US study by Harvard Business Management, the average lifespan of an S&P 500 company has fallen by 80 per cent in the last 80 years to just 15 years, due to consolidation, shrinking and digital disruption.
As part of that study, HBM also looked at organisations that had been around for 100 years or more and found that they shared common attributes, namely a stable organisational purpose and a disruptive edge. This disruptive edge commonly involved bringing outside expertise in and learning from other sectors.
The study also found a link between longevity and size, with smaller organisations more able to innovate and adapt to change.
HBM’s findings are positive for advice businesses, which are predominately SMEs but size can also be a disadvantage.
When it comes to cybercrime, SMEs are key targets because they often have limited resources and weaker defences.
The quickest and easiest way for businesses to beef up their resources and gain a disruptive edge is to leverage the resources and expertise of specialists.
Businesses that are growing and scaling understand the value of partnering with experts because it frees them up to focus on the things that they’re good at and excites them, and generates revenue and profits.
Outsourcing jobs and roles in areas that businesses do not have a competitive advantage is critical for increasing their capacity to serve clients, achieving sustainable growth, and scaling up.
Nathan Jacobsen is chief executive of adviser outsourcing firm Vital Business Partners.
