The cyber breach on Fortnum Private Wealth and subsequent ASIC action has thrown into stark relief the risks posed by cyber attackers at a time when digital technology is becoming more engrained into many advice businesses.
While Entireti, the owner of FPW, has indicated it will defend itself in court against ASIC the case shows the importance for advice practices to be due diligent over its cyber processes.
Cyber Collective founder Fraser Jack tells Professional Planner that cyber insurance is now “a must have, not an option”.
“With licensing, the requirement is to be able to recover and make good on any damage that’s been done, and there’s a lot of expenses at the time of a cyber incident of which a lot of firms wouldn’t have the resources lying around to spend on it,” Jack says.
A cyberattack can have a long tail of costs beyond those of just replacing compromised machines. The big expenses are the legal fees, Jack says; then there’s forensic IT and accounting teams to figure out how the attackers got in and exactly what they took. Those teams work long hours, and the costs “can mount up really fast”.
“There’s a lot of work in that back end to make good,” Jack says.
“There’s also losses where somebody has paid the wrong invoice or been tricked into making a transaction. That can be very expensive, especially if the trick has been the rollover of a super fund into the wrong account. Then it could be a matter of making good on that person’s super fund balance.”
The average time an attacker stays in a system before they’re found out is more than 200 days. Cyber insurance typically needs to be in place when an incident is discovered, but not necessarily when it occurs, and provides for “the fire brigade and the rebuild”. But products – including cyber insurance – are only part of the solution to the problem of cyberattacks.
“In our world of cyber, we don’t start with a product as an adviser doesn’t start with a product,” Jack says.
“But when people don’t understand cyber they start with a product; ‘Oh, we have MFA’ [multi-factor authentication]. But that’s one thing; this is like a massive corporate building with hundreds of windows and doors, and you’ve just shut one of the windows.”
Businesses need to make sure they’ve got their “IT hygiene” sorted; controls can always be tightened. Teams must be well trained, because human beings “are 95 per cent of the problem”. Technology can safe in the hands of the right person and dangerous in the hands of the wrong person, Jack says.
“The third area is compliance, as it is in financial services; if you don’t have your boxes ticked and can’t demonstrate that you’ve done your risk assessments and haven’t done your mitigation strategies, then you’re going to find yourself in trouble when something does happen – and you can’t demonstrate that you’ve done everything right.”
Jenny Brown, financial adviser and founder of self-licensed firm JBS Financial Strategists, acquired cyber insurance more than a decade ago.
“We do so much online,” Brown tells Professional Planner.
“If we screw up and one of my team members clicks on the wrong link, the reputational damage is absolutely massive, full stop. But then you also have to have really deep pockets to fix it and investigate it and I just figured that, for the premium of two and a half grand it’s a small price to pay.”
When they’re looking for cyber insurance, advisers need to think about what it does and doesn’t cover and how it interacts with their management liability and professional indemnity (PI) insurance.
“We need to make sure that we don’t have a gap where we’re not covered,” Brown says.
“I want to know that if our systems got hacked and client sensitive data got leaked – and I would be very surprised if it did – that we can recover it and pay the fees and the fines off the back of that; what does the insurance cover us for in that regard?”
The need for not just cyber insurance, but better training and controls, became more pressing for JBS during Melbourne’s Covid-19 pandemic lockdown, where the business switched to 100 per cent remote work.
“Because we’re so reliant on technology and so reliant on the internet, we have to have all these security measures in place,” Brown says, adding that the team does monthly training – this month was focused on phishing scams – and that almost all of its digital systems have heavy security on them.
“You can’t even update the printer software without reaching out to the offsite IT guy,” Brown says.
“We don’t allow anybody to download really anything, including me as the CEO. Simply because it’s too dangerous. That sometimes causes complaints, but I’d rather do that and have a half an hour hiccup where they’ve got to reach out to IT than have an issue where it impacts our business and our clients – and everybody understands that.”
But while cyber insurance, tight controls and training across the business provide some level of comfort, it’s important not to become blasé about the risks, Brown says.
“When we do training sessions with our staff, we say ‘It’s not if, it’s when’. But the more diligent we are and the more we talk about it, it builds awareness. And the more you do that, the more you protect your business and your clients.”
