Practices should be upping their awareness and management of cyber security, according to a local industry figure.
Adrian Johnstone, co-founder and president of Australian advice business management platform Practifi, said in his dealings with advice firms, there is a distinct difference in how they view cyber awareness.
“Depending on the firm, they either come up in fear and sometimes really genuine fear because there's a part… of understanding where your data is. What data do you have? Where is it? Who can see it? How is that accessible?” Mr Johnstone said while appearing on a new episode of the ifa Show podcast.
Mr Johnstone said Practifi has seen a “huge uptake” in firms who never realised that their data wasn’t encrypted even after undergoing extensive work on cyber security.
“Or the other is where people see it as an opportunity. And I think this is true of a lot of compliance pieces, whether it's looking at your AML, KYC type stuff, or whether it's looking at it from a cyber threat perspective, is if you've got to jump the compliance hurdle anyway, then why not turn it to an advantage?
“And so we are seeing people marketing now to clients, particularly where their clients are high-net-worth, the ultra-high net worth, they're actually marketing security. It's become a selling point: 'Work with us because your data is more secure with us than it is at the firm down the road.'”
His comments come after Virtual Business Partners head, David Carney, called for better management of cyber security risks following May's landmark ruling against RI Advice which saw the Federal Court rule that the advice group failed to have adequate risk management systems to manage its cyber security risks.
According to ASIC, a “significant number” of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020, including an incident where “an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons”.
Mr Carney said the ruling has motivated licensees and insurers to “critically” examine their standards in an opinion piece published on ifa this week.
“Whilst all advice businesses have professional indemnity (PI), very few have coverage specifically for cyber security. This is due to a lack of proper education by the industry around the issue. In addition, cyber security is currently not a requirement for corporate authorised representatives or PI insurers,” Mr Carney wrote.
“This is expected to change. If cyber security protection is not mandated, it should be considered best practice given the rate of attempted cyber attacks globally as infrastructure moves to digital storage via remote access.”
Listen to the full podcast with Mr Johnstone here.