Are you the next cyber threat target?

We live in a world where no one is immune to cyber threats, and where financial services firms across the globe are prime targets for cyber criminals including Australian fund managers and IFAs.

Why? Financial services firms handle many hundreds of millions of dollars, which makes extracting fraudulent payments a simple but lucrative numbers game. IFAs in particular also hold most of their clients' personally identifiable information, which can be on-sold on the black market.

In Australia, financial service firms rank as having the highest per capita cost per compromised record at $249. In simple terms, if you have 1000 client records breached, the cost to rectify that intrusion would be 1000 records x $249 = $249,000. Not all data breaches are malicious, however malicious or criminal attacks represent 49 per cent of all data breaches whilst 27 per cent are due to human error.

This is notwithstanding the potential fines and penalties imposed by the Privacy Commissioner (up to $1.7 million for companies and $340,000 for individuals) or legal action by those who may have been defrauded or had their personally identifiable information stolen. The costs of a data breach can quickly mount up.

Typical activities for discovery and the immediate response to the data breach include the following:

  • Conducting investigations to determine the root cause of the data breach
  • Determining the probable victims of the data breach
  • Organising the incident response team
  • Conducting communication and public relations outreach
  • Preparing notice documents and other required disclosures to data breach victims and regulators
  • Implementing call centre procedures and specialised training

The following are typical activities conducted in the aftermath of discovering a data breach:

  • Audit and consulting services
  • Legal services for defence
  • Legal services for compliance
  • Possible discounted services to victims of the breach
  • Identity protection services
  • Customer acquisition and loyalty program costs

Could this realistically happen to you? The unfortunate answer is yes. Our clients have informed us of numerous failed attacks (some failed by sheer luck, others thanks to well-versed and vigilant staff), and we have also dealt with a number of cyber claims with increasing regularity over the past two years.

By far the most devastating cyber attacks on financial services firms are those which involve social engineering. Put simply, social engineering exploits human psychology through a variety of media (including social media, emails and phone calls) to trick others into divulging sensitive information or making fraudulent transfers. We have seen a number of instances where someone pretending to be the chief executive or chief financial officer of an organisation emails a high-level employee in the finance department to transfer money; or where someone pretending to be a client instructs their financial adviser to transfer money. These are sophisticated attempts where the attacker has already gained enough information from an intrusion to masquerade as someone else.

What are the obligations for AFSL Holders?

ASIC has named cyber security as a key priority in its 2016/17 Strategic Plan and is establishing a Cyber Task Force (Financial Markets) that will carry out surveillance programs across the regulated population. ASIC also considers cyber security to be a corporate governance issue that must be addressed alongside all other risk management practices – it is no longer a matter to be left solely to the IT department.

As stated in the Australian Privacy Principles Guidelines under the Privacy Act 1988:

APP 11 – “[An AFSL holder needs to take] reasonable steps to protect the personal information it holds from misuse, interference and loss, as well as from unauthorised access, modification or disclosure.”

AFSL holders should also familiarise themselves with the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth), which has been passed by both houses of Parliament and will come into effect in the next 12 months.

It is an organisation’s obligation to put mechanisms in place to prevent a breach of personal information belonging to clients and customers. As a financial adviser, you have a professional duty to your client to protect their confidential information.

Oscar Martinis is a senior partner at McDougall Kelly and Martinis, a specialist insurance brokerage that deals exclusively with financial services participants including IFAs, fund managers, hedge funds, listed investment companies, private equity and venture capital firms and research houses. MKM Partners is one of Australia’s leading professional indemnity, directors and officers liability, public offer of securities and cyber liability firms.

The opinions, advice, or views expressed in this content are those of the author or the presenter alone and do not represent the opinions, advice or views of No More Practice Education Pty Ltd. Our contents are prepared by our own staff and third parties who are responsible for their own contents. Any advice in this content is general advice only without reference to your financial objectives, situation or needs. You should consider any general advice considering these matters and relevant product disclosure statements. You should also obtain your own independent advice before making financial decisions. Please also refer to our FSG available here: http://www.nmpeducation.com.au/financial-services-guide/.