If cybersecurity hasn’t shot up towards the top of the list of identified risks in your financial services business, you may want to revisit your risk register. The global COVID-19 pandemic and the attendant work-from-home upheaval tilted the scales heavily in favour of cyber crooks.
And financial services businesses are particularly at risk. Why? Put simply, it is where the money is. Why beat around the bush if you are a fraudster? Why not go straight to the source?
The Cyber Risks
Cyber breaches can lead to financial and reputational loss and damage to your clients as well as you and your business. Hard-won trust and reputations can be trashed overnight if a client suffers damage because of a successful cyberattack on you.
Cyber risks are everywhere and come in a range of forms. Fraudulent activity can stem from:
- Phishing expeditions;
- Intrusions/unauthorised access (hacking);
- Deliberate impairment of systems (viruses and other malware);
- Denial of service attacks;
- Online fraud (e.g. impersonation, identity theft).
Fraudsters are determined, smart and nimble. They will probe all manner of defences to identify areas of weakness they can take advantage of. Your next cyber threat could literally come from anywhere. Being prepared is the best way to ensure you (or your clients) don’t become the next victim.
ASIC Is Watching
You may have heard that ASIC is taking RI Advice Group Pty Ltd to court, alleging that RI Advice failed to have adequate cybersecurity systems. ASIC brought the legal action following a number of alleged cyber breach incidents at certain authorised representatives (ARs) of RI Advice. ASIC alleges that, as the AFS licensee responsible for the compliance and conduct of the ARs under its AFSL, RI Advice failed to implement (including through its ARs) adequate policies, systems and resources that were reasonably appropriate to manage cybersecurity and cyber resilience risks.
ASIC has made it clear that it expects all financial services participants to have adequate cyber arrangements. It has also made it clear that cyber threats and risks will continue to be a priority supervisory issue for the regulator.
Think it won’t happen to you? Think again.
Two Case Studies
One of our clients had discussed the issue of cybersecurity and cyber insurance at Board level. There was a lot of reluctance and scepticism from many on the Board, but ultimately the decision was taken to purchase cyber insurance for the first time. And not a moment too soon. Within two months, a cyber incident had taken place at one of the licensee’s corporate authorised representative businesses, leaving the business and clients alike potentially exposed to untold damage, expense and loss.
But because the cyber insurance was in place, this small business was covered for a substantial six-figure loss claim and for hefty legal, IT and forensic fees. It was still a stressful time and took valuable management time and focus away from business-as-usual. But this paled compared to what might have been.
So, how did the breach occur? As is becoming more and more common, the email account of one of the financial adviser’s clients had been compromised. Through a series of emails, the fraudster, posing as the client, wove a story about not being able to talk or meet in person for a variety of reasons, and then used this ‘grooming’ to provide account details for receipt of substantial payments. The adviser was expecting to receive payment instructions (the fraudster knew this, of course, having trawled through the hacked client’s email account), and when they arrived the adviser issued instructions to a third party to make the requested payments. The ‘unavailable’ story served a purpose: it discouraged the adviser from confirming the new account details with the client by phone or in person, the one step that would have exposed the fraud. Of course, the receiving account turned out to belong to the fraudster and not the client. Luckily, because the payments went through a bank, many of them were able to be recovered. But not all. And not before a lot of investigation was undertaken to establish whether any other personal information of the client, or any other client accounts, had been compromised.
Several years ago, another client experienced a similar fraud. The fraudster, having gained access to the client’s email, issued genuine-looking payment instructions to an adviser. Again, the fraudster spun a compelling story about not being contactable but requiring an urgent payment. The adviser knew the client was due to head overseas (as did the fraudster, having been through the client’s emails), so the request had the ring of truth. Unfortunately, the adviser ended up $10,000 out of pocket after compensating the client. Needless to say, it could have been much worse.
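Both case studies follow the same pattern: a payment instruction arrives from the client’s real mailbox, names a new bank account, and explains why the client cannot be phoned. The control that defeats it is a callback to the phone number already held on file, never to a number quoted in the email. The following is an added example (it is not code from the original article, nor from imac legal or complifit) of a pre-release check that holds any such instruction until that callback has happened. The client record, the sample messages and the cue phrases are all constructed for illustration.

```python
# Added example, not code from the original article or from imac legal/complifit.
# A pre-release check for emailed client payment instructions, modelled on the
# two mailbox-compromise frauds described above. Client records, sample
# messages and cue phrases are constructed for illustration.
from dataclasses import dataclass, field


# Phrases used to stop the adviser picking up the phone (constructed list).
AVOIDANCE_CUES = (
    "can't talk", "cannot talk", "unable to talk", "can't take calls",
    "not contactable", "hard to reach", "on a flight", "in meetings all day",
)
# Pressure to act before checking (constructed list).
URGENCY_CUES = ("urgent", "urgently", "asap", "immediately", "straight away")


@dataclass
class ClientRecord:
    client_id: str
    email: str
    verified_bsb: str        # account details confirmed with the client in person/by phone
    verified_account: str
    phone_on_file: str       # the ONLY number a callback may go to


@dataclass
class PaymentInstruction:
    client_id: str
    from_email: str
    bsb: str
    account: str
    amount: float
    body: str


@dataclass
class ReviewResult:
    release: bool
    reasons: list = field(default_factory=list)
    required_step: str = ""


def review_instruction(instr: PaymentInstruction, client: ClientRecord,
                       callback_confirmed: bool = False) -> ReviewResult:
    """Decide whether an emailed payment instruction may be actioned.

    callback_confirmed must only be set after staff have spoken to the client
    on the number held on file. A number quoted in the email does not count:
    in a mailbox compromise the fraudster controls that channel too.
    """
    reasons = []
    if (instr.bsb, instr.account) != (client.verified_bsb, client.verified_account):
        reasons.append("payee account differs from the verified account on file")
    # A sender mismatch catches look-alike domains, but NOT a genuinely
    # compromised mailbox: in both case studies the mail came from the client's
    # real address, so this check alone is never enough.
    if instr.from_email.lower() != client.email.lower():
        reasons.append("sender address does not match client record")
    text = instr.body.lower()
    if any(cue in text for cue in AVOIDANCE_CUES):
        reasons.append("message discourages phone or in-person contact")
    if any(cue in text for cue in URGENCY_CUES):
        reasons.append("message pressures for urgent payment")

    if not reasons:
        return ReviewResult(release=True)
    if callback_confirmed:
        return ReviewResult(release=True, reasons=reasons,
                            required_step="callback to number on file completed")
    return ReviewResult(release=False, reasons=reasons,
                        required_step=f"phone client on {client.phone_on_file} before paying")


# Constructed sample data reproducing the pattern from the first case study.
CLIENT = ClientRecord("C-1001", "client@example.com", "062-000", "12345678", "+61 400 000 000")

SUSPECT = PaymentInstruction(
    client_id="C-1001", from_email="client@example.com",   # real mailbox, compromised
    bsb="082-999", account="87654321", amount=45000.00,
    body="Hi, I can't talk this week, in meetings all day. Please pay the "
         "attached invoice urgently to the new account below.",
)
ROUTINE = PaymentInstruction(
    client_id="C-1001", from_email="client@example.com",
    bsb="062-000", account="12345678", amount=2000.00,
    body="Hi, please transfer the usual monthly amount when convenient.",
)


def demo() -> dict:
    """Review both samples; returns the results keyed by scenario name."""
    return {
        "suspect_no_callback": review_instruction(SUSPECT, CLIENT),
        "suspect_after_callback": review_instruction(SUSPECT, CLIENT, callback_confirmed=True),
        "routine": review_instruction(ROUTINE, CLIENT),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: release={result.release} {result.required_step}")
        for reason in result.reasons:
            print("   -", reason)
```

The cue lists will produce false positives, and that is acceptable: a match only holds the payment until someone has spoken to the client, it does not block it. The decision that matters is that a new payee account is never paid on the strength of email alone, whatever the message says about the client’s availability.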
We could present many more examples. But what is important to recognise is that:
- Cyber threats in financial services are increasing, not diminishing;
- Cyber threats can come in many different forms;
- Fraudsters are getting more and more sophisticated in their efforts;
- Fraudsters are expert at identifying and exploiting weaknesses in your defences;
- Financial services firms need to have robust policies and procedures to avoid (or minimise) potential loss. Remember, AFS licensees have a general legal obligation under s912A of the Corporations Act to have adequate risk management systems. (APRA-regulated bodies are carved out of that paragraph because APRA’s own prudential standards, including CPS 234 on information security, apply to them instead.)
Unfortunately, our experience is that many licensees simply are not doing enough to manage this insidious risk.
What To Do?
Start at the start! It is not possible to forge a proper path forward until you know where you currently are. Keep your cybersecurity arrangements fit and healthy. imac legal’s compliance business, complifit®, offers a comprehensive cybersecurity risk assessment, designed to give small-to-medium financial services businesses a clear picture of the strengths and weaknesses of your current cybersecurity controls and arrangements so you can forge a confident path forward.
Ian McDermott, Financial Services Lawyer and Compliance Consultant