After the event: Key risks to financial services firms following a data breach

Originally published in FS Advice, Monday 4 June 2018, 10:29AM: http://www.fsadvice.com.au/blogs/view/after-the-event-key-risks-to-financial-advice-businesses-following-118648424

As financial advice firms embrace technology to improve the customer experience, they are also increasingly being exposed to the new risks and responsibilities that come with holding important client personal and financial information.

There were 47,000 reported cyber security incidents in Australia in 2016-17, up 15% from the previous year, according to the Federal Government's Australian Cyber Security Centre.

Cybercrime will continue rising and is predicted to cost businesses globally more than US$6 trillion annually by 2021, according to research from Cybersecurity Ventures.

For Australian financial advice firms, the risk is unfortunately further heightened.

The data they hold is valuable for its use in tax, superannuation, identity and financial fraud schemes.

The value of client trust means financial advice firms are more likely to pay ransoms to resolve issues quickly, especially as the majority of smaller firms do not have the internal resources of their larger counterparts to deploy highly sophisticated security programs. None of these characteristics have been lost on cyber criminals.

So, what are the common business risks Australian advice firms are experiencing?

Ransomware Attacks

Ransomware is the most prevalent cybercrime threat in Australia and often occurs when a person, often an inexperienced employee, opens an email and clicks on a link that then infects the business's technology.

This can encrypt data and freeze all digital systems, except e-mails from the cyber-criminal, until a ransom is paid.

Ransoms are generally pitched at a level that encourages payment ($5,000-$10,000) and payment is requested in bitcoin or other cryptocurrencies, but the issues that result are not so easily resolved.

The diagnosis and forensic review of the breach, liaison with law enforcement and the logistics of cryptocurrency exchange all result in significant interruption while the business grapples with the inevitable questions:

"If we pay the ransom, will we even get our data back?"

"What's to stop it happening next week if we do?"

"What do we tell our clients in the meantime?"

Theft of personal or financial information

While ransomware inhibits a firm's access to data, the clicked email link can also result in a more malicious outcome, theft. In such cases, urgent diagnosis and forensic review of the breach are required, but simultaneous consideration of the firm's legal position also becomes paramount.

Under new laws that came into effect in February, the Australian government requires all businesses with a turnover of more than $3 million to report data breaches involving personal information that are likely to result in serious harm to any individual affected.

The Notifiable Data Breaches (NDB) legislation includes significant fines if businesses fail to report hacking attacks or breaches of personal data. It is important to read up on the legislation and have a reporting plan in place to follow in the event of an attack.

Human error, the forgotten cause of loss

You also don't have to be "hacked" to suffer a data breach. This is an important fact that sometimes gets lost in all of the discussion around cybercrime.

Laptops left on planes, phones left in cabs and the failure to correctly dispose of (physical or digital) personal or commercial information are very basic but all too common causes of data breach. In such circumstances, businesses may still have obligations under the Notifiable Data Breaches legislation to advise the Office of the Australian Information Commissioner (OAIC) and potentially affected individuals.

Where a breach that may require notification is suspected, the costs can mount quickly. Legal counsel is usually required from the outset to determine reporting obligations and may also be required to respond to regulatory enquiries or defend regulatory proceedings.

In addition, notification of affected individuals can mean incurring costs for things like call centers and credit monitoring.

Social engineering fraud, business email compromise, CEO fraud

These are three common names for Australia's fastest growing form of financial fraud.

These attacks occur when criminals pretend to be customers, suppliers, or high-profile individuals within businesses and trick staff into paying large sums of money into the attackers' bank accounts.

They have proved highly successful where internal payment controls either break down or don't exist, allowing criminals to successfully steal from all types of businesses, large and small.

For advice firms this insidious form of attack has been successfully deployed during client settlement or disbursement transactions.

Advice is about trust, so protecting reputation can't be ignored.

Following a loss of personal or commercial information, whether it be by error, breach or even malicious acts by employees, firms need to consider their public response and client communication strategy.

This is something even the very big end of town can misjudge, case in point being the recent revelation by the Commonwealth Bank that it lost the financial statements of almost 20 million accounts.

Preparedness is key. It is usually a stressful time for Management and/or Principals and an off-the-cuff communication strategy often compounds reputational damage and prolongs negative financial outcomes.

What measures should firms be taking to minimise these risks?

Prepare your response

All organisations should have a Business Continuity Plan and/or a Disaster Recovery Plan. Depending on the size of your business, a plan that is fit for purpose need not be complex.

What's important is that firms think about and prepare a response, so that in the event the worst happens they have a process to follow and don't need to resort to ad hoc decision making under what is an inevitably stressful situation.

Understand your security posture

There are a number of very basic measures firms should be taking.

  1. Backup data;
  2. Run software patches as they become available;
  3. Use strong, unique passwords;
  4. Run quality anti-virus/anti-malware software; and
  5. Train and remind your staff not to click on those phishy emails.

Fortunately, Australian advisory firms can also get great technical advice and assistance from a number of high quality specialist security professionals.

A simple review is the place to start. Security professionals can assess your current security posture and then implement the measures advisory firms need to improve it and increase their resilience.

Buy Cyber Insurance

There is no panacea to protect from the risks that cybercrime and data breaches present. Security and insurance are complementary when it comes to protection, and cyber insurance is more affordable than many firms realise.

When considering cyber insurance, there are some key points firms should consider:

  1. Coverage differs greatly between providers. By choosing a specialist cyber insurance provider, firms will maximise their coverage and usually reduce expense;
  2. Cyber insurance will meet the unbudgeted costs that arise after a data breach but perhaps more importantly, good insurance policies also include emergency response capability. Choose a cyber insurance provider that has the highest quality emergency response to ensure you have access to experience and expertise when you need it. It will make the whole experience far less stressful;
  3. Some cyber insurance policies will not pay for the costs of a breach that occurred before the policy started, even if you weren't aware of it when you bought the insurance. The time between when a breach occurs and its detection can be months, so such policies should be avoided.

Visit Edmund today and get a cyber insurance quote for your business. We’ve made it easy for firms in Australia to get cover, which takes about 8 minutes. If you are hacked, threatened or lose data, we’ll cover you for the costs to recover, for any loss of profit and provide you with a 24/7 Emergency Response team when you need them.