Cybersecurity best practices for financial advisors
Cyber-attacks are becoming increasingly sophisticated as criminals continually develop new methods to disrupt and damage businesses and organisations worldwide. But the concerning truth is that many of the old strategies – phishing emails, ransomware attacks – are still proving effective. This potentially places multiple sectors, including financial services, at risk of substantial monetary losses and long-lasting reputational damage. And if data is the ultimate goal for hackers, then financial advisors are likely to be increasingly targeted as the gatekeepers of both sensitive client information and financial account details.
Cybersecurity threats facing advisors
According to BT’s Adviser Sentiment Index 2024, cyber-crime remains a top concern among advisors, with more than 80 per cent indicating they are worried about being targeted. Almost a third indicated that they already have some direct experience of online financial crime. These data breaches were often unsophisticated email attempts to secure personal information (like passwords or credit card details) by pretending to be from a reputable company – known as phishing – or ransomware attacks where malware restricts access to an organisation’s files until a ransom is paid. However, the research also noted that advisors are attractive targets for cyber criminals as they hold all their customers’ first, middle and last names along with copies of identification documents such as passports and driver’s licences.
Establishing cyber resilience
The simple reason why phishing and ransomware strategies remain effective is that it costs far more to defend a system than it does to hack it. Add newer and more sophisticated ransomware variants that leverage AI to the mix, and you can see why the need for organisations to establish a robust cyber resilience strategy has never been greater.
According to the experts, effective cyber resilience must be an enterprise-wide, risk-based strategy that takes a collaborative approach which includes not just the organisation but its partners, supply chain participants and customers. In the case of a financial advice practice this may mean involving clients, employees, licensee and regulators in proactively managing risks, threats and vulnerabilities. Through robust cybersecurity practices, financial advice firms can not only protect their clients’ data, but also preserve trust, maintaining strong relationships with their clients and instilling confidence in prospective clients.
ASIC regulations for AFS licensees
The Australian Securities and Investment Commission (ASIC) used a 2023 report to warn financial services organisations that cyber security and cyber resilience must be a top priority. Specifically, the regulator said it expected this to include oversight of cyber security risk throughout the organisation’s supply chain as third-party relationships often provide criminals with easy access to systems and networks.
A landmark 2022 legal decision found an Australian financial services (AFS) licensee had breached its licence obligations by failing to adequately manage its cybersecurity risks. In the judgment it was noted that RI Advice Group Pty Ltd had a number of inadequate risk management practices across its network. This included some of its authorised representatives failing to have up-to-date antivirus software, system backups, email filtering or quarantining, and poor password practices. Inadequacies in its cybersecurity risk management led to cyber incidents affecting clients in the six-year period to May 2020.
Three ways to reduce risk
In her RI Advice Group judgment, Justice Rofe made it clear that cybersecurity should be front of mind for all AFS licensees. She acknowledged that while ‘it is not possible to reduce cybersecurity risk to zero … it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls …’ As a result, ASIC released a range of expectations for AFSLs to ensure that they are effectively managing cybersecurity risks.
These guidelines can be broadly categorised into three areas:
- Risk management – Having robust risk management frameworks in place to identify, assess and manage cybersecurity risks.
- Incident management – Having effective incident management processes in place to detect, respond to, and recover from cybersecurity incidents. This includes communicating with affected clients and stakeholders, as well as having business continuity plans in the case of an attack.
- Disclosure and reporting – Being transparent and accountable in relation to cybersecurity risks and incidents. This applies to both disclosing any material cybersecurity incidents to ASIC as soon as possible, and keeping clients informed about any risks or incidents that may affect them.
Key measures to protect your clients’ data
While high-profile cyber-breaches in the financial services industry are daunting for financial advice principals, clients are seeing the same news reports. They will expect to be protected by a robust cyber protection strategy as part of your service. According to Morningstar, the most effective approach involves crafting a plan that covers the stages before, during, and after a cyberattack.
Some practical tips are:
- Strong password policies and multi-factor authentication (MFA)
- Regular software updates
- Encryption of data
- Role-based access control
- Secure communication channels
- Secure data storage and backups.
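The first tip on the list, strong passwords combined with MFA, is the one most often left to a vendor. As an added example (not Sharesight’s code or any product’s login flow), the Python below shows what a minimal implementation of that control looks like: a password policy check, salted PBKDF2 password hashing with a constant-time comparison, and a TOTP second factor (RFC 6238, HMAC-SHA1, 30-second steps) verified with a one-step clock-skew window. The deny list, the user record and the shared secret are constructed for illustration; the secret is the RFC 4226 test key so the codes can be checked against the published vectors.

```python
"""Added example: password policy + salted hashing + TOTP-based MFA.
Not Sharesight's code. All users, secrets and the deny list are constructed."""
import hashlib
import hmac
import os
import struct
import time

# Constructed deny list of common passwords; a real deployment would use a
# much larger list (for example a breached-password corpus).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12


def password_policy_errors(password):
    """Return the list of policy violations; an empty list means acceptable."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in COMMON_PASSWORDS:
        errors.append("appears in the common-password deny list")
    return errors


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 with 200k iterations; returns (salt, key)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, key


def verify_password(password, salt, expected_key):
    """Re-derive the key and compare in constant time (no timing leak)."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected_key)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret, code, at_time, window=1, step=30):
    """Accept the current step and +/- `window` steps to tolerate clock skew.
    Every candidate is compared in constant time."""
    for offset in range(-window, window + 1):
        candidate = totp(secret, at_time + offset * step, step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def login(password, salt, expected_key, totp_secret, code, at_time=None):
    """Both factors must pass. The password is checked first so a failed
    login never reveals whether the one-time code alone was correct."""
    at_time = int(time.time()) if at_time is None else at_time
    if not verify_password(password, salt, expected_key):
        return False
    return verify_totp(totp_secret, code, at_time)


if __name__ == "__main__":
    # Constructed enrolment: a policy-compliant passphrase and the RFC 4226 test key.
    passphrase = "correct horse battery staple"
    assert password_policy_errors(passphrase) == []
    salt, key = hash_password(passphrase)
    secret = b"12345678901234567890"
    # At T=59 the RFC 6238 SHA-1 vector is 94287082, i.e. 287082 at six digits.
    print("login ok:", login(passphrase, salt, key, secret, "287082", at_time=59))
    print("bad code:", login(passphrase, salt, key, secret, "000000", at_time=59))
```

The window of one step on either side is the usual compromise between usability (phones drift by a few seconds) and replay exposure; a production system would additionally record the last accepted counter per user so a captured code cannot be reused within that window.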
How to safeguard your practice against cyber attacks
Cyber criminals often exploit vulnerabilities in financial networks to acquire data. Such breaches can have a significant impact on financial services firms, which often rely on a third-party provider to secure file transfers or protect sensitive data. The entire financial services industry should now consider itself warned of the dangers and the need for robust cyber security measures and proactive risk management strategies. The importance of regular software updates, thorough security assessments and comprehensive ongoing employee training should not be underestimated, nor should the importance of using secure software providers.
Adopt secure software solutions
If you’re tracking your clients’ investment portfolios, using an online portfolio tracker like Sharesight is one way to boost efficiency while also ensuring that your clients’ data is secure. At Sharesight, we have always maintained a constant vigilance around cybersecurity, but in recent years we have stepped up our security and compliance focus, allowing us to achieve enterprise-grade security.
We've done this in part as a proactive drive to stay ahead as much as is possible in an increasingly turbulent cyber security landscape, but also as a result of changing expectations from our partners and the community at large. This has meant the recruitment of personnel dedicated to our security as well as an expansion in our tooling, training and more broadly a holistic look at our cyber security posture across our offices, workstations, infrastructure, personnel and more.
Sharesight ensures customer data is kept safe through several key measures:
- Allowing users to securely share portfolio data with others by setting customisable access levels, tailored to meet each individual’s specific needs
- Strong password protection, which is independently audited for security, and the option to enable two-factor authentication (2FA) for added account protection
- Data storage and transmission are safeguarded using industry-standard encryption (TLS), and all data on our database servers is encrypted at rest
- Automated, real-time backups are performed throughout the day and stored in multiple secure locations worldwide, ensuring disaster recovery readiness
- Regular independent security audits to verify that our software adheres to best practice guidelines in IT security.
Transform your practice with Sharesight
Join thousands of financial professionals using Sharesight to automatically track all their clients’ investments in one place. Spend less time on tedious tasks and more time building valuable relationships with your clients. With Sharesight, you can reduce admin, boost productivity and security, and focus on what really matters — giving advice and growing your business.
Put Sharesight to the test with a free 30-day trial — no billing details required and you can upgrade, downgrade or cancel at any time.