By Jayson Forrest
With the financial services sector 300 times more likely to experience a cyber attack, taking cybersecurity seriously is an absolute necessity for any financial advice business. Fraser Jack (The Cyber Collective) provides his top tips for putting together a cybersecurity plan.
With an average of 211 days passing between a cyber breach happening and when a business discovers it, and another 23 days lost to resolve the cyber attack, there’s no doubt that a cybersecurity event can be reputationally and financially costly for any business.
Add to this the expectation from consumers and Government that a client’s personal and financial information is securely held and protected, then it’s little wonder that Fraser Jack - Founder of The Cyber Collective - believes that all advisers and advice businesses should take cybersecurity very seriously.
“Consumers expect their data to be stored safely and securely, and when a breach happens, they want to know about it quickly,” says Fraser, who refers to research from CoreData Adviser Pulse Check 03 2022 Survey, which found that 93 per cent of clients want to be notified within the same day if their data was compromised.
Speaking at the IMAP 2023 Virtual InvestTech conference, Fraser says in order for advice businesses to safeguard their data, there were a number of key considerations they needed to make when choosing their software. These include: functionality, efficiency, client experience, contract obligations, backup plan, security, and storage.
“These considerations are all important for any adviser when choosing software. That’s because what underpins the advice relationship is ‘trust’,” he says. “The client is trusting you with their personal and private information.”
According to Fraser, it’s this trusted relationship between advisers and their clients that hackers are looking to infiltrate. They do this by either pretending to be the client or the adviser, because they know this relationship is valuable. Therefore, he says it’s important that advisers have an understanding with their clients as to how this trusted relationship is going to work, which might include introducing a multi-factor authentication system for enhanced security purposes.
Fraser adds that advisers also need to be aware of ‘third-party’ contracts when selecting software. He says there are many elements within a contract that advisers need to be fully aware of.
“Along with all the fun stuff, like how the software works, you also need to be aware of the risks associated with the software,” he says. “What happens if the software provider or you get hacked? Who from the software provider will be informing who inside the business? If the provider or their other clients get hacked, will they tell you about it for risk mitigation purposes? These are all questions that need to be answered before settling on any software.
“And when entering into a contract with a technology provider, it’s important to understand what the security issues and risks are with the software, and how to reduce those risks.”
As an essential part of using software, Fraser recommends cultivating a strong relationship with the technology provider, enabling users to contact another person directly in order to address any technology issues.
Fraser Jack - Founder of The Cyber Collective
Consumers expect their data to be stored safely and securely, and when a breach happens, they want to know about it quickly
Cyber conversations
As part of the ongoing client review process, Fraser believes it’s important for advisers to have conversations with their clients about how they feel about their data being held by the advice business on their behalf.
“Clients are hearing a lot in the media about cyber breaches and are likely to be fearful about the possibility of their identities and personal information being stolen. Clients are justifiably nervous. Therefore, it’s important for advisers to get on the front foot and educate their clients about the cybersecurity in place to protect their data.”
Fraser adds that it’s equally important for advisers to train their team to talk about what they’ve learnt about cybersecurity, so they can remain informed and provide clients with helpful information about this topic. Cybersecurity audits are also an additional opportunity to discuss issues with both the advice team and clients.
“Whilst advisers think that asking clients to do things that requires an extra step - like multi-factor authentication - is going to be annoying for them, in the vast majority of cases, clients are actually going to be receptive and supportive that you’re taking that extra step to protect their data.”
What underpins the advice relationship is ‘trust’. The client is trusting you with their personal and private information
Variable cyber risks
According to Fraser, when it comes to cyber risks, the variable risks in any business is often the result of humans around communication, whether that’s emails, phone calls or text messages. It’s how advisers typically communicate to their clients, and how clients communicate back to the adviser.
According to Fraser, variable risks represent about 80 per cent of cyber issues. Unlike the technology side of a business, which tends to be robust and generally reliable, what isn’t reliable is human behaviour. This may be due to being busy or stress, which can result in wrong decisions being made. To address this, he says it’s essential that ongoing training and educating of team members around cybersecurity occurs within the advice business.
“Cybersecurity is definitely a team sport,” says Fraser. “My advice for practices is to have a cyber champion in your business. Run cyber drills, and ensure that everybody within the business knows who to contact regarding cybersecurity. There should be a continuity plan in place, and people should know how to mitigate any risks as they occur.”
He adds that talking about cybersecurity shouldn’t just be limited to your team. Fraser also encourages advisers to talk about it with their peers.
“If you see or hear anything that’s suspicious, talk about it within your licensee, as well as with your peer groups, and with other people around you who are also operating similar businesses to yours,” he says. “That’s one of the best ways of remaining on top of cybersecurity issues.”
Clients are hearing a lot in the media about cyber breaches and are likely to be fearful about the possibility of their identities and personal information being stolen. Clients are justifiably nervous. Therefore, it’s important for advisers to get on the front foot and educate their clients about the cybersecurity in place to protect their data
Cybersecurity is definitely a team sport. My advice for practices is to have a cyber champion in your business. Run cyber drills, and ensure that everybody within the business knows who to contact regarding cybersecurity. There should be a continuity plan in place, and people should know how to mitigate any risks as they occur.
Top five tips
When putting together an action plan for cybersecurity, Fraser recommends advisers adopt the following five points:
1. Have a plan
The NIST Cybersecurity Framework is a powerful tool to assist businesses organise and improve their cybersecurity program. It is a set of guidelines and best practices to help organisations build and improve their cybersecurity. The framework also helps advisers to identify the risks associated with their business, and suggests protective actions that can be put in place.
According to Fraser, the NIST Cybersecurity Framework outlines: how to identify risks associated with your business; how to put internal protections in place for your business; how to detect when a cybersecurity event is happening; how to respond quickly to those events; and how to recover from cybersecurity events.
“Having a cybersecurity plan consists of three parts - ‘before', ‘during’, and ‘after’ a cyber attack. This plan is incredibly important and all team members should know what the plan is,” says Fraser.
2. Train your team
It’s important to ensure team members receive ongoing education and awareness training with cybersecurity. This will enable them to know what to look out for. Vulnerability testing of systems and technology, like phishing emails, also needs to occur within the business on a regular basis.
3. Lockdown your logins and multi-factor authentication
Ensure passwords are strong, use a password manager, and implement multi-factor authentication on everything that contains client data.
4. Set the technology - reclaim your domain
An email domain is one of the biggest areas of risk for a business. According to Fraser: “It’s an old technology that was based on physical mail. It’s not safe, but you can use technology to make your domain safer.”
5. Provide the proof - A for audit
When using technology, conducting a regular audit of your software and systems can help ensure the ongoing security of your business and processes.
About
Fraser Jack is Founder of The Cyber Collective.
He delivered a session on, ‘Can your clients trust your cybersecurity’, at the IMAP 2023 Virtual InvestTech conference.