How advice businesses can use outsourcing to manage their cyber security risk

Increased responsibility to understand and assure a secure operating environment under which advice is produced, stored and shared has emerged as a result of a Supreme Court ruling. RI Advice was a highly regarded advice licensee with 119 practices. But between June 2014 and May 2020, nine cyber security incidents were found within their network, ranging from fraudulently sent emails to phishing incidents and hacking attacks.

The ruling has motivated all licensees and insurers to critically examine their standards and third-party relationships they hold across their network. We expect specific requirements to be placed on practices to mitigate the cyber security risks through evidence and attestation by both licensees and the insurers.

Whilst all advice businesses have professional indemnity (PI), very few have coverage specifically for cyber security. This is due to a lack of proper education by the industry around the issue. In addition, cyber security is currently not a requirement for corporate authorised representatives or PI insurers.

This is expected to change. If cyber security protection is not mandated, it should be considered best practice given the rate of attempted cyber attacks globally as infrastructure moves to digital storage via remote access.

Cyber security is merely one component of a larger framework of governing risks and threats to the viability of an advice firm. Governance can include assessment of risks such as money laundering and terrorism financing, and the creation and maintenance of a risk register to record them as well as regular strategies to manage the commercial and financial viability of the business.

However, many advice firms don’t consider cyber security to be significant enough for further attention. This can be a dangerous stance to take. You only need to look at the case of RI Advice when ASIC found that it failed to have adequate risk management systems to manage its cyber security risks. The consequences were devastating, with RI Advice ordered to pay $750,000 towards the regulator’s costs.

Why cyber security remains a gap in risk governance

Most risk compliance managers understand what is required to effectively manage any threats that may come their way. However, corporate governance frameworks often provide little insight as to how to execute a proper cyber security strategy for their firm.

A reason this may be the case is that cyber security approaches can vary from business to business, leading to inconsistencies across the industry and complacency within firms.

There are many key decisions principals and compliance managers need to consider around forming a proper governance framework, including:

• Clear and deliberate commitment to move from file compliance to business governance, through its addition to quarterly business planning and specific appraisal when considering different technology implementation and third-party relationships
• Deciding the ownership of governance – who is responsible for different business line functions within the business through the development of a responsibility assignment (RACI) matrix
• Whether to outsource your governance to an outsourcing firm or keep it in-house
• Completing an external governance risk assessment that includes evaluating business operations and finding improvements, assessing your procedures to determine compliance with industry regulations and standards
• Deciding line-item ownership of the risk register across the various roles within the advice business. It’s important that everyone is involved in the governance of the business, and that position descriptions should include ownership or risk and which projects they own; and
• Regularly reassessing the significance of risk and determining projects to mitigate those risks. In some of those projects, you might look to third-party suppliers where you may have capability or knowledge gaps within your internal structure.

Implementing a proper cyber security framework

To meet the need for better cyber security governance, there are several frameworks and standards that help businesses create or enhance their cyber security program to cover all areas of their information security. Standards ISO 27001 and APRA CPS 234 are two such examples, each designed to meet a particular set of needs.

ISO 27001 allows for advice businesses to adopt a risk-based approach to information security that is internationally accepted as best practice. Achieving this certification proves to clients and partners that your business is committed to achieving a global standard of information security. Third-party relationships that meet this international certification in information management ensure you have a defensible position when it comes to cyber security.

In addition, APRA recently created a new standard called APRA CPS 234 to help APRA-regulated entities increase their overall resilience towards incidents that can affect the security of information.

While not applying directly to advice practices, the standard speaks to the more serious approach being taken towards cyber security across the Australian financial services ecosystem. Advice businesses whose group ownership is based within Australia provide additional protection under Australian laws.

Conclusion

As more practices shift to self-licensing, there is also a greater need for businesses to understand issues of governance, cyber security and sustainability as they are no longer outsourcing these competencies to a licensee.

Advice practices have no excuse to not implement cyber security into their governance framework. Not only will it provide the principal (and the team) peace of mind, but it will also give them assurance that they won’t be prone to data breaches and become the next whose licensee finds themselves on the wrong side of ASIC.

David Carney, CEO, Virtual Business Partners

Neil Griffiths

Neil is the Deputy Editor of the wealth titles, including ifa and InvestorDaily.

Neil is also the host of the ifa show podcast.