thoughtful-manager-image

A recent Australian Prudential Regulation Authority (APRA) survey identified that 50% of financial sector organisations experienced cyber-security incidents needing executive management involvement.

For many financial planners and wealth managers, such cyber-attacks threaten business collapse.

Why do hackers focus on financial planning and wealth adviser professionals? The opportunities for criminal financial gains are large, and many financial advisers are small in size with  business processes are not well developed in cyber-security terms.

'Why do you keep robbing banks?'
'Because that is where the money is...'

For those managing the wealth of others, it is both 'the money' and confidential information that cyber-criminals are after.

Financial planning clients are a special cyber-target group with significant financial and other resources. Confidential information can be leveraged into identity theft of the financial planner or clients and thence into illegal access of financial and other resources.

Cyber-criminals are interested in information, ANY information, held by a financial planner, wealth manager or super manager as a step to accessing the wealth that is managed.

Major cyber-threats on financial management businesses

The  major cyber threats to financial planners, wealth managers, super managers and the financial industry are:

  • Ransom-ware - an increasing threat (14% of organisations). For smaller financial organisations, these can lead to total loss of data and potential business collapse.
  • High impact risks, denial of service attacks and compromise of highly-privileged access (21% of organisations)
  • Compromise of clients' accounts, internet banking fraud, phishing and malware attacks (24% of organisations)
  • Potentially reputation-damaging incidents (12% of organisations)

Traditionally, until now, cyber security protection has been primarily technical.

This purely technical approach is emerging as both insufficient and having diminishing returns as cyber-criminals focus on the weaknesses of people, business processes and the consequences of business decisions about managing information. 

Nowadays, most successful cyber attacks are enabled via innocent actions of business staff, by weaknesses in business processes, and as a consequence of data storage that are not arranged to reduce the losses from a successful attack.

A more comprehensive management-based approach to cyber-security is needed that focuses on increasing cyber-security by managing what people do, improving business processes and reducing potential cyber-losses by changing how information is stored and used.

There is a shift of understanding towards focusing on 'how to minimise business losses during and after a successful cyber-attack', and away from assuming that cyber attacks can always be stopped.

This shift of understanding of cyber-attacks also sees them as being part of routine business activity.  Successfully protecting from the losses of cyber-attacks becomes management's role rather than purely technical IT .

Cyber-security from a management point of view involves structuring businesses processes and ways of managing and storing confidential information.

For instance, a minor cyber breach should at worst allow access to only a small part of the information, confidential data and passwords of a business.

A management role in cyber-security is to decide how best to separate things so that a successful attack will only get access to a very limited amount of data.

Take-Aways for Financial Management professionals

  • Financial-management businesses are a major focus of cyber-attacks.
  • All businesses will be breached by cyber attacks, even with the best IT protection. The main aim is the business issue of 'how best to reduce losses' in any cyber attack.
  • For financial planners, wealth managers and super management organisations, cyber-security now depends crucially on management decisions about procedures and storing information in separate baskets

The Boss-Gram Newsletter focuses on providing useful information to managers to reduce losses from cyber-attacks.

This is a Boss-Gram article written by Dr Terence Love.

Resources

http://www.apra.gov.au/Insight/Pages/insight-issue3-2016.html

http://asic.gov.au/about-asic/media-centre/find-a-media-release/2016-releases/16-064mr-asic-reports-on-cyber-resilience-and-shares-examples-of-emerging-good-practices/

http://www.cnbc.com/2016/02/02/is-your-wealth-manager-a-target-for-a-cyberattack.html

http://www.financialstandard.com.au/news/view/88499885

http://asic.gov.au/regulatory-resources/find-a-document/reports/rep-468-cyber-resilience-assessment-report-asx-group-and-chi-x-australia-pty-ltd/

https://www.nccgroup.trust/au/about-us/newsroom-and-events/blogs/2016/january/cyber-security-for-the-financial-sector/

http://www.thinkadvisor.com/2014/11/25/top-10-cybersecurity-trends-for-financial-services

https://www.finra.org/sites/default/files/2016-regulatory-and-examination-priorities-letter.pdf