How advice businesses can use outsourcing to manage their cyber security risk
When it comes to cyber security risk, most financial advice practices focus on the advice compliance file but this can be at the expense of other key areas. Outsourcing cyber security risks can be a good option for capability-stretched licensees. However, it requires proper due diligence to implement.
A Supreme Court ruling has increased the responsibility to understand and assure the secure operating environment in which advice is produced, stored and shared. RI Advice was a highly regarded advice licensee with 119 practices. But between June 2014 and May 2020, nine cyber security incidents were found within its network, ranging from fraudulently sent emails to phishing incidents and hacking attacks.
The ruling has motivated all licensees and insurers to critically examine their standards and the third-party relationships they hold across their networks. We expect specific requirements to be placed on practices to mitigate cyber security risks through evidence and attestation by both licensees and insurers.
Whilst all advice businesses have professional indemnity (PI), very few have coverage specifically for cyber security. This is due to a lack of proper education by the industry around the issue. In addition, cyber security is currently not a requirement for corporate authorised representatives or PI insurers.
This is expected to change. If cyber security protection is not mandated, it should be considered best practice given the rate of attempted cyber attacks globally as infrastructure moves to digital storage via remote access.
Cyber security is merely one component of a larger framework of governing risks and threats to the viability of an advice firm. Governance can include assessment of risks such as money laundering and terrorism financing, and the creation and maintenance of a risk register to record them as well as regular strategies to manage the commercial and financial viability of the business.
However, many advice firms don’t consider cyber security to be significant enough for further attention. This can be a dangerous stance to take. You only need to look at the case of RI Advice when ASIC found that it failed to have adequate risk management systems to manage its cyber security risks. The consequences were devastating, with RI Advice ordered to pay $750,000 towards the regulator’s costs.
Why cyber security remains a gap in risk governance
Most risk compliance managers understand what is required to effectively manage any threats that may come their way. However, corporate governance frameworks often provide little insight as to how to execute a proper cyber security strategy for their firm.
A reason this may be the case is that cyber security approaches can vary from business to business, leading to inconsistencies across the industry and complacency within firms.
There are many key decisions principals and compliance managers need to consider around forming a proper governance framework, including:
- Clear and deliberate commitment to move from file compliance to business governance, through its addition to quarterly business planning and specific appraisal when considering different technology implementation and third-party relationships
- Deciding the ownership of governance – who is responsible for different business line functions within the business through the development of a responsibility assignment (RACI) matrix
- Whether to outsource your governance to an outsourcing firm or keep it in-house
- Completing an external governance risk assessment that includes evaluating business operations and finding improvements, and assessing your procedures to determine compliance with industry regulations and standards
- Deciding line-item ownership of the risk register across the various roles within the advice business. It’s important that everyone is involved in the governance of the business, and that position descriptions include ownership of risk and which projects they own; and
- Regularly reassessing the significance of risk and determining projects to mitigate those risks. In some of those projects, you might look to third-party suppliers where you may have capability or knowledge gaps within your internal structure.
Implementing a proper cyber security framework
To meet the need for better cyber security governance, there are several frameworks and standards that help businesses create or enhance their cyber security program to cover all areas of their information security. Standards ISO 27001 and APRA CPS 234 are two such examples, each designed to meet a particular set of needs.
ISO 27001 allows advice businesses to adopt a risk-based approach to information security that is internationally accepted as best practice. Achieving this certification proves to clients and partners that your business is committed to achieving a global standard of information security. Third-party relationships that meet this international certification in information management ensure you have a defensible position when it comes to cyber security.
In addition, APRA recently created a new standard called APRA CPS 234 to help APRA-regulated entities increase their overall resilience towards incidents that can affect the security of information.
While not applying directly to advice practices, the standard speaks to the more serious approach being taken towards cyber security across the Australian financial services ecosystem. Advice businesses whose group ownership is based within Australia provide additional protection under Australian laws.
Conclusion
As more practices shift to self-licensing, there is also a greater need for businesses to understand issues of governance, cyber security and sustainability as they are no longer outsourcing these competencies to a licensee.
Advice practices have no excuse to not implement cyber security into their governance framework. Not only will it provide the principal (and the team) peace of mind, but it will also give them assurance that they won’t be prone to data breaches and become the next practice whose licensee finds itself on the wrong side of ASIC.
David Carney, CEO, Virtual Business Partners
About the author
Neil is the Deputy Editor of the wealth titles, including ifa and InvestorDaily. Neil is also the host of the ifa show podcast.