With various and diverse compliance obligations to fulfil, cyber security may not always be the first item on the minds of adviser businesses. But as the FMA’s cyber resilience info sheet points out, the impact of cybercrime-related attacks continues to grow.
In just a few years, cybercrime has quickly expanded beyond the domain of the IT department, evolving from a purely technological issue to a business one.
When it comes to New Zealand adviser businesses in particular, by setting out a data safety requirement, the new regime has made cyber security a matter of compliance. But cyber resilience is also more than simply a legal obligation: it’s a key tool for protecting clients’ sensitive information from the ever-evolving threats of the digital age.
With this in mind, it feels timely to talk about cyber security and financial advice: what recent stats tell us, why it’s important for financial advisers, and how to create (and maintain) cyber resilience.
COVID-19 has accelerated the use of technology, and with it, the impact of cybercrime. The overarching message is that cybercriminals have fast adapted to exploit the pandemic, bringing along new and more sophisticated risks.
Here in New Zealand, CERT NZ’s 2020 Report Summary revealed that the number of reported cybercrime incidents increased by 65% between 2019 and 2020, resulting in a loss of $16.9 million.
No FMA-regulated sector, least of all financial services, is inherently safe. According to the FMA’s cyber resilience survey, 18% of respondents experienced one or more cyberattacks in the previous two years. The variety of cyberattack types, ranging from phishing (78%) to malware attacks (44%), password attacks (28%), and service interruption (28%), can make quantifying cyber risks challenging. And the key thing to remember is that cybercrime doesn’t just affect the big players.
The stats are unequivocal: cyberattacks in the financial sector are all too common. Talking about the banking sector alone, the European Central Bank recently identified three main risk factors: the continued digitisation of financial services, the obsolescence of certain banking information systems, and the migration to the cloud.
Of course, these risks aren’t limited to banking. Our growing reliance on computer systems, coupled with the inherent vulnerability of these systems, means that businesses of all sizes require robust cyber security.
A common misconception is that only large companies are targeted. Of course, when this happens, it immediately makes the headlines. Some may recall the 2014 JPMorgan hack, when data from 76 million US households and seven million small businesses was compromised. More recently and closer to home, in 2020 cybercriminals launched multiple attacks on the New Zealand financial services sector, even going as far as knocking the NZX offline for a few days in a row.
But these prominent examples are just the tip of a much bigger iceberg. They show, if anything, that even large organisations that invest plenty of resources in cyber security are vulnerable to costly cyberattacks. The reality is that no firm, regardless of its size (or lack thereof), is immune to this upheaval – and the danger of complacency is too great.
Just like larger entities, smaller businesses collect and store confidential client information. And given the nature of financial advice, this is certainly the case for adviser businesses.
Clients entrust their advisers with a wealth of personal details, which advisers use to inform their recommendations. It’s thanks to this foundation of trust that the client-adviser relationship can translate into positive client outcomes.
When it comes to cyber resilience, though, it can be easy to develop a false sense of security. New Zealand is perceived as low-risk, and for smaller adviser businesses, the numbers don’t seem to justify a bigger investment in cyber security.
Unfortunately, this is not the case. New Zealand is just as prone to cyberattacks as any other country, so it’s important for businesses big and small to treat cyber risk as real, and plan accordingly.
Remember, cyber security is not just a legal requirement; at its heart is the client. Making cyber resilience a priority means taking all the necessary steps to ensure people’s sensitive data is safe and secure. It’s about protecting the integrity of the trust relationship between advisers and New Zealanders, and ultimately, ensuring consumer confidence.
According to experts, there is no cyber security ‘silver bullet’, but having a holistic approach and implementing policies is a good place to start. At a minimum, the FMA expects all regulated entities to have basic response and recovery plans in place.
The solution lies in a combination of technology, training, and a culture of cyber awareness within the business. And there are a lot of options available for any budget, keeping in mind that you often get what you pay for.
Overall, I believe that insurance advisers are in a prime position to understand the need for this type of protection. They understand risk, and know just how important it is to conduct risk assessments, have a plan and review it over time. Cyber resilience is exactly that: an organisational tool to mitigate ever-evolving risks and look forward to the future with confidence.
At Financial Advice NZ, we’re committed to helping advisers stay up to date with practical knowledge for the new regime and beyond, delivered straight from the experts.
For more information, we welcome you to visit financialadvice.nz/bring-in-the-experts-webinar-series, where you will find over 80 webinars to watch across a range of topics.