As insurance advisers, you’re adept at helping your clients protect their financial future from the unexpected. But what about the potential risks to your business?
As part of our ‘Bring in the Experts’ webinar series, we recently sat down with Jan Thornborough from Intelligensia to talk about a largely invisible but growing risk: cyber threats.
It was a compelling session, with plenty of insights into this often-overlooked aspect of business resilience, from understanding cybercrimes through to identifying your weaknesses and planning your response.
We welcome you to watch a recording of the webinar in the Member Area of financialadvice.nz. But given the importance of this topic, I thought I’d share some key takeaways here as well.
With so many different compliance tasks to get through, enhancing your business’s cyber security may not be at the top of your to-do list. The very idea of ‘cyber threats’ sounds intimidating and too technical for most of us. But the reality is, cybercrime is not just an IT issue – it’s well and truly a business risk.
Just to give you an idea of the extent of this phenomenon, you’ll find some interesting stats in a previous article I wrote here on Insurance Business. Importantly, as data shows, cyber security is everyone’s business now: large and small companies alike are being targeted every day, with financial services being one of the go-to industries for cyber criminals. Of course, larger companies are more likely to make the headlines, but they’re also more likely to have robust protection systems in place.
The risk for small-to-medium businesses is one of complacency, and it can put client data security and financial advisers’ own business reputation at stake. To quote Jan Thornborough, “a cyberattack is like a heart attack for your business, and open-heart surgery is often the only way to get yourself back up and running.”
As financial advisers, you inevitably hold a wealth of clients’ personally identifiable information, which cyber criminals would be more than happy to exploit. So, how can you be more resilient? There are essentially three steps to take.
(1) Understand cyber threats: where they come from, what they’re looking for, and the potential impact on your operations. Experts warn that cyber threats are getting more sophisticated by the day. And depending on the seriousness of the attack, it could take your business completely out of action until you restore your systems – with loss of time, data, money, and reputation.
Phishing emails are a common example; they usually pretend to be from banks or other reputable institutions. They tend to create a sense of urgency to trigger an emotional response: most recently, there have been reports of COVID-themed emails or fake Ukrainian charities. Their goal is to have you click a link or open a file, and then use malware to acquire your data and login credentials.
Sometimes, phishing can turn into a ransomware attack: essentially, the attacker locks and encrypts your data, and then asks for a payment (usually in cryptocurrency) to unlock your computer systems. If you don’t pay, they may threaten to attack your clients as well. And of course, even if you pay, there’s no guarantee that your data hasn’t already been sold.
The not-so-good news is that, in this increasingly digital world, cybercrime is on the rise. According to the United Nations, there has been a 600% increase in malicious emails as a result of the pandemic. Just another reminder of the importance of digital security.
(2) Identify your vulnerabilities: Cyber security is one of those cases where prevention is better than cure. While attacks can’t always be avoided, what you can do is make it difficult for scammers.
Now, you may think that cyber security is out of your depth. And the thing is, you’re not supposed to be an expert: there are technical experts out there who can do a ‘cyber security health check’ on your business, and help you determine the areas that need addressing.
These usually fall into three categories – people, systems, and processes. For example, educating yourself and your staff on how to spot a fake email, or how often you should change your passwords, can reduce your exposure to risk.
Many people don’t realise just how vulnerable their passwords are, but the statistics that Jan shared during our session were eye-opening. If you’re looking for a cost-effective, easy-to-use solution, then having a different password for everything and storing them all in a password manager may be a good idea.
Also, the rise of cloud-based services and remote work poses some extra challenges. If you use a cloud-based CRM system, for example, it’s important to ensure that the CRM provider follows the best security practices, as a data breach represents a huge risk to the privacy of your clients.
The bottom line is that whatever the size of your business, having clear processes and procedures (including regular back-ups) can give you invaluable peace of mind. And it all starts with understanding your vulnerabilities.
(3) Plan your response: Last but not least, experts recommend having a plan in place in case of a cyberattack, in line with Standard Condition 5 of full FAP licences (“Business continuity and technology systems”).
Creating an incident response plan can be a great way to remove the stress of having to do it ‘on the fly’. So, think about the critical technology you have in place. How would you operate if you suddenly lost access to it? Who is responsible for what? How much information can you afford to lose?
Once again, you don’t have to answer your questions on your own. Just like your clients do when they approach you, it’s all about seeking expert advice, identifying your most likely risks, and exploring the available solutions.
At Financial Advice NZ, we’re here to provide financial advisers with the tools they need to do their job at the highest level possible and build a better financial future for New Zealand.
Visit financialadvice.nz to learn more about our adviser support and resources.