With a new legal precedent set around how financial services companies manage cyber risks, Major General (Ret’d) Dr Marcus Thompson reveals 10 key questions to ask your service provider.
Earlier this month, a new legal precedent was set for financial services businesses. Australian Financial Services (AFS) licensee RI Advice was found to have breached its licence obligations by the Federal Court, after the judge ruled that the group did not act efficiently and fairly when it failed to have adequate risk management systems to manage its cyber-security risks.
According to the Australian Securities & Investments Commission (ASIC) – which brought the case against RI Advice – a “significant number” of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020, including an incident where “an unknown malicious agent” obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected.
This resulted in the potential compromise of confidential and sensitive personal information of thousands of clients and other persons.
As such, RI Advice has also been ordered to pay $750,000 towards ASIC’s costs, with many flagging that this has set a new precedent for financial services businesses, including brokers.
Given that brokers hold a treasure trove of financial and identity information on their clients, there is a particularly strong need for them to have strong cyber protections in place amid a growing threat environment.
The first step to having strong cyber protections in place is to understand that there is a threat, and to identify which information would be particularly at risk or vulnerable to attack because of its inherent value, according to Major General (Ret’d) Dr Marcus Thompson, former head of the Department of Defence’s Information Warfare Division.
Dr Thompson has outlined that brokers should be asking their service providers (from digital service providers and data holders to aggregators and website providers) about the controls and protections they have in place to protect client data, and seek to better acquaint themselves with best practices.
According to Dr Thompson, questions could include:
- What are our targetable vulnerabilities and how might a threat target our vulnerabilities?
- What thresholds exist to disconnect systems and/or users?
- Do we have multifactor authentication for our systems?
- Are we compliant with the ASD Essential Eight, CPS 234, ISO 27001, etc.?
- Is our data encrypted (both in transit and at rest)?
- Is data being backed up?
- What security breach reporting thresholds have been set (chief executive, board, ACSC, law enforcement, etc.)?
- Do we have a baseline for the security of our systems?
- What is/are our response contingency plan/s?
- Who has authority to activate the contingency and incident management plan(s)?
Speaking to The Adviser in March, the former head of the Department of Defence’s Information Warfare Division alerted brokers to the lurking threat of cyber attacks and urged them to implement defence mechanisms before they fall prey to cyber criminals.
“The time to be thinking about a response is well before a response is required,” Dr Thompson told The Adviser.
“Once an incident occurs, it’s too late to be thinking about that.”
Dr Thompson’s warnings have followed multiple incidents of malicious cyber attacks in the financial services sector, with studies revealing last year that the industry suffered the highest number of data breaches between January and July 2021.
Home buyers have also been targeted by scammers and lost hundreds of thousands of dollars.
Dr Thompson and Phil Tarrant, director of defence, security and aerospace at The Adviser’s parent company Momentum Media, will discuss these issues at the Better Business Summit 2022. They will examine why brokers have a large target on their backs as they increasingly operate in a digital environment, and how they can build cyber-resilient brokerages.
The 3-pronged defence system
Noting that some businesses have employed measures with more vigour than others, Dr Thompson advised brokers to implement three types of cyber-security protection.
The first is self-defence, which would involve providing education to increase awareness among employees and embedding a culture of caution.
“Don’t be the person who clicks on the links in the phishing email or posts information on social media that a professional cybercriminal could use to target your brokerage in a socially engineered phishing attack,” he said.
The second is passive defence, where system administrators assess how well businesses are complying with the mitigation strategies developed by the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC), which aim to prevent adversaries from compromising systems.
Known as the “essential eight”, these strategies include:
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multifactor authentication
- Regular backups
The third is an active strategy, where professional cyber-security officers sit inside systems and actively detect, contain, and resolve threats to a business’ systems.
Be across the law
In addition, staying up to date with legislation is crucial, particularly the Security of Critical Infrastructure Act 2018, which manages the complex and evolving national security risks of sabotage, espionage, and coercion posed by foreign involvement in Australia’s critical infrastructure.
It applies to 22 asset classes across 11 sectors including financial services and markets.
“That legislation reclassified critical infrastructure within our economy, so there will be obligations on all companies within these sectors to consider not only the cybersecurity of their organisation but also their product or service offering,” Dr Thompson said.
The NSW government established a new identity support unit last year to minimise the risks associated with identity theft, setting up IDSupport NSW to prevent identity misuse and provide a single-point-of-contact support service for citizens.
In 2020, the state allocated a record $240 million to strengthen its internal cyber capacity, established a regional Cyber Security Hub in Bathurst, led the work for an industry standards taskforce, and introduced SME targets for information and communication technology (ICT) expenditure across government.
Dr Thompson will delve further into the legislative environment at the summit, present a conceptual framework for considering cyber security, and answer brokers’ questions about their technical support during his session.
The Better Business Summit 2022 continues at the following locations:
- Perth, 19 May 2022 at Crown Towers
- Melbourne, 2 June 2022 at Crown Towers
A podcast with Dr Thompson outlining the need for cyber resilience in the finance space is also available.