In an increasingly digital world, cyber security should be at the top of an advice firm’s priority list.
But the pace of change in technology can often leave people not quite understanding what they need to do to protect their business from cyber attacks or vowing to ‘get around to it’ at some point.
However, as former Conservative MP Stephen McPartland, author of the McPartland Review into Cyber Security, says, a lot of cyber attacks are speculative.
He likens firms that have little or no cyber security to leaving the front door of your house open – both are invitations for opportunist thieves to strike.
So, what can advisers do to protect themselves as they increasingly digitise their businesses?
Protecting your firm
While it is great for people running a business to have a positive, confident outlook, they do need to be realistic about business risks, and cyber crime is one of them.
Statistics from market analyst Truelist show up to 94% of companies that experience a severe data loss never recover because it can take a long time to identify and contain a data breach.
According to Truelist, 51% of firms close within two years of the incident and 43% never reopen. The picture is even worse for small firms, as 70% close within a year of a big data loss.
FTRC founder Ian McKenna adds that, if an advice firm experiences a data breach, the FCA expects them to put in place and pay for cyber security protection for every customer.
According to McKenna, there is “significant evidence” cyber criminals are targeting small advice firms because the information they hold about their clients is so comprehensive and, therefore, valuable.
“So much information comes from a client fact find. Advisers will have details of their clients’ kids and the cars they drive. There is so much data to help criminals working on the dark web,” he says.
“Cyber criminals have also identified that smaller advice firms tend to be relatively vulnerable.”
McKenna points to a lot of cases being identified in the US. Is it inconceivable that the same is happening in the UK?
Increasing use of AI is only going to increase the need for advice firms – and not just the bigger ones – to ensure they have adequate cyber protection in place.
“You can’t have an AI strategy without cyber security – they go hand in hand,” says McPartland.
“If you are increasingly using AI and putting more business in a digital world, you need to ensure you can secure that.”
A lack of understanding about what to do to become more resilient can often be a barrier. This is where talking to an expert or getting some training can help.
For example, the Chartered Institute for Securities and Investment (CISI) runs a short online course that covers things such as the nature of cyber risk, the types of attacks to be aware of and details of the regulatory and legal requirements.
The CISI Corporate Cyber Security Professional Assessment is written and reviewed by industry experts and is suitable for anyone who works in financial services, including advice firms.
“The risks of cyber attacks occurring apply to both large and small firms, so understanding these threats and protecting your organisation from them is essential for all financial services practitioners,” says CISI executive director of global learning Mandy Gill.
“Human error is often a cause, so being able to identify and distinguish between the different threats – including malware, phishing, whaling, spyware, ransomware, trojan viruses and business email compromise – can be an effective way to manage and reduce this risk.”
The recommended study time for the course is six hours, followed by a 60-minute multiple choice test consisting of 30 questions.
The CISI also offers a range of other online CPD content in the area of cyber security, including Professional Refresher modules on topics such as cyber crime, operational resilience, financial risk and fraud risk management.
Cyber insurance is another way firms can protect themselves but, as McPartland says, they need a cyber security strategy to underpin this.
“If you go to an insurer and tell them you park your car with the keys in the ignition and no alarm, they are unlikely to insure it,” he says.
“The difference here is that you are talking about possessions in the digital world.”
That said, cyber insurance does not currently appear to be very popular among advice firms.
“Only 4% of advisers have cyber insurance,” says McKenna. “It’s crucial to have it. Ideally you want the insurer to be the same as the provider of your PI, as you don’t want a situation where they are both saying the other should pay out.”
McPartland has some sympathy for smaller advice firms.
“A lot of the problem is that the insurance market is not mature enough yet, so there aren’t enough products for SMEs,” he says.
Recovery
Having a recovery process in place is key to fighting back against things like ransomware, where criminals steal data and demand money to return it.
“If you have a process in place, you don’t need to get that data back. It’s backed up and you’re doing other things to be resilient,” says McPartland. “You can either fight it off or you recover quickly to be up and running in a couple of days, so ransomware is not the threat to you they think it is.”
McPartland says advice firms need to think about three elements together – their cyber security, their resilience to cyber attacks and the recovery process. Focusing on just one element is not enough. They all need to be in place and reviewed regularly.
“It’s important to protect your data because a lot of decisions are based on it. If someone interferes with that data, they interfere with your ability to make decisions.”