Where to begin?
One of the aspects of cyber security that I saw repeated more than any other while researching this article is that it is not a risk you ever declare victory over. This is frustrating because everyone likes to strike a line through an item on their to-do list and move on. Like a patch of moss on the garden path, though, the risks that accompany our very use of technology start growing back as soon as they are cleaned up. The other issue is that no matter how careful an individual or firm is with their own security practices, they are connected to many other partners who hold or manage data on their behalf. From a business perspective, this means that every company you operate with knows plenty about you and frequently will know plenty about your clients as well.
No provider you deal with is going to tell you that they have substandard security practices, so a high degree of trust is required: you have to assume they are genuinely careful and adhere to the standards required of them. The more degrees of separation there are between you and a data breach, the better it may be for your immediate accountability, but this will be of minimal comfort to clients who suffer because of the breach. Everyone reading this article already has enormous responsibility when it comes to dealing with client finances, but as you will be aware, client data may be even more valuable in the wrong hands.
The response by insurers, thoroughly investigating the security standards of potential clients and enforcing limitations on which events are covered, highlights an ongoing lack of seriousness on the part of decision-makers. In other words, it illustrates why prevention is vastly preferable to treatment: the cost of a breach includes consequences that occur immediately as well as costs that echo later in the form of legal liability and PR shaming. A data breach that results from preventable failures should be considered a significant breach of ethical duties, given the responsibility that any business (but financial advisers in particular) has to protect the value of the information it has chosen to collect and retain.
This article moves from the largest-scale issues down to the smallest. When the CEO of Lloyds insurance company expects global cyber insurance premiums to increase from $12 billion to $60 billion in the next five to 10 years, it is apparent that the money at stake is enormous (Ralph, 2022). The potentially hundreds of thousands of attempts to breach security that the biggest banks face each year highlight the (obvious) point that bigger and wealthier institutions are the ones with the most work to do.
However, their resources for protecting themselves are also much larger, so there are economies of scale available that small businesses don’t have. For a small practice, it seems apparent that ticking the key boxes perfectly and consistently is the first order of business, and being well informed is part of this. It is becoming part of regulatory oversight to ensure that the CEOs (and the wider board members) of big companies are knowledgeable about the scope of the cyber risks they face and the means by which they are protected.
As reporting in mid-February 2023 highlights, small businesses are expected to face stricter data protection requirements under a revised Privacy Act (Burton, 2023). The final legislation is not expected to be in place until at least the end of the year, but if you have been waiting for the right time to improve your knowledge and planning for cyber security, there probably is not a better opportunity. Though many businesses may already have these rules applied via their licensee, it is an area that needs a high degree of refamiliarisation given the speed at which new threats arise. Even without considering the regulatory and licensee problems that arise from having to report data breaches, the distress caused to your clients and to you when you need to contact someone to explain how a breach occurred is infinitely better to avoid than to treat.