IFA | Oct 25 2022

‘Cyber attackers pose same cost to small IFAs as FTSE 100s’

[Chris Ratcliffe/Bloomberg]

Chief operating officer at adviser platform Multrees, Glenn Murphy, told FTAdviser that while national IFAs with more media exposure and reputational risk to guard against tend to be more prone to cyber attacks, smaller IFAs can feel it just as hard when they are targeted by hackers.

“For established larger IFAs and firms, the risks increase as there will be more relationships, such as multiple clients, partners or vendors and third parties,” Murphy explained.

“While it may give some comfort to the director of a small advisory company that they are less at risk of a cyber attack than a FTSE 100 giant, the impact they must avoid is the same at all levels: loss of reputation equals loss of clients.

“Every IFA especially knows that equipping themselves to tackle cybersecurity is equipping themselves to ensure their reputation continues to remain untarnished.”

Smaller IFAs have fallen victim to cyber attacks over the past year.

In March, Leeds-based IFA The Private Office experienced an email hack just 24 hours before the City watchdog told firms to prioritise cyber resilience.

It saw an “illegitimate” email sent from the address of one of the firm’s chartered financial planners telling recipients to click on a document link regarding an ‘agreement’ with the firm.

That month, the Financial Conduct Authority directed financial firms to guidance published by the National Cyber Security Centre, designed to help them increase their cyber security vigilance in response to Russia’s invasion of Ukraine.

“The best guidance is to encourage firms to make sure their processes and technologies are up to date and aligned to the latest expectations,” said Murphy, citing checks on the latest versions of software, regularly verifying who has access to systems, updating defences such as anti-virus software or firewalls, and ensuring backup regimes are in place. 

“With so many companies using third party IT and outsourced providers, it is also incumbent on the company to have good vendor management controls in place and to undertake due diligence periodically,” he explained.

Risk of alienating clients

For advisers, the most common form of phishing is where someone poses as a legitimate organisation and sends a fake message by email, telephone or text in an attempt to persuade individuals to give sensitive data such as identification details, passwords or banking details.

That’s according to a Fidelity International report into cyber security and advice firms last year.

It found that just 7 per cent of financial advice firms were planning to hire an IT professional in the next year.

“Cyber security is a huge challenge for all businesses,” said NextWealth managing director, Heather Hopkins.

“It ranks as the fourth biggest challenge for financial advice businesses, after regulatory disruption, personal indemnity renewal and the Financial Services Compensation Scheme levy. 

Managing director at Moneyinfo, Tessa Lee, said the single biggest data security risk to adviser firms is simply emailing the wrong client with someone else’s personal data.

“You’d be forgiven for thinking that phishing attacks are the most common cyber-security risk,” she said.

“It’s so easy to send an email to the wrong person and you feel so stupid afterwards both having to apologise to your client and then disclosing the error to the Information Commissioner’s Office.”

It’s no safer to post, Lee said.

“Even if you avoid email and rely on the post to deliver your correspondence as you think it’s safer, you might want to consider that the second most common security breach reported to the ICO is posting or faxing a document to the wrong client.”

Some advisers have emailed FTAdviser, wishing to remain anonymous, saying it can be hard to get clients - particularly older ones - off email. 

“The other side of the coin is the human courtesy advisers owe to our clients. In many cases my clients are elderly, and conquering email has in itself been a triumph for them. Adding on secure portals and passwords or passcodes can feel quite daunting,” one adviser said.

“For others of a younger generation, it is an annoyance – two-factor authentication and emails that don’t actually tell you anything but make you click a link are irritating, and can put people off a particular provider.

“As with all things security, we have to be careful not to alienate people in the name of layers dreamed up by boffins whose job is to create more IT technology, not necessarily user-friendliness.”

Technology providers would argue that email and post do not meet the basic test set out in Data Protection Act Article 25(1), which states that firms must, taking into account the state of the art, implement appropriate technical and organisational measures to safeguard clients’ personal data.

“Email and post don’t meet this basic test. Any adviser firm still sending data via email or post is not taking appropriate care with their client’s data,” said Lee.

ruby.hinchliffe@ft.com