GUEST COLUMNIST – CLINTON STANGER

FAPs need to decide if they can effectively mitigate cyber risks – it is not an IT or technology risk – it is a business risk, writes Curated Risk’s Clinton Stanger…


 

In the past few years the FMA has released guidance notes on cyber resiliency for financial advisers. In 2021 it published a cyber resilience information sheet, and last year signalled a heightened focus on cyber and operational resilience. In July it released a consultation paper proposing a new standard condition that licensees must have an appropriate business continuity plan.

In this new environment, FAPs need to make a conscious decision about whether they can effectively mitigate cyber risks themselves.

Most cyber risk is related to software and data. However, there are examples where software viruses have caused physical, or ‘real world’, damage. The most commonly perceived risk is the theft of data, or a virus that locks access to a computer system, with an associated demand for ransom to be paid.

Clinton Stanger of Curated Risk.

It is essential to think about cyber risk, not as an IT or technology risk, but as a true business risk.

The insurance industry considers cyber risk will grow to be the biggest liability insurance portfolio in a matter of years. Swiss Re estimates the global cyber insurance portfolio at US$10 billion in premiums written for 2021. It forecasts this to be US$25 billion by 2025.

In the financial advice sector, regulators are increasing their focus not only on the risk management practices of FAPs, but also on the attention that risks such as the privacy of client data receive from the management and directors of an entity.

There are many good guidance resources that financial advice practices can review to implement practical steps which will improve the resiliency of your practice. CERT NZ, the national Computer Emergency Response Team, provides online resources.

Insurers such as NZI have dedicated resources for cyber risk, and financial advisers should speak with their liability programme adviser to further understand the options available.

Cyber risk insurance can provide an immediate response to a breach, with IT consultants and forensic data experts who can help minimise the interruption to the advice practice. Access to public relations consultants to assist with managing the reputational aspects of such an event can also be a benefit.

In Curated Risk’s experience, mitigating a cyber incident requires the early intervention of experts to minimise business interruption, allay the anxiety of the adviser, and ensure the practice is operational quickly.