Risk and Compliance Blog

SAFAA Conference, is Technology a Friend or Foe?

Written by Kelly-Ann McHugh | Sep 8, 2020 12:15:00 AM

Last week MCO participated in the Stockbrokers and Financial Advisers Annual Conference, a virtual event in 2020 due to COVID-19.

We set out to discuss how to manage emerging risks such as cyber security, social engineering and to deliver a successful business. The level of scrutiny as to how advice businesses manage these risks is increasing dramatically. How do you keep on top of the demands?

  • What are the types of incidents that have affected organisations, large and small, that have compromised their business?
  • The people problem — the importance of influencing behaviour to manage vulnerabilities
  • Operational Resiliency, contingency plans and regulating technology
  • The most important takeaways in making Technology your friend

Kelly-Ann was joined by James Astley of the Australian Federal Police, Paul Black of KPMG Forensics and Calissa Aldridge of ASIC.

Kelly-Ann asked the audience at the beginning whether the audience could describe their feelings towards Technology in the Stockbroking & Financial Services Industry, the results were pretty positive, with most in the room feeling like technology was efficient, some saying it was room for improvement, and a small proportion feeling like it was better than paper.

 

We moved on quickly to really set the scene of the Technology industry, with a number of high profile Cyber-Crimes & recent attacks, both in the FS industry and outside it, it was timely to highlight the challenges firms have in protecting their clients, and themselves from these mostly external threats.

Some examples shared by James, Paul and Calissa included:

  • Australia has so far this year (until July) seen approximately $142mil in business email compromise loss
    • An example given during the presentation included: Getting Root access to a CFO’s computer, CFO sends an email requesting 3 invoices to be paid (expected), but the criminals have tacked on a 4th fake invoice, which is subsequently paid.
    • Often target vulnerable individuals
  • A senior citizen who had via cyber networks had $349,000 transferred offshore over course of several years due to email compromise.
  • The recent availability of early release of Super, had around $34 mil of attempted fraud and 700 cases so far!
  • ASIC released a media release on investment scams during COVID, and some case studies of scams to raise awareness among retail investors:
  • Nathan gets unexpected calls offering share trading software
  • Costa loses $56,000 through a dating app scam
  • Rhett is scammed $97,000 by a fake crypto/ICO endorsement  

Meanwhile, we also heard how the NZX was suffering its worst cyber attack (DDOS) the very week of the conference, with some participants having to halt trading due to the attack.

What are some of the key causes of these incidents? Paul, a Partner at KPMG Forensics went on to discuss how in many instances it came down to a People problem. Criminals are using Ransomware as a distraction, so technology teams focus on the Ransom and the crime, meanwhile the criminals are gaining access to other data and information in the process. James from the AFP also noted that Remote Access Trojans are using tools like Keylogging to facilitate access to passwords and systems, which therefore mean the crimes can go undetected for a long time. The AFP recommends visiting www.afp.gov.au/rats for more information on this attack.

Both during the session and in the preparation session, we discussed the challenges firms have in monitoring security risks and issues. In one very large cyber crime case with a large Retail Firm, it was discovered that after a bad year of Revenue, the firm had made cuts to its Technology Staff, in particular the Security team, and with this, this meant reduced budget for monitoring security weaknesses. In this case, the logging & security tools had identified that there was a breach, but no one with the skills was monitoring the tools which did in fact detect the anomalies. Thus, a people problem!

How can you manage cyber risk?

Firms must review their technology controls to ensure there are adequate protections for their client and employee’s data. There were a few key technologies discussed including:

Training & Education

Training should not be provided to employees on a once-off basis. Education and awareness for Cyber-Crime risk is an important element of a control framework. Phishing education can be easily rolled out to firms, to test their staff on how easy it would be to click and be vulnerable to business email crimes.

Two-Factor Authentication

Firms should endeavor to enable two-factor authentication wherever they can, and the one take away was for individuals to enable 2FA on all of their email accounts asap. It is well known that 2FA can reduce the risk of business email compromise significantly, and as such, it is highly recommended to be implemented. With a lot of cloud services now available, this should be an easy win for firms. At least AUD$500,000 has been taken in Australia where Superannuation accounts have been compromised, where 2FA would have prevented such loss.

Disaster Recovery & Contingency Planning

Firms should ensure they test their DR Plans adequately on an annual basis, as we have seen with Ransomware attacks, businesses can be taken down in their entire production environment, with no access to easily invoke backups, or to discover at an actual event that their backups are lost or don’t actually exist! Testing a full recovery is critical to your information security controls.

Outsourcing

ASIC will be reviewing and updating their Regulatory materials with relation to Outsourcing, in particular Consultation Paper 314 was released in 2019 with regards to Market Integrity Rules for technological and operational resilience to promote resilience of critical systems. Do watch out for updates with regards to the final guidance. Businesses should review technology vendors regularly (at least once a year) to ensure information security controls are being tested and reviewed where they are outsourced.  

Encryption

Where possible, one critical control of data within your database, is database level encryption. If you can afford to control production and sensitive data in your database with encryption, do review and implement.

MyComplianceOffice is a leading provider of RegTech Solutions, a “friend” to assist the Financial Services Sector maintain their Conflict of Interest and Conduct Risk Compliance obligations. With customers present in 80 countries, and over 400 customers using our Software as a Service solution, we are well placed to assist your firm automate your manual compliance activities, no matter the jurisdictions you need to comply with. Contact us today to learn more.