Data breach laws leave advisers at risk

Advice firms are in the firing line due to cyber security concerns


By Sarah Kendell

Email Article Print Article

Incoming laws requiring small businesses to compulsorily disclose when data breaches have occurred in their systems could have major implications for advice firms which often lack the tools to monitor or protect against data breaches, according to Kamino Cyber Security.

The new legislation - which is to receive royal assent in February - required businesses with an annual turnover of $3 million or more to notify the Office of the Australian Information Commissioner, as well as all affected individuals and clients, if they fell victim to a cyber security incident that compromised personal information.

Kamino managing director Julian Plummer said the laws left advice firms at risk given they often lacked the proper cyber security protocols to guard against data breaches and did not have the resources necessary to detect when a breach had occurred.

“The average advice practice today would be unable to determine whether a data breach has occurred,” Plummer told financialobserver.

“They simply don’t have the tools or processes in place to be able to do this, which is why it is often difficult for them to assess the harm it has caused.”

Apart from the administrative costs and reduction in consumer trust that could occur from an advice business having to disclose data breaches, such incidents could also cause legal headaches for the firm and their licensee, Plummer added.

“Depending on the nature of the breach and the harm caused, it would be best to seek legal advice on [the firm’s liability] – the AFSL (Australian financial services licensee) may have to get involved in the liability discussion also,” he said.

Plummer advised financial planning firms that prevention was better than cure when it came to cyber security, meaning they should make data security a top priority at board level and keep all IT systems up to date.

Additionally, practices should “ensure [their] staff have received appropriate training and education regarding information security processes and procedures, and engage independent verification that their systems and processes are fit for purpose and they have adequate controls in place to safeguard their clients’ information”.

“This is key to doing business in the digital age,” Plummer said.

« Back to Articles