A leading industry cyber security expert has warned brokers they could be at risk of being sued, losing clients or having accreditations revoked if they become the victims of a cybercrime.
Paul Hankin, a former mortgage broker who now works as a cybersecurity adviser at Kaesim Cybersecurity, said cybercrime had become “industrialised” over the last 10 years, and is now worth over $1.5 trillion annually.
Recent major data breaches involving household brands such as Optus, Medibank and Woolworths also mean consumer expectations have risen in the last two years.
This means brokers’ customers are now more aware of their data and privacy rights, know they need to protect their personal data, and know there are ways they can take action, Hankin said.
“Cybercrime is everywhere now. Where 20 years ago you might get a virus on a computer, which would be annoying, now it’s affecting everyone, both in their businesses and personally,” he said.
Hankin said brokers involved in a cybercrime incident risked being sued under the Privacy Act, losing client business, or facing increased compliance action from aggregators or lenders to ensure cybersecurity.
“Essentially they could lose money, lose clients and could even lose their accreditations,” he said.
In the case of Optus, which involved a breach of the personal data of 9.8 million customers, Hankin said 10% of customers had left the business, which added up to a $140 million cost to the business.
Financial services industry and brokers are a target
Latitude Financial recently advised the ASX that it had been hacked. Since then, it has expanded its estimation of the attack size, saying a total of 14 million customer records had been accessed.
Hankin said the financial services industry was one of the highest risk sectors and largest targets of cybercrime according to available incident data, alongside industries such as government and healthcare.
Hankin said professional services providers were also at the top of the list for ransomware attacks.
“Cybercrime is all about money, and the easiest way to get money, and that is available in the financial services industry. They are not going to target a McDonald’s or a hair salon,” he said.
Cybersecurity risks are also shared throughout the broker, aggregator and lender supply chain, because if someone in the supply chain has their data hacked, it could impact other parties.
In the case of Latitude Financial, the company said the attacker appeared to have used employee login credentials to steal information being held by two other Latitude service providers.
“A broker might say if the client gives me personal information and my aggregator loses it, the client doesn’t care about that – but the reality is it was lost after they gave it to me,” Hankin said. “In a supply chain everyone carries responsibility, it doesn’t matter by whom it was lost.”
Cybersecurity risks and solutions for brokers
Ransomware and business email compromise have consistently remained the two biggest risks facing mortgage and finance brokers over the last five years, Hankin said.
However, a lot of businesses still don’t have the protections they should have on their email accounts and devices, in large part because of widespread “apathy” among users of technology.
“The first thing is that everyone hates IT – cybersecurity is incredibly boring. It’s something like life insurance, in that people only do something about it when something goes wrong.”
The penalties levelled on businesses responsible for breaches have also not been high enough to spur action, though they did increase to $50m for larger businesses at the end of last year.
Hankin has encouraged brokers to implement three measures that could protect them.
“First, switch on two-factor-authentication for logins to your email, files and your CRM,” he said.
“We would also recommend switching on automatic updates for software like Windows so that your software stays up to date with security updates as they come through. Brokers should also ensure that they install business grade anti-virus software on their computer, tablets and phones,” he said.
Hankin estimates that about seven or eight out of 10 businesses do not have these basic measures in place and rely on the outdated view that the anti-virus software they have installed is enough.
“Anti-virus software is only 20% of the equation. People in businesses are still getting hacked every day of the week because they don’t have the other security gaps plugged.”