Financial advisers are a prime target for cyber criminals and — as has been documented in FT Adviser — there are any number of recent examples.
These include cyber extortion by way of ransomware, which involves criminals accessing systems and illegally encrypting them to deny their owners access, only relinquishing the captive systems in return for a ransom.
Large-scale data theft extortion and cyber-facilitated fraud have also hit the headlines — issues that financial advisers need to be very mindful of, given the sensitive information they hold for their clients.
Financial services in general have endured an increase in cyber attacks in recent years, but there are reasons why some of the smaller businesses in the industry have attracted particular attention from attackers.
They may be perceived by criminal gangs to be less well-protected from attack, less operationally resilient and therefore — in the extortion context — more likely to pay a ransom. Financial advisers’ reliance on third-party service providers, themselves potentially vulnerable to attack, adds a further layer of risk.
Operational impact
Much of the commentary in this area focuses on the impact on the affected business, usually in terms of operational disruption, liability to customers and third parties, regulatory consequences, and reputational harm.
But less discussed is the potential risk to the individuals behind those entities — the board members and senior executives who shape the company’s activities day to day. And that is despite the fact that the prospect of regulatory risk and liability for individuals has been growing for a while, a trend that looks set to continue.
For example, financial advisers operating in the UK fall under the Senior Managers and Certification Regime, which is monitored and enforced by the Prudential Regulation Authority and the Financial Conduct Authority.
This imposes personal accountability on the individuals holding a number of key functions. Most notably here, the rules assign responsibility for cyber security to the holder of the chief operations senior management function (SMF24).
While to date the PRA and FCA have focused enforcement action in the wake of cyber incidents on entities rather than individuals (including the fines imposed on Tesco Bank and Equifax), the regulatory framework would allow for individual enforcement action — and the PRA has shown willingness to enforce in relation to non-cyber-related IT issues, including in imposing a penalty on the former chief information officer of TSB Bank.
Meanwhile, the EU Digital Operational Resilience Act, which applies from 17 January 2025, will add further layers of accountability and potential liability for senior individuals within investment firms operating in the EU.
Dora requires member states to provide for the liability of individuals within a firm's "management body" (usually the board), and of other individuals who may be responsible for a breach of the act. The regulation imposes stringent operational resilience standards on regulated entities, and the management body must define, approve and oversee the entity's arrangements for meeting them.