With the threat of cyber-attacks growing by the day, leadership teams in all areas of financial services are being urged to ramp up cybersecurity protections, with the regulators keeping a keen eye on their efforts. But while major institutions might be well resourced to respond, financial advisers are falling behind.

In recent months, several major institutions have fallen victim to cyber breaches, most notably NGS Super.

According to MinterEllison's 2023 Cyber Risk Report, 82% of survey respondents from the financial services sector ranked cyber risk among their top five priorities. However, only half of respondents (across all sectors) believed their organisation had sufficient resources to monitor and respond to its cybersecurity needs.

MinterEllison technology and data partner Paul Kallenbach says the last 12 months have seen a significant increase in the sophistication and frequency of cyber-attacks.

"In general terms, I do believe that Australian financial services organisations are focused on preparing for future cyber-attacks," Kallenbach says.

This is driven, in part, by layers of cyber-related regulation, including the Privacy Act, the Corporations Act, and the Security of Critical Infrastructure Act.

Moreover, with the recent large scale data breaches in Australia, Kallenbach says the sector is understandably very nervous about, and therefore focused on mitigating, this risk.

Regulators are also focused on it. In June, ASIC launched a cyber pulse survey to measure cyber resilience, open to all ASIC-regulated entities for the first time. In a statement to Financial Standard, ASIC confirmed most respondents so far have opted in to receive an individual report, providing insight as to how their cyber resilience compares to their peers.

Meanwhile, APRA is assessing more than 300 of its regulated entities' compliance with CPS 234 Information Security. So far, 24% of entities have been reviewed, finding several concerning gaps including incident response plans not being regularly reviewed or tested.

Bright Corporate Law principal David Jacobson says serious penalties and costs can apply to licensees who fail to protect confidential and sensitive personal information of clients.

Referencing the Federal Court judgement in ASIC v RI Advice Group, in which RI Advice was found to have failed its cybersecurity obligations, Jacobson says regulatory expectations are ramping up.

"The proceedings against RI Advice are of interest because they show ASIC's appetite to take enforcement action against companies that fail to meet reasonable standards in managing cyber risks," he notes.

APRA's prudential standards are now designed to make sure that financial institutions know what data they hold and test their systems to ensure they are as secure as possible. Separately, under the Privacy Act's Notifiable Data Breaches scheme, eligible data breaches must be reported to the Privacy Commissioner as well as to affected individuals.

"Of course, there can always be human error. Therefore, on an organisational level, APRA requires the training of employees and education of customers to make sure financial institutions are as secure as they can be," Jacobson says.

However, at the other end of town, The Cyber Collective founder Fraser Jack says financial advice practices are in dire need of support.

"The government is doing a very good job of combining resources and trying to come at this from a 'one government' point of view, but unfortunately smaller advice firms are falling through the cracks," he says.

"Larger firms already have a lot of security in place, whereas it's always been really difficult for the small 'mum and dad' businesses to hold fort because they don't have all the cyber teams working for them."

To prevent cyber-crime, Jack encourages advisers to look at three key areas of practice: technology, training, and testing.

"Firstly, setting up the tech is essential. Secondly, we look at training the teams, or what I call 'rebooting the humans', and the third area is being able to provide proof. For example, undertaking an audit or being able to demonstrate competence," he says.

Jack also reminds practice owners to consider supply chain risks from third-party providers: ask them the right questions, and don't just assume they have adequate processes in place.

He adds that having a strong cybersecurity plan in place not only strengthens a business but can improve client relationships, saying: "There's a huge opportunity for advisers to have proactive conversations with their clients about their cyber-security processes."