Small SMSF firms need cyber crime security measures in place: expert
SMSF accountants, auditors and advisers are at risk of cyber crime and should take precautions to secure their clients’ details.
Fraser Jack, founder of the Cyber Collective, said in the latest ASF Audits podcast that smaller professional firms need to behave like larger institutions when it comes to securing against cyber attacks.
“Data is being held in a lot of places. It might be held within a cash management account, with an auditor, with an adviser in a client’s email,” he said.
“You also have to think about those trusted relationships and the thing about a data breach, like having clients’ addresses is one thing, but being able to access more information, like something that can create transactions, or their myGov portal to be able to roll money from a retail fund into an SMSF, means that a cybercriminal can get enough information to then access that money or make their own transaction.”
Fraser said one data breach can lead to major consequences for SMSF clients and a “crumb of information” can be built upon by cyber criminals to access funds.
“Somebody with a crumb of information can get a bit more until they have enough crumbs to reassemble the cake,” he said.
“For example, getting into a client’s personal information account can give an attacker their ID, and enable them to access their email. They can change their password, set up the multi-factor identification with their phone number, and they’re ready to go.”
He said large funds have protocols that notify them if a client changes their phone number or address, but that is not always the case in small funds and SMSFs.
“An auditor or adviser in a small firm looking after SMSFs may not be looking for those signals or updates, or training their staff to look for them,” he said.
“Smaller firms need to behave like a larger institution when it comes to the level of security they implement.”
He said smaller firms that implement an additional sign-off step before money moves would add an extra layer of security to their clients’ data.
“For example, if you are moving money out of an SMSF, you might ring the client because you have a personal relationship with them, and speak to them. It is what I call two-factor authentication – jumping on a Teams meeting with them and eyeballing them and asking if they requested a transaction.”
“[A procedure like this] is an opportunity for SMSF advisers to be able to offer this type of multi-factor authentication whereas a larger fund wouldn't ring the end client as often. Smaller firms have that relationship where they can visually see their client and know what they look like.”
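The two controls described above, watching for recent changes to a client’s phone number or address and requiring a call-back before a withdrawal is signed off, can be written down as a simple review rule. The following is an added illustration, not code from the podcast, ASF Audits or the Cyber Collective; the event layout, the 30-day window, the $10,000 threshold and the sample client records are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Contact details an account-takeover typically changes first. A fresh change
# to any of these just before a money movement is the "signal" a small firm
# should be looking for, and the cue to ring or video-call the client.
SENSITIVE_FIELDS = {"phone", "email", "postal_address", "bank_account"}


@dataclass
class Event:
    ts: datetime
    client_id: str
    kind: str                                  # "contact_change" or "withdrawal_request"
    details: dict = field(default_factory=dict)


@dataclass
class Review:
    request_id: str
    client_id: str
    reasons: list

    @property
    def needs_callback(self) -> bool:
        # Any listed reason means a human must verify out of band before sign-off.
        return bool(self.reasons)


def review_withdrawals(events, window_days=30, large_amount=10_000):
    """Return one Review per withdrawal request, listing why it needs an
    out-of-band check (phone call or video meeting) before it is released.
    window_days and large_amount are assumed policy values, not industry rules."""
    window = timedelta(days=window_days)
    changes_by_client = {}
    reviews = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "contact_change":
            changes_by_client.setdefault(ev.client_id, []).append(ev)
        elif ev.kind == "withdrawal_request":
            reasons = []
            # Rule 1: a sensitive detail changed shortly before the request.
            for ch in changes_by_client.get(ev.client_id, []):
                age = ev.ts - ch.ts
                changed = ch.details.get("field")
                if age <= window and changed in SENSITIVE_FIELDS:
                    reasons.append(f"{changed} changed {age.days} day(s) before request")
            # Rule 2: large movements always get the personal call-back.
            amount = ev.details.get("amount", 0)
            if amount >= large_amount:
                reasons.append(f"amount {amount:,.0f} at or above {large_amount:,}")
            reviews.append(Review(ev.details["request_id"], ev.client_id, reasons))
    return reviews


# Constructed sample records for the example; no real client data.
SAMPLE_EVENTS = [
    Event(datetime(2024, 3, 1), "client-A", "contact_change", {"field": "phone"}),
    Event(datetime(2024, 3, 5), "client-A", "withdrawal_request", {"request_id": "W-1", "amount": 50_000}),
    Event(datetime(2024, 3, 5), "client-B", "withdrawal_request", {"request_id": "W-2", "amount": 2_000}),
    Event(datetime(2023, 12, 1), "client-C", "contact_change", {"field": "postal_address"}),
    Event(datetime(2024, 3, 6), "client-C", "withdrawal_request", {"request_id": "W-3", "amount": 3_000}),
]


if __name__ == "__main__":
    for r in review_withdrawals(SAMPLE_EVENTS):
        status = "CALL CLIENT" if r.needs_callback else "ok"
        print(f"{r.request_id} {r.client_id}: {status} {r.reasons}")
```

Run as written, W-1 is held for a call-back on two grounds (a phone number changed four days earlier and a large amount), W-2 passes, and W-3 passes because the address change is well outside the window. The point of keeping the reasons as text is that the adviser who rings the client knows exactly what to ask about.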