If your business still needs to become POPI compliant, we can help. Click here for more information

Tips to mitigate cybercrime risks

Posted on 5 October 2020   

Cybercrime has increased. However, you can protect yourself, your employees, business and clients from falling victim to cyber criminals by acting with due skill, care and diligence.

Cyber criminals are aware people are spending more time online. Since lockdown began, there has been an unprecedented increase in virtual meetings and general online activity. Even as restrictions are being lifted, employers are still encouraged to let employees work from home.

Cyber criminals are using this time to prey on consumers, as well as businesses and their employees who rely on internet services to operate remotely. Anxious and less tech-savvy people are not the only targets; FSPs have also become more vulnerable. Without measures in place to combat cybercrime, FSPs are exposed to the various risks that result from it.

An example of cybercrime is a client losing money because an FSP processed a withdrawal that came from the client’s hacked email account. Another example is a cyber breach, where a scammer releases clients’ personal information. This results in clients losing trust in you as an advisor or FSP. In addition, scammers who hold business systems hostage disrupt operations and limit the ability to service clients effectively.

Impact of cybercrime

Cybercrime that impacts clients financially or relates to use of personal information could impact your business reputation. Clients trust that you are dealing with their financial matters using ‘due skill, care and diligence’. A lack of trust negatively impacts client retention and growth. In turn, this affects your financial goals, as well as business profitability and sustainability.

As cybercrime increases, are you more concerned about your exposure to cybercrime and its impact on your business reputation and clients’ trust? Are your business and clients protected against cyber-criminal activity? Are you familiar with the latest cybercrime activities? Has this information been shared with your employees and clients and are they on full alert?

As scams are innovative and suited to the current environment, awareness of the latest cybercrime techniques would benefit you and your employees. Information should also be communicated to clients to minimise their risk of suffering financially and their data being breached.

Steps to avoid falling victim to cybercrime

There are steps you can take to avoid becoming a victim of cybercrime, like only using trusted Wi-Fi networks. Do not click on links or open attachments in emails or SMSs you were not expecting, or which seem suspicious. Before sharing personal or confidential information online, verify the authenticity of a website. There should be a lock symbol in your browser’s URL bar, or the website URL should begin with ‘https’. Keep in mind that the lock symbol and ‘https’ only show that the connection is encrypted, not that the site is genuine, so also check that the domain name is the one you expect. If in doubt, stay away.

Also be sure to provide your employees with the necessary business applications and tools to do their job. Alternatively, give them clear instructions on what they should use and where they can find it. Doing this may prevent employees from downloading malicious programmes that appear to be legitimate tools.

Take care with your passwords. Many people use the same password for many different websites and applications. They also use passwords that are easy to remember. Consider using a password manager – many are available as free applications – to avoid using the same password on numerous websites.

You can also apply 2-factor authentication when allowing clients or staff access to confidential information or secure environments. For example, you can send a one-time password (OTP) when registered users enter their username and password. Alternatively, registered users could use an app on their phone for verification purposes. Consider verifying the identity of people who send you information via a follow-up phone call, WhatsApp or SMS, especially if money is involved. Your PI insurer may refuse to pay your claims if you do not have some of these checks in place.

Be cautious before sharing screens on MS Teams or Zoom virtual meetings. Also be conscious of the information contained in screenshots before sending them.

Ensure all your employees have the necessary security precautions to protect business information, such as up-to-date anti-virus software. Discourage the use of personal computers for business. Also make cyber security courses available to employees and encourage them to take these courses.

Client follow-ups and processes

Client follow-ups are vital when handling instructions to disinvest or transfer funds to another account. All employees need to understand and adhere to the business processes and procedures when executing these instructions. They also need to perform them with the necessary due skill, care and diligence. This is particularly essential if processes and procedures were adapted or relaxed to accommodate clients during lockdown.

For example, a long-standing, A-segment client calls the office and asks an employee for an emergency disinvestment, as he cannot wait for the advisor’s response. Do your employees have a clear process to follow in this case? This scenario may sound far-fetched, but a court case highlights the severity of cybercrime and the importance of following policies and procedures.

On 18 March 2020, the Supreme Court of Appeal found an FSP had incorrectly transferred one of its client’s funds. The instruction came from a fraudulent email created by a hacker posing as the client. There was no signature attached to the instruction, even though the mandate stipulated that instructions would be sent by fax or email “with client’s signature”.

The court found the FSP had acted without receiving proper instructions and contrary to its mandate. The appeal was dismissed and the FSP was ordered to pay the client’s costs of R804 000.

Avoid a similar scenario

To avoid a similar scenario in your business, be sure to review your business processes and retrain employees to mitigate the risk of cybercrime. You could also document a list of client emails your business will use to verify client instructions. The business should also specify what will be accepted as a signature. Both parties, namely the business and the client, should be aware of and agree to this.

Also consider adding cyber insurance to your PI cover. Regardless of changes made or advice rendered, you still need to prove the authenticity and/or accuracy of information obtained from the client.

Due skill, care and diligence are particularly important during a time like Covid-19. So, ask enough questions to obtain all the necessary information and adhere to the relevant legislation, policies and procedures before acting on client instructions. This will ensure requests are not cyber-attacks, but are aligned to the client’s best interests.

By acting with due skill, care and diligence, your business can protect clients against unfair outcomes, such as becoming a victim of cybercrime. It also protects your business against reputational and financial damage.

To understand the responsibilities and impact that cybercrime has on a business and its clients, and to be more equipped to identify and avoid cyberattacks, register for Masthead’s Cybersecurity Online Course. It is designed to equip you with the know-how to protect yourself and your FSP from cybercrime on a day-to-day basis. Click here to read more and register or contact your nearest Masthead Regional Office for assistance.


We would also like to keep track of what is happening in your world. Please feel free to share your positive stories, as well as your challenges, so we can explore ways to support you during the coming months. You can email us at pmnewsletters@masthead.co.za


Global & Local Investments Advisors (Pty) Ltd v Fouche (71/2019) [2020] ZASCA 8 (18 March 2020)
Lake, R. & Naidoo, P. (2020, March 22). Financial Service Provider has to pay back customer who was hacked. Retrieved from: https://www.financialinstitutionslegalsnapshot.com/2020/03/financial-service-provider-has-to-pay-back-customer-who-was-hacked/
Mabuza, E. (2020, April 29). Cybercrimes ‘on the rise’ during Covid-19 lockdown, warn experts. Retrieved from: https://www.timeslive.co.za/news/south-africa/2020-04-28-7am-cyber-crimes-on-the-rise-during-covid-19-lockdown-warn-experts/
Radoini, A. (2020, May 11). Cyber-crime during the COVID-19 Pandemic. Retrieved from: http://www.unicri.it/news/article/covid19_cyber_crime
