Choosing the right cyber security partner for your business is not easy. Here are some insights to help you select the right cyber security partner.

1. How does a financial planning business properly identify and select the right cyber security partner for its business?

Answer: Potential security partners should acknowledge that cyber risk is not ‘one-size-fits-all’ and should provide customisable solutions tailored to the business, environment and scale. Multi-layered approaches, including products, services, education and employee training, should be on offer, along with guidance on best practices, policies and procedures, and any compliance requirements your firm is bound to.

Reputable managed security service providers should be able to provide relevant examples (‘war stories’) and specifics of their practices, along with certifications and the credentials of their team.

2. What are the types of questions a financial planning business should be asking their cyber security partner?

Answer: In terms of due diligence, we would recommend five specific questions as follows:

1. Have you worked with financial planning firms before?
2. What types of regulations and requirements does my business need to comply with?
3. Who can I contact for references? Be wary of a firm who will only provide testimonials or who doesn’t want to connect you with other clients.
4. How frequently will we see status reports? What kind of visibility will we have on your work on our behalf?
5. What is your incident response procedure if something happens to our networks or systems? What can we expect and can you talk us through it?

3. How does a financial planning business properly assess, manage and monitor the cyber risks across its business?

Answer: Any assessment of cyber risk begins with a broader internal assessment of the firm, its assets and its environment. A business needs to be aware of the following:

• What are business-critical functions and processes that must be maintained?
• What data and resources constitute the firm’s ‘secret sauce’ and must be protected at all costs?
• Who might want to attempt to steal those ‘top secret’ assets or disrupt the firm’s operations, and to what end?
• What tools and workflows are currently in use, where are offices located, and what are the things that could potentially go wrong?

By establishing the essential components of the firm’s operations, which resources and information must be treated as top secret, and outlining the firm’s scope of operations, this will allow you to work with a reputable cyber consultant to establish priorities, procedures and put appropriate controls in place to monitor and mitigate cyber risks to the business.

****

Alex Wise is Head of Australia and New Zealand, Castle Hall.