FAAA argues financial advice is a small business sector

Mike Taylor

Managing Editor and Publisher

7 March 2024

The financial advice profession has been declared a “largely small business sector with a predominantly self-employed business model”, by the Financial Advice Association in Australia (FAAA).

Explaining the positioning of the sector with respect to cyber-security, the FAAA went on to say that “whilst in some cases, advisers may be authorised by larger institutions, there is an increasing number who are self-licensed or working within small small businesses.

The FAAA said that, in these circumstances, responding to cyber risk had particular additional challenges.

In a submission responding to a Department of Home Affairs consultation on Australian Cyber Security strategy, the FAAA emphasised the generally small business nature of financial planning notwithstanding the sensitive data held by firms.

It said that most financial advice practices would meet the Australian Taxation Office (ATO) definition of small business as featured in the consultation and attacks on small businesses are limited.

“While it is true that some 80% of businesses have faced ransomware software attacks, only approximately 500 such attacks in 2021 eventuated in demands for payment for stolen data. We support, with appropriately scoped obligations, the reporting of ransomware payments,” it said.

“Whilst we support the mandatory reporting regime proposed for ransomware, we are also strongly supportive of a no-fault, no-liability model. This will help to make it easier to report and to reduce the anxiety that may have been generated in reporting such situations to the Government.”

“We would also suggest that the requirements need to exclude any report of those types of cyber security emails that claim to have hacked an individual or a company’s website, where payment has been demanded, however there is no evidence that there has been any loss of data,” the FAAA said.

It said the FAAA holds the view that an payment should be reported in the context of a no-fault, no liability framework.

“Paying a ransom, we would suggest, represents a drastic and dramatic further step in the regular course of events of a ransomware attack and as such should be reported. Financial advice licensees take the issue of data security very seriously and it would be disheartening to know that some of these events would possibly happen in a vacuum with little to no government oversight.”