The new legislative and regulatory regime goes live, so to speak, in June next year. The last couple of years have been a blizzard of “consultation documents” and meetings with MBIE/FMA. I see the FMA has just issued yet another consultation document on proposed standard conditions for transitional licences!
This latest consultation document is focused on record keeping and having a complaints process, so we may not provide feedback in this instance. When reading it, you get the impression that further down the track, the full licence system may well be more onerous than the transitional one.
Anyway, it’s pleasing to see plenty of activity from members who are getting their heads around the new licensing and training requirements, and moving to get things in place where they need to. Hopefully within a couple of years, all advisers will be through the transition period, so we can look forward to being able to focus on core business, rather than dealing with constant change.
Around a third of our members’ firms have cyber cover via the TripleA’s PI scheme. The TripleA itself also purchases cyber cover as it’s probably the biggest single business risk we all face. Recently, we had reason to activate our policy as the TripleA website was hacked.
It was just the public website so, apart from the inconvenience which bubbled on for a few weeks, it didn’t prove to be a major problem. The thrust of the hack was extortion emails threatening to flood the world with emails purporting to be from the TripleA website, which would annoy our clients. Of course, this wouldn’t happen if we sent some funds off to a Bitcoin account!
The lessons we learnt from the experience were:
- As a small entity, having technical experts on hand who can quickly help track and close the source of the hack was a huge comfort.
- Interestingly, the source was a couple of steps down the supply chain, so to speak. It wasn’t our website but the ‘shared hosting’ service that sits behind it. Shared services are often selected because they appear to be cost-effective. They aren’t necessarily insecure, but there proved to be some question marks around a couple of their processes.
- Our developer and the cyber security experts that were called in didn’t have direct or easy access to server log files or base code, which made it more difficult to track down the root source of the hack.
- We have opted to move away from a shared hosting service so that our own developer has more direct responsibility and oversight of all update and password management, and website monitoring for re-hacks.
On the upside, we discovered that operationally we were pretty resilient. Most things carried on as normal and the exercise, albeit unplanned, led to a broader review and tightening of processes, where we could, in several areas.
Many of our members will be small entities like the TripleA itself. While none of us like the cost of purchasing cyber cover, the internet today, while bringing many efficiencies, also carries quite a few risks. From our experience, cyber cover is certainly worth having when one of those risks lands on your doorstep!
Finally, I’d like to welcome the new members below to the TripleA. We continue to have a steady stream of new advisers joining the TripleA, which is great to see.
Wayne Smith, CEO