We Don’t Need Cyber Insurance Because We Don’t Touch the Money…

The assumption is understandable. Because advisers typically do not have direct custody of assets, many believe client money cannot be stolen through the advice practice itself.

Unfortunately, that is no longer the reality.

What We Are Seeing in Practice

Even where advisers never physically “touch” client funds, adviser credentials, email systems, and platform access can still be exploited as an attack vector.

We are seeing a growing pattern of cyber-enabled investment fraud involving:

• Compromise of an adviser’s email account, credentials, or platform access
• Use of that access to sell listed Australian securities held within client or superannuation platforms
• Redirection of the sale proceeds into offshore, thinly traded securities - commonly small-cap stocks listed on overseas exchanges (including recent incidents involving the Hong Kong Stock Exchange)
• Offshore purchases executed at manipulated or artificially inflated prices, where the fraudster or associated parties are effectively the counterparty
• Funds becoming irrecoverable once the trade settles, leaving the acquired securities illiquid or effectively worthless

This structure closely mirrors recognised market manipulation and matched-counterparty fraud typologies - an increasingly sophisticated evolution of traditional “pump and dump” schemes.

These risks are now well understood by regulators, insurers, and cyber investigators both in Australia and internationally, even where individual cases are not publicly detailed.

Why This Matters for Advisers

These incidents create significant exposure for advice practices because:

• The transaction trail can initially appear legitimate at the platform level
• Recovery becomes extremely difficult once funds move across jurisdictions and offshore exchanges
• Even where the adviser is also a victim, firms may still face:
  • Client complaints
  • AFCA disputes
  • Regulatory scrutiny
  • Costly investigations
  • Reputational damage

The Critical Point

Direct custody of funds is not required for a cyber-enabled financial loss to occur.

Platform access - and the ability to initiate or facilitate transactions - is enough.

The Insurance Implications

Professional Indemnity (PI) insurance is generally designed to respond to allegations of negligent advice. In some circumstances, it may assist where clients suffer losses arising from unauthorised platform transactions or cyber-enabled asset misappropriation.

However, coverage is not guaranteed.

Cyber insurance, particularly when combined with appropriate crime cover extensions, is increasingly becoming the policy designed to respond to these events.

Importantly, cyber policies can also provide cover for:

• Incident response costs
• Digital forensic investigations
• Legal and regulatory notification expenses
• Crisis management and response services

In our experience, these costs alone commonly range between $60,000 and $150,000 for small businesses - even before considering potential client compensation exposure.

A Combined Risk Management Approach

To ensure appropriate protection, Financial Planning firms should consider whether their compulsory Professional Indemnity insurance is properly complemented by a robust Cyber Insurance policy with suitable crime endorsements.

ASIC, insurers, and many AFSL licensees are increasingly recognising that this combination is no longer optional - it is becoming an essential part of modern risk management for advice practices.

If you would like to review your current Professional Indemnity or Cyber Insurance arrangements - or better understand how these exposures may affect your practice - click here to get in touch with one of our specialists for a confidential discussion.

‍