Protect your clients: 5 critical questions to ask your tech provider

By Doug Morris, Chief Executive Officer, Sharesight.

Every 10 minutes, the Australian Cyber Security Centre receives a report of cybercrime. If we do the math, that’s six incidents per hour, 144 a day, and over 50,000 a year — each one a potential threat to sensitive client information. And with access to client information such as full names and identification documents, investment advisors are often a prime target.

Understandably, more than 80% of advisors are worried about being targeted by cybercriminals, as noted in BT's Advisor Sentiment Index 2024. Yet as many as 30% are unsure about their platform's ability to keep client data safe.

Cybersecurity is more than just a technical issue, it is a business-critical responsibility. As an advisor, you are likely well aware of the increasingly strict regulations around data breaches, as well as the reputational damage your firm could suffer if your clients' data is targeted.

Therefore, it’s important that you take proactive steps to protect your client information. By relying on spreadsheets, unsecured emails and manual processes, you leave both your clients and your practice exposed. At the same time, you need to ensure that the platforms in your tech stack are doing their part to protect you and your clients.

The first step is to ask your tech providers the right questions. Here are five questions you should never overlook:

1. Who controls access to your clients' portfolios?

To begin with, you need to understand who has access to your clients’ data, and how that access is managed. Not all technology platforms offer granular control over user permissions, and some may allow multiple employees or third-party contractors access to sensitive portfolios.

You should confirm whether access is role-based, with each user able to see only what they need to do their job, and denied everything else by default. Ask about procedures for granting and revoking access, particularly when staff leave or change roles, and whether the provider keeps an audit trail of who was given access to which portfolio and when. You should also ask whether the provider can produce a SOC 2 Type 2 report: this records an independent auditor's assessment of whether the provider's controls, access controls among them, operated effectively over a period of months rather than at a single point in time. Ask which systems and controls were in scope, because the report only covers what the provider chose to include. A platform that lets you clearly define and monitor access helps minimise the risk of unauthorised use and protects client trust.
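The access model described above, as an added illustration rather than anything from Sharesight's own platform: a small deny-by-default registry in which each user is granted a role on a specific portfolio, the roles and the portfolio identifiers are assumed for the example, every grant and revocation is written to an audit trail, and offboarding a user removes them from every portfolio in one step.

```python
# Added example: role-based, deny-by-default access to client portfolios.
# The role catalogue, user names and portfolio IDs are assumptions for
# illustration, not Sharesight's actual permission model.

# Each role maps to the smallest set of actions it needs (least privilege).
ROLE_PERMISSIONS = {
    "advisor": {"view", "edit", "export"},
    "paraplanner": {"view", "edit"},
    "contractor": {"view"},
}


class AccessRegistry:
    def __init__(self):
        self.grants = {}     # portfolio_id -> {user: role}
        self.audit_log = []  # append-only trail of grant/revoke events

    def grant(self, portfolio_id, user, role, granted_by):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.grants.setdefault(portfolio_id, {})[user] = role
        self.audit_log.append(("grant", portfolio_id, user, role, granted_by))

    def revoke(self, portfolio_id, user, revoked_by):
        role = self.grants.get(portfolio_id, {}).pop(user, None)
        if role is not None:
            self.audit_log.append(("revoke", portfolio_id, user, role, revoked_by))
        return role is not None

    def offboard(self, user, revoked_by):
        """Staff leaving: strip the user from every portfolio and return the list touched."""
        removed = [pid for pid, users in self.grants.items() if user in users]
        for pid in removed:
            self.revoke(pid, user, revoked_by)
        return removed

    def can(self, user, action, portfolio_id):
        """Deny by default: the user needs an explicit grant on this portfolio
        and a role whose permissions include the requested action."""
        role = self.grants.get(portfolio_id, {}).get(user)
        if role is None:
            return False
        return action in ROLE_PERMISSIONS[role]

    def who_can_access(self, portfolio_id):
        """The question an auditor asks: who can currently see this portfolio, and as what?"""
        return sorted(self.grants.get(portfolio_id, {}).items())


if __name__ == "__main__":
    reg = AccessRegistry()
    reg.grant("P-1001", "alice", "advisor", granted_by="admin")
    reg.grant("P-1001", "bob", "contractor", granted_by="admin")
    print(reg.who_can_access("P-1001"))
    print("bob may export:", reg.can("bob", "export", "P-1001"))
    print("offboarded bob from:", reg.offboard("bob", revoked_by="admin"))
    print(reg.who_can_access("P-1001"))
```

The two checks worth carrying over to a real platform evaluation are the ones in `can()` and `who_can_access()`: access is denied unless an explicit grant exists, and the provider can list, for any given portfolio, exactly who currently holds access.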

2. What authentication measures are in place?

Authentication is your first line of defence against unauthorised access. Multi-factor authentication (MFA) should be standard, requiring users to confirm their identity in more than one way, for example by entering a password and then approving the login through a mobile app or a hardware security key. Not all second factors are equal: codes sent by SMS can be intercepted or socially engineered, so prefer providers that support app-based or hardware-backed methods.

Beyond MFA, look for platforms that actively monitor login attempts and flag unusual activity, such as a burst of failed logins for one account or a successful login from a country the user has never signed in from before. A SOC 2 Type 2 report will show whether controls of this kind were in scope and operated as described over the audit period, which offers added assurance that the provider's authentication practices have been independently examined. This is an essential safeguard against both opportunistic attacks and sophisticated breaches.
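The kind of login monitoring described above, as an added example that is not code from Sharesight or from the original article: it runs over a few constructed authentication log lines (timestamp, user, source IP, country, outcome; the format and the addresses are assumptions) and raises three kinds of alert: a burst of failed logins for one account within a short window, a success immediately following such a burst, and a success from a country that account has never logged in from before.

```python
# Added example: simple login-anomaly detection over authentication logs.
# The log format, thresholds, users and IP addresses are constructed for
# illustration and are not Sharesight's real logs or rules.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <user> <source_ip> <country> <outcome>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice 203.0.113.10 AU success
2024-05-01T09:01:00 bob 198.51.100.5 AU failure
2024-05-01T09:01:20 bob 198.51.100.5 AU failure
2024-05-01T09:01:40 bob 198.51.100.5 AU failure
2024-05-01T09:02:00 bob 198.51.100.5 AU failure
2024-05-01T09:02:30 bob 198.51.100.5 AU failure
2024-05-01T09:03:00 bob 198.51.100.5 AU success
2024-05-01T11:00:00 alice 192.0.2.77 RO success
2024-05-02T09:00:00 alice 203.0.113.10 AU success
"""

FAILURE_THRESHOLD = 5               # failures per account before we alert
FAILURE_WINDOW = timedelta(minutes=10)


def parse_line(line):
    ts, user, ip, country, outcome = line.split()
    return datetime.fromisoformat(ts), user, ip, country, outcome


def detect_login_anomalies(log_text):
    """Return a list of (kind, user, source_ip, timestamp) alerts, in log order."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps of failures inside the window
    known_countries = defaultdict(set)    # user -> countries seen on earlier successful logins

    for line in log_text.strip().splitlines():
        ts, user, ip, country, outcome = parse_line(line)
        failures = recent_failures[user]

        if outcome == "failure":
            failures.append(ts)
            while failures and ts - failures[0] > FAILURE_WINDOW:
                failures.popleft()
            # Alert once, at the moment the burst crosses the threshold.
            if len(failures) == FAILURE_THRESHOLD:
                alerts.append(("repeated_failures", user, ip, ts))

        elif outcome == "success":
            # A success right after a burst of failures looks like a guessed password.
            if len(failures) >= FAILURE_THRESHOLD:
                alerts.append(("success_after_failures", user, ip, ts))
            failures.clear()
            # Only compare against a baseline once the account has a history.
            if known_countries[user] and country not in known_countries[user]:
                alerts.append(("new_country", user, ip, ts))
            known_countries[user].add(country)

    return alerts


if __name__ == "__main__":
    for kind, user, ip, ts in detect_login_anomalies(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:24} user={user} ip={ip}")
```

On the sample above the detector flags bob's fifth failure, the success that follows it thirty seconds later, and alice's first sign-in from a new country; alice's return to her usual country the next day is not flagged. When you ask a provider about this, the useful follow-up is what happens after the flag: whether the account is locked, whether you are notified, and how quickly.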

3. How is data stored and delivered?

Understanding the infrastructure supporting your platform is essential to assessing its security and reliability, and not all data storage is created equal. Sensitive client information must be encrypted both in transit and at rest, meaning it is scrambled into an unreadable form while being transmitted over the network and while stored on the provider's servers or backups. Encryption at rest protects data if storage media or a backup copy is stolen, but it only helps if the keys are managed separately from the data, so ask who holds the encryption keys and how access to them is controlled. Encryption in transit protects data as it moves between your browser and the platform, and between the platform and any third-party services it relies on.

It is also important to know the physical location of your tech provider's servers, their backup processes, and whether they have redundancy in place so that the failure of one site or component does not take the service down. If you serve clients in Europe or store data in multiple regions, GDPR compliance is another vital consideration, as it governs how personal data may be handled and transferred across borders.

4. How often are independent security audits performed?

Don’t forget to inquire about the frequency and scope of your provider’s independent security audits. Regular third-party testing is essential, as it provides an objective assessment of a platform’s vulnerabilities and confirms that security measures are being implemented effectively.

You should also ask for details on the audit process, including whether penetration testing is conducted and how often, how vulnerabilities are tracked and addressed (and within what timeframes), and how findings are communicated to clients. A provider should be able to share at least a summary of its most recent test and the status of remediation. A SOC 2 Type 2 report is particularly useful here, as it demonstrates that a provider's security controls are not only suitably designed but also operated as intended over a period of time. GDPR's accountability principle likewise requires providers to be able to demonstrate their compliance, for example through records of processing and periodic assessments of their data handling.

5. What disaster processes are in place?

Preventing data breaches is vital, but if an incident does occur, a reliable disaster response plan can mean the difference between a minor incident and a major reputational crisis. Ask providers about their disaster recovery and business continuity plans. These should state how data is backed up, how often, where the backups are kept, how quickly service can be restored (the recovery time objective) and how much recent data could be lost in the worst case (the recovery point objective), and what steps are taken to maintain service continuity for your clients.

A robust disaster plan ensures that even in the event of a ransomware attack, hardware failure, or natural disaster, your client data remains protected and your practice can continue operating with minimal disruption. Backups that have never been restored are an assumption, not a safeguard, so ask when the provider last performed a restore test and what it found. When evaluating providers, confirm that the Availability criteria were included in the scope of their SOC 2 Type 2 report, since those cover the testing of backup and recovery controls.

Building trust through secure technology

The current regulatory environment adds another layer of urgency. Because AFS licensees now have stricter reporting requirements around data breaches, it’s essential to adopt technology that not only safeguards data but also ensures compliance with reporting obligations.

Trusted platforms, such as Sharesight’s investment portfolio tracker, offer enterprise-grade security features designed for advisors. With SOC 2 Type 2 certification, GDPR compliance, multi-level authentication, encrypted storage and comprehensive disaster recovery protocols, Sharesight helps advisors meet regulatory requirements while maintaining client trust.

Cybercrime is not a hypothetical threat — it is a real and growing concern. But with careful evaluation and the right technology, you can reduce risk, protect client information, and continue to deliver the trusted advice your clients expect.

If you’re looking for a secure portfolio tracker that safeguards client information and offers powerful reporting tools for advisors, click here to sign up for Sharesight’s 14-day free trial.
