ASIC has sent a strong message, in a first, that AFSL holders will be held accountable for not managing cybersecurity risk as part of their overall obligation to efficiently and fairly.

Financial services company RI Advice Group was ordered to pay $750,000 towards ASIC’s costs by the Federal Court ( The finding comes after a significant number of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020. In one of the incidents, an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons. It’s interesting to note that the initial response to the claim by ASIC was “the allegations by ASIC are very general’, ‘appear to relate to a small number of cyberattacks of a nature not uncommonly faced by Australian businesses’ and ‘in most instances, no client data would appear to have been compromised’. This is clearly missing the point as ASIC is more concerned about what steps the AFSL holder has taken to address cybersecurity risk and not just outcomes.  When handing down judgment, Her Honour Justice Rofe made clear that cybersecurity should be front of mind for all licensees, stating, ‘Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.’

What does this mean for you?

ASIC is now taking enforcement action for a lack of preparedness on cybersecurity compliance. Therefore, it would be prudent for AFSL holders to:

  • Develop a cybersecurity framework to reduce cybersecurity risk in accordance with the business’ risk appetite;
  • Undertake a cybersecurity risk assessment to test the effectiveness of that framework
  • Remediate any gaps or deficiencies found in the risk assessment to bring the residual risk down to an acceptable level.
If you would like to know how to manage your cybersecurity risk then please contact ACY Advisory.

We are open for new projects!


Any questions or business offers? We are looking forward to hear from you!


International: +61 2 9188 2999

Taiwan: 02 5594 4927

Australia: 1300 729 171

China : 950 4059 5638



Level 18, 799 Pacific Hwy
Chatswood NSW 2067


  • Monday 9am-5pm
  • Monday 9am-5pm
  • Wednesday 9am-5pm
  • Thursday 9am-5pm
  • Friday 9am-5pm
  • Saturday Closed
  • Sunday Closed
ACY Advisory


ACY Advisory acknowledges and respects the Traditional Custodians of country throughout Australia. We respect their knowledge and recognise their continued connections to land, sea and community. We pay our respect to their Elders past, present and emerging.