ASIC has sent a strong message, in a first, that AFSL holders will be held accountable for not managing cybersecurity risk as part of their overall obligation to act efficiently and fairly.
Financial services company RI Advice Group was ordered to pay $750,000 towards ASIC’s costs by the Federal Court (https://asic.gov.au/about-asic/news-centre/find-a-media-release/2022-releases/22-104mr-court-finds-ri-advice-failed-to-adequately-manage-cybersecurity-risks/). The finding comes after a significant number of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020. In one of the incidents, an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons.
It’s interesting to note that the initial response to the claim by ASIC was that ‘the allegations by ASIC are very general’, ‘appear to relate to a small number of cyberattacks of a nature not uncommonly faced by Australian businesses’ and ‘in most instances, no client data would appear to have been compromised’. This is clearly missing the point, as ASIC is more concerned with what steps the AFSL holder has taken to address cybersecurity risk, not just with outcomes. When handing down judgment, Her Honour Justice Rofe made clear that cybersecurity should be front of mind for all licensees, stating, ‘Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.’
What does this mean for you?
ASIC is now taking enforcement action for a lack of preparedness on cybersecurity compliance. Therefore, it would be prudent for AFSL holders to:
- Develop a cybersecurity framework to reduce cybersecurity risk in accordance with the business’ risk appetite;
- Undertake a cybersecurity risk assessment to test the effectiveness of that framework; and
- Remediate any gaps or deficiencies found in the risk assessment to bring the residual risk down to an acceptable level.