article

What a Federal Court ruling on cybersecurity means for AFS licensees

Published

  • AFS licensees must adequately manage cybersecurity risks as part of their licence obligations.
  • Adequate technological systems, policies and procedures should be in place to ensure sensitive consumer information is protected and to minimise the risk of consumer harm.
  • ASIC will take enforcement action when an AFS licensee does not meet these obligations.

In an Australian first, an Australian financial services (AFS) licensee has been found to have breached its licence obligations by failing to do all things necessary to ensure the financial services covered by the licence were provided efficiently and fairly, and by failing to adequately manage its cybersecurity risks.

In the judgment it was noted that RI Advice Group Pty Ltd had a number of inadequate risk management practices across its network. This included some of its authorised representatives failing to have up-to-date antivirus software, system backups, email filtering or quarantining, and poor password practices. Inadequacies in its cybersecurity risk management lead to a number of cyber incidents affecting clients in the six-year period to May 2020.

With financial services continuing to move online, this decision highlights the importance of good cybersecurity.

In her judgment, Justice Rofe made it clear that cybersecurity should be front of mind for all AFS licensees. She acknowledged that while ‘[i]t is not possible to reduce cybersecurity risk to zero … it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls...’

The Australian Cyber Security Centre (ACSC) recommends organisations implement eight essential mitigation strategies, at a minimum, from their Strategies to mitigate cyber security incidents. By implementing these steps, firms protect themselves against many vulnerabilities.

But, it doesn’t end there.

Our expectations of AFS licensees

First, AFS licensees should be aware of the potential consumer harms that arise from cybersecurity shortcomings.

Second, they should adopt good cybersecurity risk management practices to reduce potential harm to consumers. We expect active management of cyber risks and continuous cybersecurity improvement, including assessment of cyber incident preparedness and review of incident response and business continuity plans.

Third, we expect AFS licensees to act quickly in the event of a cyber incident to minimise the risk of ongoing harm. Theft of sensitive personal information can significantly affect consumers’ financial and physical well-being and can be long-lasting. All organisations should regularly re-assess their cyber risks and ensure their detection, mitigation and response measures adequately support the size and complexity of their business, and the sensitivity of the information they hold.

Finally, we strongly encourage AFS licensees to report cyber incidents to the ACSC. Licensees should also consider if any obligation arises to report the incident to ASIC.

ASIC does not prescribe technical standards nor provide expert guidance on operational aspects of cybersecurity. We also do not prescribe specific requirements for individual licence holders. We do, however, expect licensees to address cyber risk as part of their AFS licence obligations, including risk management.

It is important to note that dual regulated AFS licensees will also have obligations to comply with the standards of other regulators, such as APRA.

What does this decision mean for your organisation?

This decision confirms that AFS licensees must have adequate technological systems, policies and procedures to ensure sensitive consumer information is protected. This will minimise the risk of consumer harm.  

If an AFS licensee fails to meet its obligations as a result of similar conduct or omissions ASIC may take enforcement action, as we did with RI Advice, which can result in significant penalties.

Where can I find out more about my obligations?

Visit our website for more resources on cyber resilience, including cyber resilience good practices and key questions for boards of directors.

ASIC is Australia’s corporate, markets and financial services regulator.

Media enquiries: Contact ASIC Media Unit