ASIC issues expectations on cybersecurity

The impact of the RI Advice case continues to reverberate throughout the financial services industry with ASIC issuing its expectations of Australian Financial Services licensees regarding cybersecurity.

In an Australian first, the Federal Court found that the licensee, RI Advice Group Pty Limited, breached its licence obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks. The court noted a number of inadequate risk management practices across its network, including authorised representatives operating without up-to-date antivirus software, system backups, or email filtering and quarantining, and with poor password practices. These inadequacies in its cybersecurity risk management contributed to a number of cyber incidents affecting clients in the six-year period to May 2020.

In her judgment, Justice Rofe made it clear that cybersecurity should be front of mind for all licensees. She acknowledged that while ‘[i]t is not possible to reduce cybersecurity risk to zero … it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls…’.

Four expectations

ASIC has pointed out that the decision confirms that licensees must have adequate technological systems, policies and procedures to ensure sensitive consumer information is protected. In response to the decision, it has issued a set of expectations for licensees which, it states, go further than implementing the Essential Eight mitigation strategies recommended by the Australian Cyber Security Centre (ACSC).

  • First, licensees should be aware of the potential consumer harms that arise from cybersecurity shortcomings.
  • Second, they should adopt good cybersecurity risk management practices to reduce potential harm to consumers. ASIC expects active management of cyber risks and continuous cybersecurity improvement, including assessment of cyber incident preparedness and review of incident response and business continuity plans.
  • Third, ASIC expects AFS licensees to act quickly in the event of a cyber incident to minimise the risk of ongoing harm. Theft of sensitive personal information can significantly affect consumers’ financial and physical well-being and can be long-lasting. All organisations should regularly re-assess their cyber risks and ensure their detection, mitigation and response measures adequately support the size and complexity of their business, and the sensitivity of the information they hold.
  • Fourth, ASIC strongly encourages licensees to report cyber incidents to the ACSC. Licensees should also consider if any obligation arises to report the incident to ASIC.

Warning to licensees

ASIC also warns that if a licensee fails to meet its obligations as a result of similar conduct or omissions, it may take enforcement action which can result in significant penalties.

In the RI Advice case, the licensee was ordered to pay $750,000 towards ASIC’s costs; however, no pecuniary penalty was imposed, as the relevant conduct predated section 912A(1) becoming a civil penalty provision.

The maximum penalty available for a breach of section 912A(1) is now the greatest of:

  • $10.5 million
  • three times the benefit obtained, or
  • 10% of annual turnover (capped at $525 million).

ASIC’s expectations on cybersecurity are published on its website.

This article is general information only.