ASIC outlines cyber security expectations for AFS licensees

Miranda Brownlee
16 May 2022

In light of the recent Federal Court ruling on cyber security, ASIC has outlined what its expectations are for AFS licensees in managing cyber security risks and incidents.

Earlier this month, the Federal Court found that an AFS licensee, RI Advice, breached its licence obligations by failing to do all things necessary to ensure the financial services covered by the licence were provided efficiently and fairly, and by failing to adequately manage its cyber security risks.

The RI Advice Group licence covers a range of financial advice firms, including a number of SMSF advice firms.


The Federal Court found that RI Advice had a number of inadequate risk management practices across its network.

According to ASIC, this included some of its authorised representatives failing to have up-to-date antivirus software, system back-ups, or email filtering or quarantining, and having poor password practices.

“Inadequacies in its cybersecurity risk management led to a number of cyber incidents affecting clients in the six-year period to May 2020,” ASIC stated.

In an online update this week, ASIC has highlighted what it expects from AFS licensees in terms of managing cyber security risks.

“First, AFS licensees should be aware of the potential consumer harms that arise from cybersecurity shortcomings,” the corporate regulator stated.

“Second, they should adopt good cybersecurity risk management practices to reduce potential harm to consumers. We expect active management of cyber risks and continuous cybersecurity improvement, including assessment of cyber incident preparedness and review of incident response and business continuity plans.”

ASIC also stated that it expects AFS licensees to act quickly in the event of a cyber incident to minimise the risk of ongoing harm.

“Theft of sensitive personal information can significantly affect consumers’ financial and physical well-being and can be long-lasting,” said ASIC.

“All organisations should regularly re-assess their cyber risks and ensure their detection, mitigation and response measures adequately support the size and complexity of their business, and the sensitivity of the information they hold.”

ASIC said it also strongly encourages AFS licensees to report cyber incidents to the ACSC. Licensees should also consider if any obligation arises to report the incident to ASIC, it added.

“ASIC does not prescribe technical standards nor provide expert guidance on operational aspects of cybersecurity. We also do not prescribe specific requirements for individual licence holders,” it noted.

“We do, however, expect licensees to address cyber risk as part of their AFS licence obligations, including risk management.”

Miranda Brownlee is the deputy editor of SMSF Adviser, which is the leading source of news, strategy and educational content for professionals working in the SMSF sector.

Since joining the team in 2014, Miranda has been responsible for breaking some of the biggest superannuation stories in Australia, and has reported extensively on technical strategy and legislative updates.
Miranda also has broad business and financial services reporting experience, having written for titles including Investor Daily, ifa and Accountants Daily.
