Earlier this month, the Federal Court found that an AFS licensee, RI Advice, breached its licence obligations by failing to do all things necessary to ensure the financial services covered by the licence were provided efficiently and fairly, and by failing to adequately manage its cyber security risks.
The RI Advice Group licence covers a range of financial advice firms, including a number of SMSF advice firms.
The Federal Court found that RI Advice had a number of inadequate risk management practices across its network.
According to ASIC, this included some of its authorised representatives failing to have up-to-date antivirus software, system back-ups, email filtering or quarantining, and poor password practices.
“Inadequacies in its cybersecurity risk management lead to a number of cyber incidents affecting clients in the six-year period to May 2020,” ASIC stated.
In an online update this week, ASIC has highlighted what it expects from AFS licensees in terms of managing cyber security risks.
“First, AFS licensees should be aware of the potential consumer harms that arise from cybersecurity shortcomings,” the corporate regulator stated.
“Second, they should adopt good cybersecurity risk management practices to reduce potential harm to consumers. We expect active management of cyber risks and continuous cybersecurity improvement, including assessment of cyber incident preparedness and review of incident response and business continuity plans.”
ASIC also stated that it expects AFS licensees to act quickly in the event of a cyber incident to minimise the risk of ongoing harm.
“Theft of sensitive personal information can significantly affect consumers’ financial and physical well-being and can be long-lasting,” said ASIC.
“All organisations should regularly re-assess their cyber risks and ensure their detection, mitigation and response measures adequately support the size and complexity of their business, and the sensitivity of the information they hold.”
ASIC said it also strongly encourages AFS licensees to report cyber incidents to the ACSC. Licensees should also consider if any obligation arises to report the incident to ASIC, it added.
“ASIC does not prescribe technical standards nor provide expert guidance on operational aspects of cybersecurity. We also do not prescribe specific requirements for individual licence holders,” it noted.
“We do, however, expect licensees to address cyber risk as part of their AFS licence obligations, including risk management.”
