PFA IRC Update: Cybersecurity risks in ASIC’s sights following advisory group failure
ASIC has shown it is more prepared to take action against AFSL holders that aren’t adequately monitoring cybersecurity risks or taking their cybersecurity risk management seriously.
In what has been described as an Australian first, RI Advice was found by the Federal Court of Australia to have breached its licence obligations to act “efficiently and fairly” by failing to ensure that adequate cybersecurity measures were in place and/or adequately implemented across its authorised representatives.
Between June 2014 and May 2020, nine cybersecurity incidents occurred at practices of RI Advice’s authorised representatives. One hacker gained unauthorised access to an RI Advice representative’s server for several months before being detected, with the potential to compromise the confidential and personal information of several thousand clients.
While RI Advice acknowledged its failures and attempted to improve its cyber risk mitigation, the firm took too long to implement change, and this delay contributed to the findings against RI Advice.
In a press release, ASIC Deputy Chair Sarah Court said: “ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment.”
In the RI Advice judgment, the court stated the following, which ASIC cites with approval: “Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”
In its press release, ASIC states it is imperative for all entities, including AFS licensees, to have adequate cybersecurity systems in place to protect against unauthorised access to sensitive personal information about clients.