ASIC warns AFS licensees must adequately manage cybersecurity risks
The Australian Securities and Investments Commission (ASIC) today outlined its expectations regarding how the holders of Australian financial services (AFS) licenses must meet their cybersecurity obligations.
This follows shortly after, in an Australian first, RI Advice Group Pty Ltd, an Australian financial services (AFS) licensee, was found to have breached its licence obligations by failing to adequately manage its cybersecurity risks.
In the judgment it was noted that RI Advice had a number of inadequate risk management practices across its network. These included some of its authorised representatives failing to have up-to-date antivirus software, system backups, and email filtering or quarantining, as well as poor password practices. Inadequacies in its cybersecurity risk management led to a number of cyber incidents affecting clients in the six-year period to May 2020.
With financial services continuing to move online, this decision highlights the importance of good cybersecurity.
The Australian Cyber Security Centre (ACSC) recommends that organisations implement, at a minimum, the eight essential mitigation strategies from its Strategies to Mitigate Cyber Security Incidents. By implementing these controls, firms reduce their exposure to many common vulnerabilities.
ASIC today outlined its expectations of AFS licensees in this respect.
- First, AFS licensees should be aware of the potential consumer harms that arise from cybersecurity shortcomings.
- Second, they should adopt good cybersecurity risk management practices to reduce potential harm to consumers. ASIC expects active management of cyber risks and continuous cybersecurity improvement, including assessment of cyber incident preparedness and review of incident response and business continuity plans.
- Third, the regulator expects AFS licensees to act quickly in the event of a cyber incident to minimise the risk of ongoing harm. Theft of sensitive personal information can significantly affect consumers’ financial and physical well-being, and the effects can be long-lasting. All organisations should regularly re-assess their cyber risks and ensure their detection, mitigation and response measures adequately support the size and complexity of their business and the sensitivity of the information they hold.
- Finally, ASIC strongly encourages AFS licensees to report cyber incidents to the ACSC. Licensees should also consider whether any obligation arises to report the incident to ASIC.
It is important to note that dual-regulated AFS licensees will also have obligations to comply with the standards of other regulators, such as APRA.
If an AFS licensee fails to meet its obligations as a result of similar conduct or omissions, ASIC may take enforcement action, as it did with RI Advice, which can result in significant penalties.