ASIC’s recent landmark case against RI Advice Group Pty Ltd has highlighted the importance of licence holders continuously checking their compliance programs and managing cyber attacks. These proceedings reflect ASIC’s increased regulatory focus on cyber security and resilience.
Cyber security and the protection of personal information have been a growing concern for entities over the past few years. The threat that cyber risks pose to Australian Financial Services Licence (“AFSL”) and Australian Credit Licence (“ACL”) holders is increasing.
What does this mean for licence holders?
AFSL and ACL holders should undertake reasonable measures for managing cyber attacks. These may include:
- reviewing current cyber security policies and procedures to ensure they are appropriately adapted to the business operations, the financial or credit services offered and the various delivery methods used;
- providing a structured and systematic process to assess, manage and mitigate the cyber security risks faced;
- establishing and maintaining appropriate controls to minimise the risks that potential cyber attacks pose and limit any adverse outcomes;
- reviewing the effectiveness of cyber security controls such as two-factor authentication, cyber training and awareness, incident response methods and filtering of emails;
- ensuring any cyber security issues or breaches are remedied internally in a timely manner to effectively manage risk; and
- reviewing their policies and procedures to ensure compliance with all applicable laws.
ASIC has also provided a general list of good practices to enable AFSL and ACL holders to operate highly adaptive and responsive cyber resilience processes.
We recommend AFSL and ACL holders undertake regular reviews of their resources, such as IT systems, breach reporting procedures and recovery systems, to effectively manage and mitigate any risks. Doing so will allow licence holders to respond effectively to a cyber attack.
Consequences for failing to implement adequate cyber security measures:
Apart from the loss of consumer confidence and financial loss, failure to implement adequate cyber security measures may result in enforcement action being taken by ASIC. ASIC views cyber security breaches as a serious matter. Unauthorised access to personal information is significantly detrimental to individuals who are unaware of cyber security breaches. This is particularly the case where licence holders do not take appropriate measures to minimise the impact of a cyber security breach. Licence holders may be liable for civil penalties resulting from non-compliance with their obligations under the Privacy Act and Corporations Act.
Where to from here?
It is important that licence holders consider the risks that cyber threats pose to their business and their clients. By identifying any areas of concern within the business structure, licence holders can help to minimise cyber security threats and the impact of any breach.
- ASIC Report 429 – Cyber Resilience: Health Check
- ASIC – Cyber Resilience Good Practices
- ASIC Regulatory Guide 78 – Breach Reporting by AFS Licensees
If you have any questions or concerns about your cyber security obligations, you can contact us.