Close this search box.

Protecting your Business from Cyber Attack, Essential to maintaining your AFSL or ACL

Cyber Attack

ASIC’s recent landmark case against RI Advice Group Pty Ltd has highlighted the importance of Australian Financial Services Licence (“AFSL”) and Australian Credit Licence (“ACL”) holders implementing continuous checks on their compliance procedures in relation to managing cyber attacks. These proceedings are a reflection of ASIC’s increased level of regulatory action in focusing on cyber security and resilience.

Cyber security and the protection of personal information has been a growing concern for entities over the past few years. The threat that cyber risks pose for AFSL and ACL holders is increasing.


What this means for licence holders?

ASIC has provided a general list of good practices to enable AFSL and ACL holders to adopt highly adaptive and responsive cyber resilience processes. These include:

  1. reviewing current cyber security policies and procedures to ensure they are appropriately adapted to the business operations, the financial or credit services offered and the various delivery methods used;
  2. providing a structured and systematic process to assess, manage and mitigate the cyber security risks faced;
  3. establishing and maintaining appropriate controls to minimise the risks that potential cyber attacks pose and limit any adverse outcomes;
  4. reviewing the effectiveness of cyber security controls such as two-factor authentication, cyber training and awareness, incident response methods and filtering of emails;
  5. ensuring any cyber security issues or breaches are remedied internally in a timely manner to effectively manage risk; and
  6. reviewing your policies and procedures to ensure compliance with all applicable laws.


ASIC has also provided a list of expectations following the Federal Court ruling on cybersecurity. These include:

  1. identifying potential consumer harms that can arise from cybersecurity risks;
  2. adopting cybersecurity risk management practices such as assessing cyber incidents, review of incident responses and business continuity plans;
  3. acting timely in the event of a cyber incident to minimise the risk of ongoing harm; and
  4. reporting cyber incidents to the Australian Cyber Security Centre. Licensees should also consider whether this incident needs to be reported to ASIC.


Whilst ASIC does not provide technical standards or expert guidance on cybersecurity, it is expected that AFSL and ACL holders address cyber risks as part of their obligations, including risk management.

We recommend AFSL and ACL holders undertake regular reviews of their resources such as IT systems, breach reporting procedures and recovery systems to effectively manage and mitigate any risks. In doing so, this will allow licence holders to proficiently respond to a cyber-attack.


Consequences for failing to implement adequate cyber security measures:

Apart from the loss of consumer confidence and financial loss, failure to implement adequate cyber security measures may result in enforcement action being taken by ASIC. ASIC views cyber security breaches as a serious matter. Unauthorised access to personal information is significantly detrimental to individuals that are unaware of cybersecurity breaches. This is particularly the case where licence holders do not take appropriate measures to minimise the impact of a cyber-security breach. Licence holders may be liable for civil penalties resulting from non-compliance with their obligations under the Privacy Act and Corporations Act.



The Federal Court found RI Advice Group Pty Ltd (RI Advice Group) had breached its AFSL obligations by failing to implement adequate risk management systems to manage its cybersecurity risks. The finding comes as a result of a number of significant cyber incidents which occurred at authorised representatives of RI Advice Group. ASIC noted these incidents allowed third parties to gain access to clients’ personal information and that it was imperative all licence holders had adequate systems in place to prevent these types of attacks. In addition to engaging a cybersecurity expert, RI Advice Group was ordered to pay $750,000 towards ASIC’s costs.

ASIC strongly encourages licensees to follow the Australian Cyber Security Centre advice in adopting adequate cybersecurity measures to prove its resilience and reduce its risk in an ever increasing cyber-threat environment.


Where to from here?

It is important that licence holders consider the risks that cyber threats have upon your business and your clients. By identifying any areas of concern within your business structure you can help to minimise cyber security threats and the impact of any breach.


Further reading


If you have any questions or concerns about your cyber security obligations, you can contact us.

Check our our Compliance Portal

Subscribe to our Newsletter

Contact Us