Australia: Cybersecurity now a legal obligation for AFS Licensees
By Kane Barnett and Bernard Sia
As technology continues to drive change within the financial services industry, Australian courts and regulators have confirmed that Australian financial services (AFS) licensees must address cybersecurity risk. On 5 May 2022, the Australian Federal Court ruled in favour of the Australian Securities and Investments Commission (ASIC), holding that AFS licensee RI Advice Group Pty Ltd (RI Advice) had breached its statutory obligations by failing to have adequate cybersecurity measures in place.
RI Advice, as an AFS licensee, had obligations under the Corporations Act 2001 (Cth) to ‘do all things necessary to ensure that the financial services were provided efficiently, honestly and fairly’, and to ‘have adequate risk management systems’ in place.
The Federal Court found that a lack of proper anti-virus software, robust password practices and effective system backups, amongst other things, had all contributed to 9 cybersecurity incidents involving RI Advice’s authorised third-party representatives over a 6-year period. As a result, the Court held that RI Advice’s cybersecurity measures fell short of its obligations to ensure that services were provided efficiently and fairly and to have adequate risk management systems across its network of representatives.
The Federal Court orders included that RI Advice engage cybersecurity experts to identify and implement further measures where necessary and to pay $750,000 towards ASIC’s costs.
- Robust cybersecurity and cyber resilience measures are part of an AFS licensee’s obligations.
- ASIC has now taken, and is willing to take, enforcement action where AFS licensees are not meeting their cybersecurity risk management obligations.
- AFS licensees must be thorough in ensuring that any authorised third-party representatives have adequate cybersecurity risk management practices actually in place, not merely plans to implement them.
AFS licensees should be aware of, and review their current practices against, the relevant regulatory guidelines on cyber resilience.