What a Federal Court ruling on cybersecurity means for AFS licensees

May 13th '22

  • AFS licensees must adequately manage cybersecurity risks as part of their licence obligations.
  • Adequate technological systems, policies and procedures should be in place to ensure sensitive consumer information is protected and to minimise the risk of consumer harm.
  • ASIC will take enforcement action when an AFS licensee does not meet these obligations.


In an Australian first, an Australian financial services (AFS) licensee has been found to have breached its licence obligations by failing to do all things necessary to ensure the financial services covered by the licence were provided efficiently and fairly, and by failing to adequately manage its cybersecurity risks.


In the judgment it was noted that RI Advice Group Pty Ltd had a number of inadequate risk management practices across its network. This included some of its authorised representatives failing to have up-to-date antivirus software, system backups, email filtering or quarantining, and poor password practices. Inadequacies in its cybersecurity risk management lead to a number of cyber incidents affecting clients in the six-year period to May 2020.


With financial services continuing to move online, this decision highlights the importance of good cybersecurity.


In her judgment, Justice Rofe made it clear that cybersecurity should be front of mind for all AFS licensees. She acknowledged that while ‘[i]t is not possible to reduce cybersecurity risk to zero … it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls…’


The Australian Cyber Security Centre (ACSC) recommends organisations implement eight essential mitigation strategies, at a minimum, from their Strategies to mitigate cyber security incidents. By implementing these steps, firms protect themselves against many vulnerabilities.


But, it doesn’t end there.


  • ASIC expectations of AFS licensees

First, AFS licensees should be aware of the potential consumer harms that arise from cybersecurity shortcomings.


Second, they should adopt good cybersecurity risk management practices to reduce potential harm to consumers. We expect active management of cyber risks and continuous cybersecurity improvement, including assessment of cyber incident preparedness and review of incident response and business continuity plans.


Third, we expect AFS licensees to act quickly in the event of a cyber incident to minimise the risk of ongoing harm. Theft of sensitive personal information can significantly affect consumers’ financial and physical well-being and can be long-lasting. All organisations should regularly re-assess their cyber risks and ensure their detection, mitigation and response measures adequately support the size and complexity of their business, and the sensitivity of the information they hold.


Finally, we strongly encourage AFS licensees to report cyber incidents to the ACSC. Licensees should also consider if any obligation arises to report the incident to Australian Securities & Investments Commission (ASIC).


ASIC does not prescribe technical standards nor provide expert guidance on operational aspects of cybersecurity. We also do not prescribe specific requirements for individual licence holders. We do, however, expect licensees to address cyber risk as part of their AFS licence obligations, including risk management.


It is important to note that dual regulated AFS licensees will also have obligations to comply with the standards of other regulators, such as APRA.


  • What does this decision mean for your organisation?

This decision confirms that AFS licensees must have adequate technological systems, policies and procedures to ensure sensitive consumer information is protected. This will minimise the risk of consumer harm.


If an AFS licensee fails to meet its obligations as a result of similar conduct or omissions ASIC may take enforcement action, as we did with RI Advice, which can result in significant penalties.


  • Where can I find out more about my obligations?

Visit our website for more resources on cyber resilience, including cyber resilience good practices and key questions for boards of directors.


Source: © Australian Securities & Investments Commission. Reproduced with permission.


ASIC is Australia’s integrated corporate, markets, financial services and consumer credit regulator.


Related: Why get your advice from a licensed financial adviser?


About us

LS Consultancy are experts in Marketing and Compliance. We provide a cost-effective and timely bespoke copy advice and copy development services to make sure all your advertising and campaigns are compliant, clear and suitable for their purpose.


Our range of innovative solutions can be tailored to suit your unique requirements, no matter whether you’re currently working from home, or are continuing to go into the office. Our services can be deployed individually or combined to form a broader solution to release your energies and focus on your clients.


Contact us today for a chat or send us an email to find out how we can support you in meeting your current and future challenges with confidence.


Explore our full range today.


Contact us


Call Us Today on 020 8087 2377 or send us an email.


We’re looking for guest writers with business know-how and experience to create outstanding articles to feature on our website. Sound like you? Then find out more…