ASIC says AFS licensees need cybersecurity controls as part of license obligations

The Australian Federal Court found an AFS licence holder in breach of its licence obligations for failing to adequately manage its cybersecurity risks.

Cybersecurity measures are not mentioned in the Australian Financial Services (AFS) licence conditions. However, the Australian Securities & Investments Commission (ASIC) has confirmed that adequate cybersecurity measures are required of regulated financial market participants.

The regulator said:

ASIC does not prescribe technical standards nor provide expert guidance on operational aspects of cybersecurity. We also do not prescribe specific requirements for individual licence holders.

We do, however, expect licensees to address cyber risk as part of their AFS licence obligations, including risk management.

Additionally, the Australian watchdog clarified that dual-regulated AFS licensees also have the obligation to comply with all necessary standards of the other regulator.


A need for cyber security measures

The question of cybersecurity measures as part of the obligations of AFS licensees arose from a ruling of the Australian Federal Court against RI Advice Group Pty Ltd. The company was found in breach of its AFS licence obligations because of a lack of adequate risk management practices across its network.

Among the security shortcomings were representatives without up-to-date antivirus software or system backups, and poor password practices. These omissions in cybersecurity risk management led to cyber incidents affecting clients over the six-year period to May 2020.

Although the judge acknowledged that it is not possible to reduce the risk of a cyber-attack to zero, cybersecurity should be a priority for all AFS licensees.

The Australian Cyber Security Centre (ACSC) recommends that organisations implement at least its eight essential mitigation strategies to reduce cybersecurity risk.

ASIC noted that cybersecurity shortcomings can lead to consumer harm.

The regulator stated:

This decision confirms that AFS licensees must have adequate technological systems, policies and procedures to ensure sensitive consumer information is protected. This will minimise the risk of consumer harm.

If an AFS licensee fails to meet its obligations as a result of similar conduct or omissions, ASIC may take enforcement action, as we did with RI Advice, which can result in significant penalties.
