Are your cybersecurity systems adequate to comply with your s.912A obligations?
What you need to know
- ASIC has recently commenced proceedings against an AFS licensee alleging that the licensee breached section 912A of the Corporations Act by failing to have adequate cybersecurity systems in place.
- ASIC alleges that a series of cyberattacks, over several years, allowed attacker(s) to gain access to sensitive client information (including client identification documentation) held by authorised representatives of an AFS licensee.
- Cybersecurity and cyber resilience in Australia's financial markets was already an identified area of focus for ASIC.
What you need to do
- AFS licensees should review and test the adequacy of their existing systems and resources for dealing with cybersecurity and cyber resilience.
- Given the magnitude and prominence of cyber risk for most organisations, ASIC expects that Boards should have appropriate oversight over the adequacy of the systems and resources for dealing with this risk.
- AFS licensees should consider having the effectiveness of their systems and controls tested by independent experts.
- AFS licensees with authorised representatives are responsible for ensuring that the systems and resources maintained by their authorised representatives to deal with cybersecurity and cyber resilience are adequate.
ASIC commences proceedings against AFS licensee for alleged failure to have adequate cyber security systems
ASIC's proceedings against RI Advice Group Pty Ltd (RI) seek a declaration that RI contravened section 912A(1) of the Corporations Act 2001 (Cth) (Corporations Act).
Facts
ASIC alleges that authorised representatives (ARs) of RI were the target of "brute force" cyberattacks from 15 May 2018 to 12 March 2019. During this time Frontier Financial Group Pty Ltd (Frontier), an AR of RI, was targeted, and a malicious user gained access to Frontier's server and spent more than 155 hours logged into the server, which contained sensitive client information including identification documents.
What ASIC is seeking
ASIC seeks the following:
- declarations from the Federal Court of Australia that RI contravened provisions of the Corporations Act including ss 912A(1)(a)-(d) and (h) and (5A);
- a pecuniary penalty in an amount declared by the Court;
- compliance orders requiring RI to implement systems that are reasonably appropriate to adequately manage risk in respect of cybersecurity and cyber resilience within 3 months of the declaration; and
- orders requiring RI to engage a qualified independent expert to confirm the systems have been implemented within 5 months of the declaration.
Significance of this action
AFS licensees have various obligations to comply with as set out by ASIC and the Corporations Act. These include obligations under section 912A of the Corporations Act to do all things necessary to ensure financial services are offered efficiently, honestly and fairly; to have adequate financial, technological and human resources; and to have adequate risk management systems in place.
This is the first known action brought by ASIC against an AFS licensee alleging deficient cybersecurity practices. It emphasises how seriously ASIC views the importance of AFS licensees having effective and robust cybersecurity risk management practices in place.
Regardless of the size or nature of an organisation, cyber incidents are now a serious and constant threat. The reality is that at some point all organisations will have to deal with some form of cyber incident and therefore adequate preparation for such an eventuality is imperative.
Authors: Jonathan Gordon, Partner; Corey McHattan, Partner; and Stephen Tudjman, Consultant.