Licensees on alert over ASIC cyber test case

Cyber Indemnity Solutions national marketing executive financial services, Fraser Jack, told ifa the regulator’s case against IOOF-owned dealer group RI Advice had exposed similar weaknesses in many licensees’ cyber security policies and audit processes.

“The [cyber resilience] the framework you need to put in place has been there for a long time – ASIC put out its first report on this in 2015 – but the biggest issue they’ve seen is no one is taking the reasonable steps that ASIC is expecting you to take,” Mr Jack said.

“Licensees have felt that their job was to look after their data and it’s the adviser’s job to look after their practice’s data. The issue is who is providing oversight, and at the moment it’s nobody.”

The case, due to go to trial in November, centres around an RI-aligned practice that experienced a number of alleged cyber breaches in 2017 and 2018.

ASIC is seeking declarations from the Federal Court that the dealer group, which was at the time owned by ANZ, breached the Corporations Act by failing to put adequate systems in place across its authorised representatives to reduce the risk of an attack.

Mr Jack said compliance orders made by the regulator against the licensee demonstrated that ASIC expected it to have clear oversight of measures its aligned practices had taken to reduce cyber risk, including adequate staff training and up to date security systems.

“ASIC have said in an email that [RI] have to have implemented all the correct policies, procedures and controls – what that means in real terms is they have to have some dashboard or oversight as to what systems and frameworks are in place,” he said.

“At the moment licensees audit clients files in terms of the advice and the adherence to other parts of the Corporations Act, but they’re not auditing this part. 

“There are a lot of moving parts when it comes to being secure – there’s locking away the data in a digital way where you can have lots of parameters around people hacking it, there are systems like patches that need to be done, and there’s a massive amount of staff training. About 90 per cent of breaches come from the fact that a staff member has clicked on a wrong email.”