ASIC has issued a response following the Federal Court’s landmark decision against AFS licensee, RI Advice.
The group was found to have breached its licence obligations with the Court ruling that it did not act efficiently and fairly when it failed to have adequate risk management systems to manage its cyber security risks.
According to ASIC, a “significant number” of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020, including an incident where “an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons”.
RI Advice was also ordered to pay $750,000 towards ASIC’s costs.
In a statement released this week, ASIC said AFS licensees should be aware of the “potential consumer harms” and adopt good cyber security risk management to reduce potential harm.
“We expect active management of cyber risks and continuous cyber security improvement, including assessment of cyber incident preparedness and review of incident response and business continuity plans,” the statement read.
“…we expect AFS licensees to act quickly in the event of a cyber incident to minimise the risk of ongoing harm. Theft of sensitive personal information can significantly affect consumers’ financial and physical well-being and can be long-lasting.”
ASIC concluded: “This decision confirms that AFS licensees must have adequate technological systems, policies and procedures to ensure sensitive consumer information is protected. This will minimise the risk of consumer harm.
“If an AFS licensee fails to meet its obligations as a result of similar conduct or omissions ASIC may take enforcement action, as we did with RI Advice, which can result in significant penalties.”
Shortly after the decision, CEO and founder of cyber security provider, StickmanCyber, Ajay Unni, said “businesses must learn” from the landmark decision.
“With a rise in complexity and frequency of cyber threats, it isn’t a question of if your business will fall prey to a cyber attack, it is more a question of when an attack will occur,” Mr Unni said.
“Businesses, regardless of their size, type, and industry, need to enhance their cyber resilience.”
So, I have no server. My email server is provided by an acknowledged cyber expert. All confidential client info on file is kept on a CRM with cloud in Sydney. Do not run a website! Am I expected to seek assurances from the CRM provider.
I fully understand cyber risks. But if I was being conspiratorial, I would suspect this is just another ASIC move which favours the big end the town because only they could afford the expense that ASIC seems to be suggesting. Remember it has long been the ASIC business model to have no more than 200 AFSLs. Makes it easy to close them down when they been naughty, like they did with Westpac in 1999