Virtual Business Partners head, David Carney, has called for better management of cyber security risks following May’s landmark ruling against RI Advice which saw the Federal Court rule that the advice group failed to have adequate risk management systems to manage its cyber security risks.
According to ASIC, a “significant number” of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020, including an incident where “an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons”.
Mr Carney said the ruling has motivated licensees and insurers to “critically” examine their standards in a new opinion piece published on ifa.
“Whilst all advice businesses have professional indemnity (PI), very few have coverage specifically for cyber security. This is due to a lack of proper education by the industry around the issue. In addition, cyber security is currently not a requirement for corporate authorised representatives or PI insurers,” Mr Carney wrote.
“This is expected to change. If cyber security protection is not mandated, it should be considered best practice given the rate of attempted cyber attacks globally as infrastructure moves to digital storage via remote access.”
Mr Carney said practices should consider outsourcing as while most risk compliance managers understand what is required to manage threats, corporate governance frameworks offer “little insight” in how to execute a proper strategy.
He suggested this is because cyber security approaches take on by businesses can vary.
“As more practices shift to self-licensing, there is also a greater need for businesses to understand issues of governance, cyber security and sustainability as they are no longer outsourcing these competencies to a licensee,” Mr Carney wrote.
“Advice practices have no excuse to not implement cyber security into their governance framework. Not only will it provide the principal (and the team) peace of mind, but it will also give them assurance that they won’t be prone to data breaches and become the next whose licensee finds themselves on the wrong side of ASIC.”
Read the full opinion piece here.
Late last month, ASIC warned that failure to address cyber security could see company directors fall short of their regulatory obligations.
Commissioner Danielle Press said that the ruling against RI Advice should serve as a timely reminder for company directors about cyber security risk oversight and disclosure obligations.
“ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience. Failing to do so could cause you to fall foul of your regulatory obligations,” Mr Press said.
It’s a bit rich for ASIC to be lecturing everyone around cyber security when they themselves have experienced a significant hack which exposed sensitive information. Based on Danielle Press’s attitude who exactly at ASIC faced the consequences of their failings? Or was it as she likes to say “above her pay grade”.