ASIC has warned that failure to address cyber security could see company directors fall short of their regulatory obligations.
Commissioner Danielle Press said June’s landmark ruling against RI Advice – which found that the local firm breached its licence obligations by failing to have adequate risk management systems to manage its cyber security risks – should serve as a timely reminder for company directors about cyber security risk oversight and disclosure obligations.
“ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience. Failing to do so could cause you to fall foul of your regulatory obligations,” Ms Press said.
“Measures taken should be proportionate to the nature, scale and complexity of your organisation – and the criticality and sensitivity of the key assets held. This includes reassessment of cyber security risks on an ongoing basis, based on threat intelligence and vulnerability identification.
“ASIC also expects this to include oversight of cyber security risk throughout your organisation’s digital supply chain.”
Ms Press said that, in a bid to drive a strong “cyber resilience culture”, company directors should look to assess their current risk management framework and make adjustments where needed, enquire about incident response and business continuity plans, and ensure access to the resources needed to effectively manage cyber security risks.
Ms Press also reminded directors that they may be required to disclose cyber risks and incidents and that failure to do so may be a breach of their directors’ duties.
Following the ruling against RI Advice in June, ASIC reported a “significant number” of cyber incidents which occurred at authorised representatives of RI Advice between June 2014 and May 2020, including an incident where “an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons”.
RI Advice was also ordered to pay $750,000 towards ASIC’s costs.
Shortly after the decision, Ajay Unni, CEO and founder of cyber security provider StickmanCyber, said “businesses must learn” from the landmark decision.
Then, on a recent episode of the ifa Show podcast, Shane Bell, cyber partner at specialist advisory and restructuring firm McGrathNicol, suggested that cyber security should be a top three issue for financial advisers and their businesses.
“Technology is embedded in everything that we’re doing. And for that reason, cyber security has to be in some of the top risks that you’re considering,” Mr Bell said.
“And so if that’s your starting position, which I think it should be, then I don’t think it has to be about choosing between cyber and something else. I think if you’ve got a good risk culture, then it’s about connecting cyber up to that.”
Listen to the full podcast with Mr Bell here.
Just add this to the never-ending list of things that ASIC will persecute advisers for…
Cyber security is one of a number of issues that can only be practically managed at an advice firm level. It can’t be done by an AFSL that has separate advice firms or sole traders operating as “authorised representatives”. It can’t be done by an individual adviser within a firm. The same could be said for a whole range of control and supervision functions necessary for effective licensing and consumer protection.
That’s why all advice AFSLs must be held by the firm that directly employs the adviser, and all advisers must be employed by an AFSL holder. It’s time to get rid of “authorised representatives” from the licensing model.
Correct B. The Government won’t help stop the perpetrators, but will punish the victims. What a joke. Out of interest, did they take themselves to court when ASIC was hacked on January 15 2021 in an Accellion attack? Word is ASIC were themselves asleep at the wheel. So don’t do as I do, do as I say. Let’s kick that victim of a crime while they are down.
Incredible that the victim of the crime gets blamed and punished in practical terms more than the perpetrator of the crime. That’s the regulatory environment we operate in.
Except when it is ASIC. They were hacked and yet they can just carry on as normal.
“The corporate watchdog waited 10 days before informing financial institutions its servers had been hacked in a cyber attack that has wreaked havoc for major institutions including blue-chip law firm Allens and the Reserve Bank of New Zealand.”
A university was recently hacked and lost a lot of sensitive data… Where is ASIC about that one? Nothing…
Just shows the culture within ASIC.
Yeah, but if we don’t take adequate measures to protect our clients as an AFSL then we should be held accountable for that, as it’s our responsibility – they weren’t pinned for the event, rather for the lack of process and protection they didn’t have.
Yes everyone should take adequate measures but what is adequate? There is no guidance, and ASIC still seem happy to fine you even if you have, what you think are, adequate systems & protection.
Agreed! They supply us with no guidelines on what is adequate and push the blame onto business owners, who are already struggling. Perhaps shift the blame to those policing cybercrime?