Last month, local firm RI Advice was found to have breached its licence obligations with the Court ruling that it did not act efficiently and fairly when it failed to have adequate risk management systems to manage its cyber security risks.
According to ASIC, a “significant number” of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020, including an incident where “an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons”.
Appearing on a new episode of the ifa Show podcast, Shane Bell, cyber partner at specialist advisory and restructuring firm, McGrathNicol, acknowledged that many in the advice sector were perplexed by the ruling.
“I certainly acknowledge and appreciate that there’s going to be, within the industry, a bit of ‘So what does this mean for me? What do I have to do? How do I manage this? What are the regulator’s expectations?’ All of those things, I think come from it,” Mr Bell said.
“But I think it’s clear in the judgment… if you’re doing nothing, you need to do something.”
Mr Bell said advisers and practices should ensure that processes they put in place are consistent with ASIC expectations, as per the corporate regulator’s website.
He said that putting a plan in place is a good “starting point”.
“And so if people are a bit perplexed about ‘Where do I start with this?’ I think it’s actually taking stock of what you’re doing, not shying away from that, not asking yourself the questions that you don’t want the answer to, if that makes sense,” he said.
“Because you really need to have the full picture in order to then drive forward.”
Listen to the full podcast with Mr Bell here.
Earlier this week, ASIC called on listed businesses to re-assess cyber risks and make a “long-term” commitment to cyber awareness, with Greg Yanco – executive director, Markets at ASIC – saying that businesses must be ready to respond to online threats.
Meanwhile a new study from LexisNexis Risk Solutions predicted that Australian financial services companies will spend more than $3.6 billion collectively on financial crime compliance this year.
The RI Advice case highlighted a much bigger issue than cybersecurity. It highlighted that licensees have ultimate responsibility for a wide range of systems and processes used by its ARs, even though those ARs are independently owned businesses with their own way of doing things.
It highlighted that the AR based licensing model is not workable in practice if properly enforced. It never should have existed, and needs to be wound up ASAP. All advisers should be self licensed, or direct employees of a licence holder.