summary
The Federal Court has found that financial adviser RI Advice has breached its Australian Financial Services (“AFS”) licence obligations. RI Advice failed to have adequate risk management systems to manage its cybersecurity risks and, as a result, breached its AFS licence obligations to act ‘efficiently, honestly and fairly’ as required by section 912A of the Corporations Act (Cth) 2001…
A significant number of cyber incidents occurred at RI Advice between June 2014 and May 2020. In one incident, an unknown malicious agent obtained unauthorised access to a server in December 2017 and was not detected until April 2018, resulting in the potential compromise of confidential personal information of thousands of clients. ASIC Deputy Chair, Sarah Court, said that the cyber attacks were ‘significant events that allowed third parties to gain unauthorised access to sensitive personal information’ and that ‘it is imperative for all entities to have adequate cybersecurity systems in place’.
risk management
When handing down her judgment, Justice Rofe made it clear that ‘Cybersecurity risk poses a significant risk with the conduct of financial services and that cybersecurity should be a priority for all licensees’. Justice Rofe acknowledged that ‘it is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cyber security risk through adequate cybersecurity documentation and controls to an acceptable level.’
RI Advice has now taken steps to address cybersecurity risk across its authorised representative network. The Court ordered RI Advice to engage a cybersecurity expert to identify and implement what further measures are necessary to adequately manage cybersecurity risks. RI Advice has been ordered to pay $750,000 towards ASIC’s costs, deterring other AFS licensees from engaging in similar conduct.
next steps
To access the full decision of ASIC v RI Advice Group Pty Ltd [2022] FCA 496 please click here.
To access ASIC’s regulatory resources that include further information about cybersecurity and cyber resilience please click here.
For more information, and any guidance or advice on cybersecurity, Cleveland & Co External in-house counsel™, your specialist outsourced legal team, are here to help.