In this article, consultant Jeunesse Meldrum discusses some key take-aways following ASIC's recent allegations against RI Advice Group (RI) about having inadequate cyber security systems and encourages you to health check your business' cyber resilience. It seems ASIC is sending a clear message that it fully intends to enforce cyber security and resilience obligations.

ASIC ACTION

On 21 August 2020, ASIC commenced proceedings against RI, an Australian financial services (AFS) licensee, for alleged failure to implement adequate policies, systems and resources to manage risk in respect of cyber security and cyber resilience across its authorised representative (AR) network.

ASIC's action followed a number of alleged cyber breach incidents at ARs of RI, including a 'brute force' attack where a malicious user gained remote access to an AR's server and spent more than 155 hours logged into the server, which contained sensitive client information, including identification documents.

ASIC alleges this failure and others caused RI to breach its general obligations as an AFS licensee to—

• do all things necessary to ensure financial services are provided efficiently, honestly, and fairly
• comply with the conditions of its licence and with the financial services laws, and
• have adequate resources and risk management systems.

These proceedings come at a time when ASIC has also identified monitoring cyber resilience as a key focus in its Corporate Plan for 2020-2024.

KEY TAKE-AWAYS

Here are some key take-aways for your cyber resilience health check:

• Good practice in relation to cyber security strategy and governance is characterised by board ownership and responsible and agile governance models.
• It is essential that businesses allocate adequate resources (including technological, human, and financial) to cybersecurity and cyber resilience.
• Cyber security documents should be tailored to the requirements of each specific business. ASIC took issue with the fact that many of RI's documents were developed by its parent company and were not tailored to RI and its AR's requirements.
• Businesses should adopt and implement cyber security documentation and controls across all cyber security domains, including asset management, supply chain risk management, incident response and communication, and continuity and recovery planning.
• AFS licensees should have comprehensive documentation for the management of cyber security across their entire AR network.
• In the event of a cyber security attack, ASIC expects an AFS licensee will promptly do the following, as relevant, depending on the nature of the incident:
  • Properly review the effectiveness of cyber security controls (eg password effectiveness, email filtering, application whitelisting etc) across its business and AR network.
  • Ensure controls are remediated where necessary.
  • Engage a cyber security firm to perform cyber security assurance risk reviews of its business and its AR organisations.
  • Consult with cyber security experts to develop and adopt a cyber security framework to guide its cyber-related activities.
  • Seek technical security assurance from its ARs about the cyber security risks that exist in the AR organisations.
  • Develop and implement a cyber security remediation plan and supporting initiatives that are tailored to its AR network.

WHAT SHOULD YOU DO NEXT?

AFS licensees should health check their risk management systems and resources in respect of cyber attacks, data breaches, technology failures and system outages, including across their AR networks.

ASIC Report 429—Cyber resilience: Health Check includes helpful prompts to consider in the context of your business.

Our lawyers can help you comply with your breach reporting obligations if you identify a cyber security incident. We can also help you ensure appropriate disclosure of cyber risks is made to investors, including in offer documents.