Cybersecurity has been a key risk management issue for AFS licensees for several years and remains an area of focus for ASIC. Between June 2014 and May 2020, an AFS licensee (RI Advice) experienced a significant number of cyber incidents that resulted in the potential compromise of confidential and sensitive personal information of several thousand clients and other people.
Last week, the Federal Court found RI Advice breached its general obligations as an AFS licensee. The Court said RI Advice failed to act efficiently and fairly and failed to have in place adequate risk management systems. This is the first time such a finding has been made.
The Court made it clear that cybersecurity should be front of mind for all licensees and that, while it is not possible to reduce cybersecurity risk to zero, it is possible to materially reduce the risk through adequate cybersecurity documentation and controls.
All AFS licensees should have robust cybersecurity procedures in place to ensure their obligations as a licensee are met and their business is not jeopardised.