Posted May 17, 2022
Posted By Meghann Cannon
What licensees need to know about managing cybersecurity risks
For the first time in Australia, a court has found that failing to adequately manage cybersecurity risks can amount to a breach of AFS licence obligations.
What did the Federal Court case decide?
The Federal Court found that AFS licensee RI Advice had breached the requirement to ensure that the financial services covered by the licence were provided efficiently and fairly.
It also found that RI Advice did not have adequate risk management systems in place to manage cyber risks.
The case looked at 9 cyber incidents that occurred at RI Advice’s authorised representatives (AR). They included a brute force attack that gave the cyber attacker access to an AR’s server for several months without being detected and compromised the personal information of thousands of clients.
What do you need to know?
The case confirms that staying on top of IT risks, and the systems you have in place to manage these risks, is a core part of meeting your licence obligations.
In this news story, we’ll run through:
- what ASIC expects from AFS licensees when it comes to managing cyber risks; and
- how your current compliance program with Kit Legal (via the DCP) helps you to meet these obligations.
What does ASIC want to see AFS licensees doing to manage cybersecurity risks?
Before getting into ASIC’s expectations, it’s important to point out two important things:
- First, the judge in the RI Advice case acknowledged that it’s impossible to reduce cybersecurity risk to zero. However, she did say it was possible to materially reduce cybersecurity risk through adequate systems.
- Secondly, ASIC doesn’t prescribe specific technical standards or requirements that AFS Licensees must comply with.
Following the case, ASIC published an article setting out its expectations, which we’ve summarised here.
ASIC expects AFS licensees to:
- be aware of the potential consumer harms that arise from cybersecurity shortcomings;
- adopt good cybersecurity risk management practices, including ongoing, active management and continuous improvement processes;
- act quickly if a cyber incident occurs to minimise the risk of ongoing harm;
- consider reporting cyber incidents to the Australian Cyber Security Centre (ACSC) and also consider whether there’s any obligation to report the incident to ASIC.
How does the DCP help you to meet your obligations?
ASIC is focused on the systems that AFS licensees have in place to manage risks that could impact the financial services they provide. Cyber risks are no different.
As part of overall risk management, your compliance program on the DCP is designed to manage cyber risks in three key ways, via quarterly compliance meetings/attestations, annual tasks and checklists and meeting your privacy obligations.
Without setting out every applicable area of the DCP, here’s a summary of how these three areas work together to cover cyber risks:
- compliance meetings/attestations include standing items to consider:
- new or changed risks in the business;
- whether the risk register is up to date (which includes e.g. the risk of failing to maintain adequate IT systems);
- whether IT systems are adequate;
- whether any privacy breaches have occurred.
- annual tasks include:
- reviewing data security processes;
- conduct relevant training;
- meeting your privacy obligations through, for example:
- annually testing your data breach response plan;
- reviewing the risk of unauthorised access to personal information;
- quarterly compliance meeting/attestation items as above.
To strengthen this regime, we’ve amended one of your existing tasks to make it clear that when you complete this task, you’re turning your minds to cyber security, and getting help from your IT service provider where required. The task also references ASIC’s cyber resilience good practices checklist, which is already in your DCP. We’ll be pushing this amended task out this week.
By following your compliance program diligently, you will be maintaining robust oversight over the risks that may arise.
The crucial next step is to act quickly should any of these checks reveal a weakness or failing in relation to IT systems and client data.
We’re also developing a training video to support you in how to engage on cyber security issues with your service provider and some key questions for you to ask. This will be rolled out before the end of the financial year.
What else can you do?
As we’ve said already, the DCP includes a checklist based on ASIC’s cyber resilience good practices which you can use to guide conversations and actions regarding cyber security within your business.
You should also clarify with your IT service provider how your systems are protected based on the ‘essential 8’ strategies developed by the ACSC.
At Kit, we’ll continue to review and update your compliance program as required and there will be more to come in the training space in the coming year.
And as always, we’ll keep you updated on new developments.