The Australian Securities and Investments Commission says it will have a stronger focus on the management of cybersecurity risks, following a Federal Court ruling last week that a company’s inadequate cybersecurity risk management was a breach of the Corporations Act.
ASIC commissioner Cathie Armour said cybersecurity risk was a big and growing issue for financial services firms and regulated entities must put it “front and centre”.
Speaking at a Finsia conference on Friday, Armour said: “Companies are going to have some cyber disruption and they have to be prepared to make an investment in their system security.
“This is not an issue for the IT department. We would expect senior management to be involved.”
ASIC issued a statement outlining what the court ruling means for licensees and setting out the regulator’s expectations. Not only does it expect companies to have risk management systems in place, it also expects them to act quickly in the event of a breach and to report cyber incidents.
It said it does not prescribe technical standards, but it will treat inadequate cybersecurity systems and controls as a potential breach of licence obligations.
The Federal Court ruled that RI Advice Group failed to have documentation and controls in place in respect of cybersecurity and cyber resilience “that were adequate to manage risk in respect of cybersecurity and cyber resilience across its AR [authorised representative] network.”
As a result, it failed “to do all things necessary to ensure the financial services covered by the licence were provided efficiently and fairly”.
RI Advice was an ANZ subsidiary until September 2018, when it was one of three ANZ financial licensees sold to IOOF Holdings (now called Insignia Financial).
Between June 2014 and May 2020, nine cybersecurity incidents occurred at RI authorised representative practices. ASIC took the matter to court in August 2020.
The court ordered the company to engage a cybersecurity expert, agreed to by ASIC, to put a cybersecurity risk management program in place. It must complete the work as soon as possible and report back to ASIC on its progress.