Recently, in ASIC v RI Advice Group Pty Ltd [2022] FCA 496, the Federal Court considered the cybersecurity obligations of AFSLs and their authorised representatives.
Under s912A of the Corporations Act 2001 (Corps Act), an AFSL currently has certain core obligations. Those relevant here are to:
- do all things necessary to ensure financial services are provided efficiently, honestly and fairly;
- have adequate resources (including financial, technological, and human resources), to provide financial services and carry out supervisory arrangements; and
- have adequate risk management systems.
In that case, ASIC argued successfully that these core obligations extend to cybersecurity and cyber resilience.
This means that AFSLs, and their authorised representatives, are required to:
- identify the risks faced in the course of providing financial services, including in relation to cybersecurity and cyber resilience; and
- have systems, resources, and controls in place that are adequate to manage risk in respect of cybersecurity and cyber resilience.
The case against RI Advice identified a number of key failings in the management of cybersecurity and cyber resilience. These were:
- computer systems not having up-to-date antivirus software installed and operating;
- no filtering or quarantining of emails;
- backup systems not in place and backups not performed; and
- poor password practices, including sharing of passwords and use of default passwords.
Risks relating to cybersecurity, and the controls that can be deployed to address those risks, will evolve over time. As the services our industry provides are increasingly delivered using digital and computer technology, cybersecurity risk also increases.
Cybersecurity risk is a significant risk connected with the conduct of your business and the provision of financial services. It is impossible to have zero cybersecurity risk, but through adequate cybersecurity policies and controls it is possible to manage and reduce that risk.