Attention AFSL holders: cybersecurity now forms part of a holder's general duties – Lexology

In an Australian first, the Federal Court has read into an Australian Financial Services Licence (AFSL) holder’s general duties an obligation to maintain adequate cybersecurity protections and mitigate cybersecurity risks, including holding AFSL holders responsible for the failures of any Authorised Representatives that perform work on their behalf.
AFSL holders have general duties to provide financial services efficiently, honestly, and fairly, and to maintain adequate risk management systems. By failing to maintain adequate cybersecurity protections, the Federal Court (in the decision of ASIC v RI Advice [2022] FCA 496) found that RI Advice (RI), a subsidiary of ANZ, had failed to meet both of these duties.
What happened?
RI relied on a network of independently owned authorised representatives (ARs) to provide financial advice to RI clients on its behalf. This network of ARs electronically received, hosted, and accessed personal information of RI’s clients, such as their full names, phone numbers, email addresses and drivers’ licenses. As independent operators, these ARs varied in levels of cybersecurity protection, leaving the personal information of many RI clients vulnerable to the efforts of hackers.
Between May 2018 and August 2021, RI’s ARs were the subject of at least nine cybersecurity breaches. As a consequence of the breaches, fraudulent emails were sent from hacked AR email accounts to RI clients, urging them to transfer funds (including one client who made numerous transfers totalling almost $50,000). In a separate incident, hackers accessed files containing the personal information of up to 220 clients and held them for ransom. The most egregious incident involved a malicious agent gaining access to an AR practice’s server and remaining undetected for several months. This server held the personal information of several thousand RI clients.
Did RI have any cybersecurity protections at the time?
Up to May 2018, RI had taken certain steps in respect of its cybersecurity risk for its ARs, including:
Despite this, inquiries made by RI following these cybersecurity incidents revealed that there were a variety of issues in the respective ARs’ management of cybersecurity risk, including:
Ultimately, RI did not have adequate risk management systems to mitigate cybersecurity threats during this period.
What did the Court find?
As an AFS licensee, RI is bound by duties under the Corporations Act 2001 (Cth) (‘the Act’), including:
The Court considered that the standard of ‘efficiently, honestly, and fairly’ meant that it was appropriate to measure the alleged conduct against the reasonable standard that a person qualified in the relevant field would expect. Given the variety of issues in RI’s cybersecurity protocols detailed above, it was clear that RI’s conduct fell short of what a cybersecurity expert would expect of a financial services firm working with clients’ sensitive personal information.
Furthermore, the Court recognised that the obligation on AFS licensees to have adequate risk management systems extends to cybersecurity, as it forms a “significant risk connected with the …provision of financial services”. Although the Court recognised that cybersecurity risk cannot be reduced to zero, RI failed to implement adequate cybersecurity documentation and controls to reduce cybersecurity risk to an acceptable level.
RI was subsequently found in breach of both s 912A(1)(a) and s 912A(1)(h) and was ordered, among other orders, to pay $750,000 towards ASIC’s legal costs.
What does this mean for AFS licensees in future?
This case was a statement by ASIC to AFS licensees to ensure they are taking the threat of hackers and cyberspace vulnerabilities seriously. To achieve this, AFS licensees can take the following actions, as recommended by the Federal Court: