ASIC outlines cybersecurity expectations

Following on from RI Advice's Federal Court loss, the corporate regulator has laid out its expectations of licensees when it comes to cybersecurity.

Just last week, in what was an Australian-first, the Federal Court found RI Advice failed its obligations as an AFSL holder by failing to have adequate systems in place to manage cybersecurity risks.

ASIC says the determination should serve as a wake-up call to all licensees as to their obligations, saying that should be aware of the potential consumer harms that arise from cybersecurity shortcomings.

Licensees are also expected to adopt good cybersecurity risk management practices to reduce potential harm, ASIC said.

Sponsored by Praemium Find out how managed accounts enhance practice success

"We expect active management of cyber risks and continuous cybersecurity improvement, including assessment of cyber incident preparedness and review of incident response and business continuity plans," the regulator said.

They're also expected to act quickly in the event of a threat or incident, with ASIC saying cybersecurity measures should be regularly reviewed and any mitigation and response measures should adequately support the size and complexity of the business as well as the sensitivity of the information on file.

Finally, ASIC strongly encouraged licensees to report incidents to the Australian Cyber Security Centre and said that if any issue arises, they should also consider whether ASIC should be informed.

"ASIC does not prescribe technical standards nor provide expert guidance on operational aspects of cybersecurity. We also do not prescribe specific requirements for individual licence holders. We do, however, expect licensees to address cyber risk as part of their AFS licence obligations, including risk management," the regulator said.

Failure to comply with such expectations could result in ASIC action and lead to significant penalties, it said. RI Advice was ordered to pay $750,000 towards ASIC's costs.