Financial services licences now conditional on cybersecurity measures
In ASIC v RI Advice Group Pty Ltd [2022] FCA 496, the licensee agreed that it had breached s 912A(1)(a) and (h), which require licensees to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly, and to have adequate risk management systems.
Between 2014 and 2020, RI Advice Group’s risk management practices permitted some of its authorised representatives to take inadequate cybersecurity measures, including failing to have up-to-date antivirus software, system backups, email quarantine and password practices. Several of its clients were affected by cybersecurity incidents. One such incident enabled a hacker to access an authorised representative’s server for several months to collect private information about thousands of clients. Not all the funds fraudulently transferred were recovered.
This is the first time that ASIC has used its enforcement powers in relation to cybersecurity risk controls, and the Federal Court’s first consideration of the topic through the lens of the licensees’ general obligations in s 912A. It’s unlikely to be the last.
The July 2022 update of Robson’s Annotated Corporations Legislation in Thomson Reuters' Corporations Law Practice Area features revisions by Grant Holley of Holley Nethercote Lawyers to Parts 7.6 (including s 912A) and 7.8 of the Corporations Act.