Case note: ASIC action for cybersecurity breach of financial services licence

ASIC has announced that it has commenced proceedings in the Federal Court of Australia against RI Advice Group Pty Ltd (RI), an Australian Financial Services (AFS) licence holder, for failing to have adequate cyber security systems.

ASIC alleges that RI breached its financial services licence conditions by failing to implement (including by its authorised representatives, or ARs) adequate policies, systems and resources which were reasonably appropriate to manage risk in respect of cybersecurity and cyber resilience.

ASIC is seeking:

  • declarations that RI contravened provisions of the Corporations Act, specifically sections 912A(1)(a), (b), (c), (d) and (h) and (5A);
  • orders that RI pay a civil penalty in an appropriate amount to be determined by the Court; and
  • compliance orders that RI implements systems that are reasonably appropriate to adequately manage risk in respect of cybersecurity and cyber resilience and provide a report from a suitably qualified independent expert confirming that such systems have been implemented.

ASIC’s action follows a number of alleged cyber breach incidents at certain authorised representatives (ARs) of RI, including Wise Financial Planning, RetireInvest Circular Quay, Frontier Financial Group Pty Ltd (FFG), RI Shepparton and Empowered.

ASIC alleges that after becoming aware of the FFG breach, and with knowledge of the Wise Financial Planning, RI Circular Quay and RI Shepparton cybersecurity incidents, and external reports, RI should have, in consultation with internal or external cybersecurity experts, promptly adopted a cybersecurity framework to guide all of its cyber-related activities, undertaken a risk assessment across its entire network of ARs, and then sought technical security assurance across a number of its ARs as a technical measure of the cybersecurity risks that exist in their organisations.

ASIC says RI failed to do so.

RI was, until 1 October 2018, a wholly owned subsidiary of Australia and New Zealand Banking Group Limited. On 1 October 2018, RI became a wholly owned subsidiary of IOOF Holdings Limited (IOOF).

Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.
