ASIC has referred to the Federal Court judgment in Australian Securities and Investments Commission v RI Advice Group Pty Ltd to support its statement of expectations of AFS licensees for cyber security and to express its views that failure of cyber security measures was the number one risk for Australian executives.
These statements coincide with the introduction of the obligation to report cyber security incidents for critical financial services infrastructure assets. Background.
ASIC says that:
- AFS licensees should be aware of the potential consumer harms that arise from cybersecurity shortcomings;
- they should actively manage cyber risks and continuously improve cybersecurity, including assessment of cyber incident preparedness and review of incident response and business continuity plans;
- AFS licensees should act quickly in the event of a cyber incident to minimise the risk of ongoing harm. Theft of sensitive personal information can significantly affect consumers’ financial and physical well-being and can be long-lasting;
- AFS licensees should report cyber incidents to the Australian Cyber Security Centre. Licensees should also consider if any obligation arises to report the incident to ASIC.
ASIC has referred auditors to the guidelines produced by the Auditing and Assurance Board Bulletin: The Consideration of Cyber Security Risks in an Audit of a Financial Report for more information.
Reporting of cyber security incidents for critical infrastructure assets
From 8 July 2022 owners or operators of critical infrastructure assets (which include critical banking assets and critical payment systems) who become aware of a cyber security incident that has had a significant impact on an asset (materially disrupting the availability of essential goods or services provided by the asset) must report the incident to the Australian Signals Directorate within 12 hours.
All other cyber security incidents must be reported within 72 hours.
If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.
Author: David Jacobson
Principal, Bright Corporate Law
About David Jacobson
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.