About
Meet the team
What we do
Services
Business & Commercial
Defamation
Disputes & Litigation
Recovery & Insolvency
Employment & Industrial Relations
Corporate Governance & ESG
Intellectual Property & Technology
Professional Negligence & Insurance
Wills, Estates & Inheritance
Pro Bono
Industries
Transport & Logistics
Property & Real Estate
Mining & Resources
Public Sector
Non-Profit
Knowledge
Careers
Contact us

Federal Court determines that financial services licensee is obliged to have adequate controls with respect to cybersecurity

May 19, 2022

Every financial services licensee has statutory obligations to do all things necessary to ensure that financial services covered by its licence are provided efficiently and fairly, and to have adequate risk management systems in place.

In an Australian first, the Federal Court has determined in a "test case" prosecution brought by the Australian Securities and Investments Commission that failing to have adequate risk management controls within its cybersecurity constitutes a breach of these statutory provisions.FactsThe financial services licensee, RI Advice, authorised corporate representatives to provide financial services on its behalf.Following a number of incidents across the RI Advice network between June 2014 and May 2020, RI Advice conceded that it had insufficient practices in place to manage cybersecurity with respect to:

  1. Documentation;
  2. Controls; and
  3. Risk management systems.

Examples included licensees' email accounts being hacked or accessed without authorisation, resulting in a number of clients receiving 'fraudulent' email requests for money. The delivery of ransomware, and lack of anti-virus software (including where a 'Cloud' storage system is used), compromised servers and storage of client information.The Court considered that the statutory requirement of financial services to be provided 'efficiently, honestly and fairly' is to be read together, and not as three distinct behaviours.

The Court cautioned that conduct may fail to meet the statutory obligations even in circumstances where the conduct is not capable of being described as 'dishonest'. A breach of the standard required within these obligations is not limited to 'morally wrong conduct in the commercial sense.' This standard creates an obligation of 'competence' on the licence holder.

The Court determined that RI advice had breached this standard.

Comment and key takeaways

The increasing digitisation of professional services brings risks with rewards and increasing obligation on businesses to have adequate protections in place with respect to cybersecurity.

ASIC has indicated that cybersecurity and deficiencies in risk management generally will be more closely scrutinised. Organisations should expect that regulators will take an increased interest in assessing entities and their cybersecurity controls. The Deputy Chair of ASIC Sarah Court has indicated that it is imperative that all entities, including licensees, have adequate systems to protect against cyber-attacks.

A starting point for businesses, ASIC's guide on good practice strategies for cyber resilience, may be accessed here.

Law

Try our pragmatic approach.

Request a call back from the team

Request a call back

Thanks. Your message has been received.
Sorry, something went wrong while submitting the form. Have you completed all the required fields?
Make a PaymentPrivacy Policy
Liability limited by a scheme approved under Professional Standards Legislation.