ASIC has warned that failure to address cyber security could see company directors fall short of their regulatory obligations.
Commissioner Danielle Press said June’s landmark ruling against RI Advice – which found that the local firm breached its licence obligations by failing to have adequate risk management systems to manage its cyber security risks – should serve as a timely reminder for company directors about cyber security risk oversight and disclosure obligations.
“ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience. Failing to do so could cause you to fall foul of your regulatory obligations,” Ms Press said.
“Measures taken should be proportionate to the nature, scale and complexity of your organisation – and the criticality and sensitivity of the key assets held. This includes reassessment of cyber security risks on an ongoing basis, based on threat intelligence and vulnerability identification.
“ASIC also expects this to include oversight of cyber security risk throughout your organisation’s digital supply chain.”
Ms Press said that, in a bid to drive a strong “cyber resilience culture”, company directors should assess their current risk management framework and make adjustments where needed, enquire about incident response and business continuity plans, and ensure access to the resources needed to manage cyber security risks effectively.
Ms Press also reminded directors that they may be required to disclose cyber risks and incidents and that failure to do so may be a breach of their directors’ duties.
Following the ruling against RI Advice in June, ASIC reported a “significant number” of cyber incidents which occurred at authorised representatives of RI Advice between June 2014 and May 2020, including an incident where “an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons”.
RI Advice was also ordered to pay $750,000 towards ASIC’s costs.
Shortly after the decision, Ajay Unni, CEO and founder of cyber security provider StickmanCyber, said “businesses must learn” from the landmark decision.
Separately, on a recent episode of the ifa Show podcast, Shane Bell, cyber partner at specialist advisory and restructuring firm McGrathNicol, suggested that cyber security should be a top three issue for financial advisers and their businesses.
“Technology is embedded in everything that we're doing. And for that reason, cyber security has to be in some of the top risks that you're considering,” Mr Bell said.
“And so if that's your starting position, which I think it should be, then I don't think it has to be about choosing between cyber and something else. I think if you've got a good risk culture, then it's about connecting cyber up to that.”