The many conditions attached to an Australian Financial Services (AFS) license do not spell out specific cybersecurity requirements. Nevertheless, a federal court in the country has held an AFS license holder accountable for breaching its license obligations by failing to adequately manage its cybersecurity risks.
Now, the Australian Securities & Investments Commission (ASIC) has clarified its stance on adequate cybersecurity measures for regulated financial market players. ASIC issues the AFS license and conducts supervisory duties.
“ASIC does not prescribe technical standards nor provide expert guidance on operational aspects of cybersecurity. We also do not prescribe specific requirements for individual license holders,” the regulator stated.
“We do, however, expect licensees to address cyber risk as part of their AFS license obligations, including risk management.”
In addition, it clarified that dual-regulated AFS licensees must also comply with the applicable standards of their other regulator.
Cybersecurity Measures Are Needed
The question of whether cybersecurity measures form part of AFS license obligations arose from an Australian court ruling against RI Advice. The company was found to have breached its license obligations because it lacked adequate risk management systems for managing its cybersecurity risks.
The judge acknowledged that it is not possible to reduce the risk of a cyber attack to zero, but found that companies can significantly reduce that risk by implementing appropriate measures.
The Australian Cyber Security Centre (ACSC) has already recommended that companies implement at least eight essential mitigation strategies to reduce cybersecurity risk, but these recommendations are not mandatory.
“This decision confirms that AFS licensees must have adequate technological systems, policies and procedures to ensure sensitive consumer information is protected. This will minimize the risk of consumer harm,” ASIC said.
“If an AFS licensee fails to meet its obligations as a result of similar conduct or omissions, ASIC may take enforcement action, as we did with RI Advice, which can result in significant penalties.”