
Cybersecurity threats facing financial advisors/AFS licensees

The Australian Securities and Investments Commission (ASIC) used a 2023 report to warn financial services organizations that cybersecurity and cyber resilience must be a top priority. Specifically, the regulator said it expected this to include oversight of cybersecurity risk throughout the organization's supply chain, as third-party relationships often provide criminals with easy access to systems and networks.


Landmark case: XX Advice Group cybersecurity negligence

A landmark 2022 legal decision found that an Australian financial services (AFS) licensee had breached its license obligations by failing to adequately manage its cybersecurity risks. The judgment noted that XX Advice Group Pty Ltd had a number of inadequate risk management practices across its network. This included some of its authorized representatives:

  • failing to have up-to-date antivirus software.

  • failing to maintain system backups.

  • failing to implement email filtering or quarantining.

  • following poor password practices.


Inadequacies in its cybersecurity risk management led to cyber incidents affecting clients in the six-year period to May 2020. 


Three ways to reduce risk

In the XX Advice Group judgment, the presiding Justice made it clear that cybersecurity should be front of mind for all AFS licensees. The Justice acknowledged that while ‘it is not possible to reduce cybersecurity risk to zero … it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls …’ As a result, ASIC released a range of expectations for AFS licensees to ensure that they are effectively managing cybersecurity risks.


These guidelines can be broadly categorized into three areas: 

  • Risk management – Having robust risk management frameworks in place to identify, assess and manage cybersecurity risks. 

  • Incident management – Having effective incident management processes in place to detect, respond to, and recover from cybersecurity incidents. This includes communicating with affected clients and stakeholders, as well as having business continuity plans in the case of an attack. 

  • Disclosure and reporting – Being transparent and accountable in relation to cybersecurity risks and incidents. This applies to both disclosing any material cybersecurity incidents to ASIC as soon as possible, and keeping clients informed about any risks or incidents that may affect them. 


Conclusion

The XX Advice case once again serves as a wake-up call. A failure in cybersecurity is not merely a technical lapse — it is a governance failure. For financial advisory institutions, building a robust cybersecurity framework is not just about meeting regulatory requirements — it is about safeguarding the very foundation of client trust. 
