Groundbreaking Federal Court Decision on Cybersecurity Risk Management Obligations

In an Australian first, the Federal Court found on 5/5/22 that Australian Financial Services licensee RI Advice breached its licence obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks.

ASIC said the finding came after a “significant number” of cyber incidents at authorised representatives of RI Advice between June 2014 and May 2020. These incidents had resulted in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons.

Managing cybersecurity risk is critical for all businesses – and this decision can be seen as a forerunner of how regulators will hold regulated entities to account under financial services regulation for failing to properly manage these risks.

The ASIC release is well worth reading.