ASIC proceeding against AFS licensee for cyber and data security breaches may impact all licensees
ASIC asserts that, in the circumstances described in its claim, the licensee's failure to review properly the effectiveness of its cyber security controls and its response to the incidents was inadequate and gives rise to a breach of the licensee's obligations to:
- do all things necessary to ensure that the financial services covered by its licence are provided efficiently, honestly and fairly (section 912A(1)(a));
- comply with the conditions on its licence, which include a requirement to establish and maintain compliance measures that ensure, as far as is reasonably practicable, that it complies with the provisions of the financial services laws (section 912A(1)(b));
- comply with the financial services laws (section 912A(1)(c));
- have available adequate resources (including financial, technological and human resources) to provide the financial services covered by its licence and to carry out supervisory arrangements (section 912A(1)(d)); and
- have adequate risk management systems (section 912A(1)(h)).
ASIC asserts that, because the licensee has authorised representatives (ARs) to provide financial services on its behalf and they receive and store, electronically, confidential and sensitive client information and documents, including relating to financial matters, it is incumbent on the licensee in discharging its duties and functions as a licensee to have adequate systems, policies, procedures and controls in place that "meet the reasonable standard that would be expected by the public in appropriately managing risks in relation to cybersecurity and cyber resilience across its AR network".
What this means for AFS licensees and credit licensees
We expect the outcome of the proceeding will clarify more specifically the obligations that both AFS licensees and credit licensees have regarding cyber and data security measures implemented by their networks of ARs and credit representatives (CRs) and what a licensee must do in response to a cyber or data security incident. However, the implications could be more far reaching.
Licensee general obligations
The proceeding has the potential to clarify and expand the scope of certain general obligations of an AFS licensee in section 912A and the analogous obligations of a credit licensee in section 47 of the National Consumer Credit Protection Act. For example, to establish a breach of section 912A(1)(a), ASIC would effectively be asserting that having adequate oversight of the cyber and data security controls of ARs and/or rectifying deficiencies in response to an identified incident is one of the "things" that must be done to ensure financial services covered by the licence are provided efficiently, honestly and fairly.
This would draw into question what other business practices not directly related to the performance of regulated financial services or credit activities might also give rise to breaches of general obligations.
Authorised representative networks
For licensees with networks of ARs or CRs this could potentially mean that the licensee would need to supervise and control a much broader category of functions undertaken by an AR or CR on the basis that those functions are incidental to the provision of services on behalf of the licensee. This will of course be particularly challenging in the context of a "self-employed" representative model (where the representative is not related to the licensee group) where access and control is necessarily remote. Licensees may need to reconsider the terms of their agreements with their AR/CRs or otherwise look to reflect enhanced controls through revised 'licensee standards'. There is then the question as to what further activities could be impacted. As an example, could matters such as the account keeping of a representative be considered as sufficiently incidental to the provision of services by the representative on behalf of a licensee so as to be captured by the licensee's general obligations?
Breaches and reporting
The proceeding involves a series of alleged cyber incidents. ASIC asserts that the licensee, after becoming aware of each of the alleged cybersecurity incidents in question, failed:
- to properly review the effectiveness of a wide range of cybersecurity controls relevant to the incidents across its AR network; and
- to ensure that those controls were remediated across its AR network where necessary in a timely manner, in order to adequately manage risk with respect to cybersecurity and cyber resilience.
It appears from the position taken by ASIC that licensees who are compromised by a cyber-attack will need to consider promptly their cybersecurity documentation and controls in a range of cybersecurity domains. There may also be a need to consider breach reporting.
Finally, if a decision in this proceeding by ASIC ultimately expands the scope of the general obligations on a licensee beyond that which may have been understood by participants in the industry, it may impact the assessment of potential breaches and decisions regarding breach reporting obligations. That is particularly so having regard to the increased penalties for breaches of general obligations and failing to report breaches.
We will be updating clients with further insights into these issues. In the meantime, we recommend a close watch on these proceedings.