In ASIC v RI Advice Group Pty Ltd [2022] FCA 496, ASIC brought a claim against a financial services licensee, RI Advice, for failures by its authorised representatives to manage their cyber security risks. While the matter ultimately settled, the approval of the settlement and the proposed orders demonstrate that obligations under section 912A of the Corporations Act 2001 (Cth) (Corporations Act) may extend to the cyber security risks faced by licensees and the adequacy of the risk management systems implemented by the licensees to mitigate that risk.
It was agreed by the parties that RI Advice had breached sections 912A(1)(a) and (h) of the Corporations Act. These subsections require financial services licensees to:
- do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly
- have adequate risk management systems.
RI Advice authorised independent representatives to provide financial services on its behalf (authorised representatives). From June 2014 to May 2020, a series of cyber security incidents occurred at the practices of a number of authorised representatives. These incidents involved unknown…
