ARTICLE
22 June 2026

An AFS Licensee First: Receiving An Order To Pay AU$2.5 Million For Cybersecurity Failures

K&L Gates LLP

Cameron Abbott

In a key decision against an Australian financial services licence (AFSL) holder, the Federal Court of Australia has ordered the AFSL holder to pay AU$2.5 million in penalties for inadequate cybersecurity measures. The Australian Securities and Investments Commission (ASIC) took action following a cyberattack on the AFSL holder's IT systems in which approximately 385GB of data was downloaded from its servers.

This is the first time civil penalties have been imposed for cybersecurity failures pursuant to general AFSL obligations. The Court found the AFSL holder failed to comply with the following obligations under the Corporations Act 2001 (Cth):

  • Efficient, honest, and fair financial services (s 912A(1)(a)): the AFSL holder had no adequate incident response plan and did not implement basic measures such as monitoring threat alerts or providing mandatory cybersecurity awareness training.
  • Adequate resources (s 912A(1)(d)): the AFSL holder delegated responsibility for its IT security measures to staff without adequate skills or knowledge and did not dedicate sufficient financial resources to adequate cybersecurity measures.
  • Adequate risk management systems (s 912A(1)(h)): the AFSL holder failed to implement, maintain and monitor the controls set out in its own risk management system, including its IT Information Security Policy, its Cyber and Information Security Policy, and its annual audits of custodial services.

In addition to the AU$2.5 million penalty and AU$500,000 in costs awarded to ASIC, the AFSL holder must undertake a compliance programme that involves engaging an independent expert to ensure its cybersecurity and cyber resilience systems are reasonably managed. Importantly, the Court found that the penalties and remediation costs far exceeded what it would have cost the AFSL holder to implement adequate controls in the first place.

Key Takeaways:

  • AFS licensees must fully implement the controls described in their own risk management systems and policies, and maintain adequate resources, systems and training to operate them.
  • ASIC will penalise underinvestment in cybersecurity, and the penalties and remediation costs are likely to exceed the cost of implementing adequate controls in the first place.

Further detail is available in ASIC's media release on the decision.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
