Future cybersecurity breaches could incur $525m penalties

Firms which fail to have adequate risk management systems to manage cybersecurity risk could be fined as much as $525 million by the regulator in the future.

Yesterday, RI Advice was found to have breached its Australian Financial Services license obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage cybersecurity risks. This occurred between June 2014 and May 2020.

While RI Advice had to pay $750,000 in costs, it did not receive a penalty, and will not in any later hearing, because the breach occurred before the provision became a civil penalty.

However, for any future breaches, firms would incur significant penalties which could be as high as $525 million, the regulator said.

Speaking to Money Management, an ASIC spokesperson said: “The maximum penalties available for a breach of section 912A(1) are now:

  • The greatest of $10.5 million;
  • Three times the benefit obtained; or
  • 10% of annual turnover (capped at $525 million).

“If appropriate, ASIC may seek substantial civil penalties in future cases, if licensees breach their obligations to manage cybersecurity risk.”

Advisers who have done far less have been named, shamed, banned, fined or possibly jailed. Can ASIC explain why RI receives no penalty outside of covering ASIC's costs? Can ASIC advise who from RI has lost their job over this? It's clear if you are big enough, and have a large legal team, ASIC does nothing. ASIC is the bully who only ever goes after the small players and runs away from the bigger bully causing the most client harm.

How exactly is it an AFSL's responsibility to ensure the cyber security arrangements of a separate small business over which they really have no control? ASIC is expecting small businesses with limited resources to have IT systems in place that only a large institution can afford to pay for. My business receives multiple phishing attempts a day. We have all sorts of security measures in place, but it is only a matter of time before one of my staff (or me!) clicks on a link in an email. For the record, we have been audited for our cyber security capabilities, have cyber insurance and complete regular training with our team.

It is an AFSL's responsibility to ensure a huge range of things, quite apart from cyber security, are handled in certain ways by separate small businesses licensed by them. This is why the current licensing regime is so ludicrous. It was set up as an evolution of the old "tied agent" arrangements, and was primarily intended to facilitate selling the licensee's product, not to ensure responsible monitoring and supervision of advisers. It is only in recent years that the monitoring and supervision elements have come under scrutiny, and shown to be unworkable with large numbers of self employed advisers.

There should be no such thing as corporate authorised representatives. The only advisers operating under an AFSL should be direct employees of the licensee, so they can be properly monitored and controlled. Self employed advisers should get their own AFSL. If they are unwilling or unable to do so they should become employees of someone else. Financial advice business ownership comes with responsibilities that can't be outsourced.

I agree with all your comments. We are self-licensed.

In my assessment, the large AFSLs will not exist within 5 years. Everyone will need to be licensed directly with ASIC. To achieve professional status, it is the only possible pathway. I also expect it to dramatically reduce the cost to serve clients because there won't be inefficient institutions clipping the ticket at every opportunity.