How licensees can ensure they are cyber-secure



Two law firms have highlighted the responsibility of licensees to ensure they have sufficient cyber security measures in light of the enforcement action against Fortnum Private Wealth.
Last month, ASIC announced it was suing Fortnum, a subsidiary of Australia’s largest AFSL Entireti, over claims that Fortnum failed to meet its AFSL obligations due to inadequate policies, frameworks, systems and controls in place to deal with cyber security risks.
The action relates to a number of cyber breaches dating back to 2021 and 2022, one of which ASIC referred to as a “major breach” that led to more than 9,000 clients’ data being published on the dark web.
While ASIC acknowledged that Fortnum had introduced a specific cyber security policy from April 2021, the regulator said it “was not an adequate response to manage cyber security risk”.
This followed actions by the corporate regulator against fixed income securities dealer FIIG Securities earlier this year and AFSL RI Advice Group in 2020. ASIC stated that licensees' failure to have adequate cyber security protections is an enforcement priority for 2025.
Commenting on the news, Hall & Wilcox said: “Licensees must allocate sufficient financial, technological, and human resources to cyber security. This includes engaging cyber security personnel to assess, implement and maintain cyber framework. Generic or outdated policies without specialist input will not meet ASIC’s standards.
“Licensees are responsible not only for their own systems, but also for the cyber security posture of their ARs and must mandate ongoing cyber security training and education for staff and ARs. Such training should evolve as novel cyber security threats emerge to avoid becoming outdated.”
Meanwhile, Holley Nethercote recommended multiple steps that licensees could take to ensure they are cyber-secure, with the law firm having previously found cyber security is the number one compliance concern for licensees.
These steps include implementing policies and procedures, working with IT security experts, training staff and contractors on privacy and information security, implementing information systems, and holding an incident response plan.
Necessary policy and procedures include cyber and information management policies, data breach response plans, privacy management policy, and business continuity plans.
Early data from Adviser Ratings’ Landscape Report found advisers are increasing investment in material compliance enhancements – including cyber security – by a substantial 31 per cent. This includes strengthening existing systems, enhancing staff training, developing and testing incident response plans, and appropriate cyber insurance coverage.
Holley Nethercote commented: “ASIC expects that you will engage IT security experts to ensure that your cyber security systems, processes and procedures are sufficiently robust. This may include employing or outsourcing from a third-party with the skills, knowledge and experience in IT security.
“All employees and contractors should be subject to appropriate security, intellectual property and confidentiality processes before, during and after termination of their engagement. This includes measures such as limiting access to information or systems (depending on the requirements of their role) and terminating access to IT resources at the end of their employment. Access requirements should be regularly reviewed.
“You should have a robust incident response plan to help you respond swiftly to a cyber incident. Some organisations are using ‘war gaming’ techniques to better understand and plan their defence against malicious cyber activities and to test their cyber incident response plans in action.”
It also flagged that a cyber incident may constitute a reportable situation which needs to be reported to ASIC.