“Detect, understand and respond!” Uh-oh! ASIC shifts its focus to Licensee’s cyber security


Increased reliance on information technology comes with an increased reliance on securing that information.

For dedicated scholars of the Australian financial advice industry, “ASIC’s Corporate Plan 2017/18 to 2020/21” makes for some heavy but necessary reading, for within it lies ASIC’s regulatory intentions for the next three years.

One of the less surprising key take outs is that ASIC considers digital disruption as a major challenge for financial services industries in the immediate years to come. Okay, that’s not exactly breaking news, but ASIC’s consideration of the risks of digital transformation certainly deserves thought.

Many advice providers have spent the last 18 months or so undergoing major digital transformations of their CRMs, client engagement approach and advice provision systems. While the benefits of digital transformation are increasingly obvious, the self-evident conclusion is that digital transformation will only ever increase our industry’s reliance on information systems.

The problem with an increased reliance on information technology is that it comes with an increased reliance on securing that information. Easier said than done of course (and getting more difficult as each day goes by).

And so along with identifying digital disruption as a challenge, ASIC have correctly identified the key risk of cyber resilience in financial services and markets over the next four years.

So, how is ASIC intending to manage that cyber risk?

ASIC’s philosophy here is to use a ‘detect, understand and respond’ approach. ASIC intends to detect wrongdoing through surveillance, using continual market scanning to then respond to wrongdoing.

To that end, ASIC have set up an “Emerging Risk Committee” to analyse, monitor and respond to changes in cyber risks (in addition to other emerging risks). Underpinning this is increased emphasis on ASIC standardising their processes, further developing expertise in data management, and the application of new technology-based regulatory techniques to transform ASIC into a data-driven law enforcement agency.

Licensee cyber risks

It is worth reminding ourselves of some of the licensee requirements when it comes to the cyber security of personally identifiable information.

ASIC’s RG 104.85 states that having “adequate technological and human resources is crucial to your ability to demonstrate that you have the capacity to carry on your financial services business in full compliance with the law and to supervise your representatives.” This means that ASIC has pointed out technology as a critical component of Licensees being able to supervise their representatives.

ASIC’s RG 104.90 goes on to say that Licensees “need to have enough technological resources to enable you to:

(a) comply with all of your obligations under the law;

(b) maintain client records and data integrity;

(c) protect confidential and other information; and

(d) meet your current and anticipated future operational needs.”

It is evident that Licensees have an obligation to ensure that the confidentiality and integrity of their clients’ information is adequately maintained.

So, it is Licensees, not just financial planners, that need to put cyber security at the top of this year’s priority list. Failure to meet these obligations will have consequences for Australian Financial Services Licensees (AFSL) – including the usual assortment of fines, penalties, enforceable undertakings, licence conditions, or a licence suspension or cancellation.