Federal Court confirms AFS Licensee obligations include adequate cyber risk management

On 5 May 2022, the Federal Court in ASIC v RI Advice Group Pty Ltd [2022] FCA 496 found that an Australian Financial Services Licence (AFSL) holder contravened licensee obligations under section 912A of the Corporations Act 2001 by failing to have adequate cyber risk management systems and procedures between 15 May 2018 and 5 August 2021. This landmark decision is a first in Australia. Whilst it holds confirms AFSL holders must have adequate cyber risk management procedures to meet their licensee obligations, uncertainty remains as to what licensees must have in place to meet their regulatory obligations. AFSL holders should also consider their notification obligations to ASIC following a cyber incident in light of the decision. Background RI Advice is a financial services provider that was owned by Australia and New Zealand Banking Group Limited until 30 September 2018 and was acquired by IOOF Holdings Limited (IOOF). Between June…