Have an AFSL? What are your cybersecurity obligations?

By Benjamin Di Marco and Anthony Smit | April 6, 2022

Regulators are looking at enforcement action to ensure cybersecurity compliance, impacting AFSL holders and their authorised representatives.

Financial services regulators are increasingly focusing on cybersecurity, putting all organisations operating in this sphere on notice. A recent development is that the Australian Securities and Investments Commission (ASIC) has begun exploring enforcement action against Australian Financial Services Licence (AFSL) holders for alleged defects in cybersecurity compliance.

AFSL holders can be found responsible for the cybersecurity of their own IT environment, as well as the cyber posture of the various IT assets and systems relied upon by their authorised representatives (ARs).

In a speech last year, ASIC Deputy Chair Karen Chester indicated that the risks facing AFSL holders in the coming years will be even greater, saying ASIC would take “decisive, deterrence-based enforcement action” to “ensure regulatory incentives for cyber resilience remain in open play”.

Further, one of ASIC’s four strategic priorities in its Corporate Plan 2021-25 is “supporting enhanced cyber resilience and cybersecurity among ASIC’s regulated population”.

Against this backdrop it is critical that every AFSL holder understands:

  1. The key cybersecurity obligations for AFSL holders and their directors, and how to avoid regulatory action where ASIC considers inadequate cybersecurity controls are in place
  2. What ASIC and other Australian regulators consider to be minimum benchmarks for cybersecurity
  3. Practical steps which can be taken to reduce risk and manage overall exposures.

How cybersecurity applies to AFSL holders

An AFSL authorises an organisation or individual and their representatives to provide financial services to clients in Australia. ASIC assesses applications and the suitability of AFSL holders to continue holding a licence. In assessing applications for an AFSL, ASIC considers whether an applicant:

  1. is competent to carry on the kind of financial services covered by the licence
  2. has sufficient financial resources to carry on the business that is proposed
  3. has an adequate risk management system in place
  4. can meet other obligations under the AFSL.

ASIC analyses cybersecurity through the lens of whether an organisation has adequate risk management systems and adequate resources, such as technology resources. AFSL holders are also required under the Corporations Act 2001 (Cth) to comply with a range of obligations, including those in sections 912A and 912B. Relevant to these sections, the AFSL holder and their ARs are required to have implemented policies, plans, procedures, strategies, standards, guidelines, frameworks, systems, resources and controls which are reasonably appropriate to adequately manage risk, including cybersecurity and cyber resilience. The licensee must also have adequate technology resources to provide the financial services to consumers.

Examining AFSL holders’ cyber risk management systems

While there is no direct court guidance, commentators and ASIC have referred to the importance of adopting a framework to assess risk and create minimum standards that promote cybersecurity and cyber resilience. ASIC has said controls must be “adequate to manage the risk”, and AFSL holders cannot solely rely on cybersecurity industry frameworks (such as NIST) or compliance-bound exercises. Processes should focus on situational awareness and building an understanding of the realistic key exposures that can impact the AFSL holder based on its service offering, IT infrastructure, and exposure landscape.

ASIC has also identified that AFSL holders should have in place cybersecurity documentation and controls that adequately address each of its 13 Cybersecurity Domains:

  • Governance and business environment
  • Risk assessments and risk management
  • Asset management
  • Supply chain risk management
  • Access management
  • Personnel security, training and awareness
  • Data security
  • Secure system development life cycle and change management
  • Baseline operational security
  • Security continuous monitoring
  • Vulnerability management
  • Incident response and communications
  • Continuity and recovery planning.

In each situation these Domains should be tailored to the organisation’s circumstances to ensure that cybersecurity measures are fit for purpose.

Controls and incident management across AR networks

ASIC has stressed that adequate cybersecurity and cyber resilience measures must also be adopted by ARs working under the AFSL holder. ASIC has also highlighted that AFSL holders:

  • should assess the key cybersecurity risks applicable to their AR network
  • must ensure their AR network has cybersecurity documentation and controls to adequately manage cyber risk
  • must have direct oversight of cybersecurity incident response for events impacting their AR network.

To meet these broad demands, the AFSL holder must realistically perform cybersecurity and cyber resilience risk assessments across its entire AR network and assess each AR for gaps or deficiencies across their cybersecurity documentation and controls. Processes will also need to consider the security controls used by ARs to protect key IT assets across desktop computers, servers, network infrastructure and the cloud-based environment.

Cyber resilience must also be addressed, including through the development of cybersecurity remediation plans that encourage prompt triage and remediation of the gaps and deficiencies identified across cybersecurity documentation and controls.

A practical challenge for AFSL holders is the significant cost and volume of work required to review and uplift AR IT networks. The use of minimum baselining and transitional work to align and onboard ARs into the AFSL holder’s IT environment can offset some of these costs. However, where there are operational differences between ARs and AFSL holders these steps may not be possible, and the wider AFSL and AR relationship should be framed to contemplate the significant cybersecurity work and risk which the AFSL holder bears in the event ARs do not adopt adequate documentation and controls.

Cyber and professional indemnity insurance implications

The regulatory focus on an AFSL holder’s cyber posture is also becoming a growing concern for insurers. Given the extent of catastrophic cyber losses which insurers have sustained in the previous 12 months, the industry is demanding cyber resilience from insured organisations and undertaking deeper investigations into compensating controls. AFSL holders seeking to obtain or renew cyber and professional indemnity insurance policies must present a compelling message to carriers, demonstrating that they understand the relevant regulatory demands and have adequate processes in place to address these exposures.

There is commonality between ASIC’s 13 Domains and current areas of cyber risk focus for underwriters. Typically, for AFSL holders, cyber carriers will require evidence of good controls and processes across the following security functions:

  • Access management
  • Asset management
  • Awareness and training
  • Active monitoring
  • Backup procedures
  • Email security
  • Endpoint detection and response
  • Disaster recovery and incident response.

Conclusion

At first blush, the cybersecurity areas identified by ASIC can seem all encompassing and impossible to navigate. This is a common problem when examining cybersecurity, as it is easy to be overwhelmed by the complexity of the exposure landscape and the many layers of people, processes and technology that can create cyber vulnerabilities.

Importantly, AFSL holders must ensure their cyber maturity work is underpinned by strong risk assessment, including exposure identification work and action planning tailored to key exposures. This work cannot be done solely using compliance frameworks and should include situational awareness and an understanding of key IT systems and the realistic cyber threats. Beginning from this footing ensures that uplift work is tailored, proportionate and ultimately cost effective.

We also recommend that AFSL holders and their ARs examine cybersecurity through the prism of the 13 Domains ASIC has identified. Many of those do not require expensive technical controls or IT network architecture work and can instead be addressed through internal mechanisms that promote accountability, governance and documented processes. Others, such as continuity and recovery planning, can be readily examined through Business Continuity Planning processes, back-up culture and conducting tabletop exercises.

It is also important that organisations avoid exercises which seek to ‘boil the ocean’ and instead focus on how to uplift cyber maturity across the short, medium and long term. Organisations should also avoid detailed benchmarking projects, which often fail to account for the fact that each organisation has unique circumstances and different cyber exposures, IT assets and support needs.

Because of both the exposure landscape and regulatory focus, insurance will continue to be an invaluable resource for AFSL holders and their ARs. Specific analysis should be undertaken to make sure insurance is fit for purpose and responsive to an AFSL holder’s needs, including whether IT assets of ARs fall within the policy’s insuring clauses and whether acts, errors or omissions by ARs can be deemed insurable events.

Organisations can also obtain strong support from working with partners who have deep expertise across the cyber risk, resilience and regulatory environment in which AFSL holders and their ARs operate. WTW has built a unique cross-functional Cyber and Technology Risk team made up of former CISOs, incident response managers, dispute lawyers, insurance brokers and regulatory risk experts. If you would like any further assistance on these points, do not hesitate to reach out to our team.
