In this Funds Update for 11 April 2025:

  1. ASIC issues sustainability reporting regulatory guide
  2. Proceedings against AFS licensee re cybersecurity risk management
  3. ASIC consults on plan to increase visibility of firms’ breach and complaints data

ASIC issues sustainability reporting regulatory guide

On 31 March 2025, ASIC published a regulatory guide on sustainability reporting following a public consultation with stakeholders.

Regulatory Guide 280 Sustainability reporting (RG 280) provides guidance for entities that are required to prepare a sustainability report containing climate-related financial information under Chapter 2M of the Corporations Act 2001 (Cth) (Corporations Act). This may include companies, registered schemes, registrable superannuation entities, and retail corporate collective investment vehicles.

Herbert Smith Freehills has published a detailed article on the contents of the regulatory guide, which can be found here.


Proceedings against AFS licensee re cybersecurity risk management

On 13 March 2025, ASIC announced that it had issued proceedings against an Australian financial services (AFS) licensee for allegedly failing to have in place adequate cybersecurity measures.

ASIC claims that the AFS licensee did not comply with its AFS licence obligations under section 912A(1) of the Corporations Act to:

  • do all things necessary to ensure that financial services were provided efficiently, honestly and fairly, by failing to have in place adequate measures to protect its clients from the risks and consequences of a cyber incident;
  • have available adequate resources (including financial, technological, and human resources) to, amongst other things, ensure that it had in place adequate cyber security measures required by its licence; and 
  • have in place a risk management system that adequately identified and evaluated the risks faced by the AFS licensee and its clients, adopted controls adequate to manage or mitigate those risks to a reasonable level, and implemented those controls.

This is the first case of this nature since the RI Advice case reported on in our funds alert of 6 May 2022.

In this new case, ASIC’s court documents provide some detail about its cyber risk management expectations of that AFS licensee, which are of interest to other AFS licensees, including that it should:

  • Planning and training: have a cyber incident plan accessible to employees which is tested at least annually, and mandatory cyber security training (at onboarding and annually);
  • Access restrictions: properly manage access to accounts, including revoking access that is no longer required and configuring group policies to disable legacy and insecure authentication protocols;
  • Technical monitoring, detection, patches and updates:
    • undertake vulnerability scanning, involving tools deployed across networks and endpoints, and processes run at least quarterly with results reviewed and actions taken to address vulnerabilities;
    • implement next-generation firewalls (including rules preventing endpoints from accessing file transfer protocol services);
    • use endpoint detection and response software on all endpoints and servers, with automatic updates and daily monitoring by a sufficiently skilled person;
    • have patching and software update plans (with critical or high importance patches applied within 1 month of release, and 3 months for all others), and a practice of updating all operating systems, with compensating controls for systems incapable of patching or updates; and
    • have security incident event management software configured to collect and consolidate security information across all systems, with appropriate analysis of that information (daily monitoring);
  • Testing: have processes to review and evaluate the efficacy of technical controls at least quarterly, and run penetration and vulnerability tests from internal and external points; and
  • Implementation: ensure that the risk management system is implemented (e.g. by conducting regular perimeter testing).
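By way of an added illustration (this script is not part of the update, nor drawn from ASIC's court documents or the licensee's systems), the following Python checker compares a constructed inventory of when each control was last performed, and a constructed list of outstanding patches, against the cadences listed above. The conversion of "annually", "quarterly", "daily", "1 month" and "3 months" into day counts, the treatment of a compensating control as exempting an unpatchable system from the patch deadline, and the control names and sample data are all assumptions made for the example.

```python
"""Control-cadence and patch-SLA gap checker (added example, not from the article or ASIC).

Reports (1) controls performed later than their expected cadence allows, or never
recorded, and (2) patches applied, or still outstanding, past their deadline.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Maximum days between occurrences. Assumed conversions of the article's wording:
# annually = 365, quarterly = 91, daily = 1.
CADENCE_DAYS = {
    "incident_plan_test": 365,
    "security_training": 365,
    "vulnerability_scan": 91,
    "control_efficacy_review": 91,
    "penetration_test": 91,        # assumption: tested on the same quarterly cadence
    "edr_monitoring": 1,
    "siem_review": 1,
}

# Assumed conversions: "1 month" = 30 days (critical/high), "3 months" = 90 days (others).
PATCH_SLA_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 90}


@dataclass
class Patch:
    host: str
    finding: str                   # constructed placeholder identifier, not a real advisory
    severity: str
    released: date
    applied: Optional[date]        # None = still outstanding
    compensating_control: bool = False


def overdue_controls(last_done: Dict[str, date], today: date) -> Dict[str, int]:
    """Return {control: days_overdue}. A control with no recorded date is reported as -1."""
    gaps: Dict[str, int] = {}
    for control, max_days in CADENCE_DAYS.items():
        done = last_done.get(control)
        if done is None:
            gaps[control] = -1
            continue
        age = (today - done).days
        if age > max_days:
            gaps[control] = age - max_days
    return gaps


def patch_sla_breaches(patches: List[Patch], today: date) -> List[Tuple[str, str, str, date]]:
    """Return (host, finding, severity, deadline) for every patch that missed its SLA.

    An applied patch breaches if it was applied after the deadline. An outstanding patch
    breaches once today is past the deadline, unless a compensating control is recorded
    for a system that cannot be patched (assumed exemption).
    """
    breaches = []
    for p in patches:
        deadline = p.released + timedelta(days=PATCH_SLA_DAYS[p.severity.lower()])
        if p.applied is not None:
            late = p.applied > deadline
        else:
            late = today > deadline and not p.compensating_control
        if late:
            breaches.append((p.host, p.finding, p.severity, deadline))
    return breaches


# --- Constructed sample data (not from any real licensee) ---
TODAY = date(2025, 4, 11)

SAMPLE_LAST_DONE = {
    "incident_plan_test": date(2024, 2, 1),     # 435 days ago: 70 days past the annual cadence
    "security_training": date(2024, 9, 15),
    "vulnerability_scan": date(2024, 12, 20),   # 112 days ago: 21 days past quarterly
    "control_efficacy_review": date(2025, 3, 1),
    "penetration_test": date(2025, 2, 10),
    "edr_monitoring": date(2025, 4, 11),
    # "siem_review" deliberately absent: never recorded
}

SAMPLE_PATCHES = [
    Patch("fileserver-01", "PLACEHOLDER-FINDING-1", "critical", date(2025, 2, 20), date(2025, 3, 30)),
    Patch("web-01", "PLACEHOLDER-FINDING-2", "high", date(2025, 3, 25), None),
    Patch("db-01", "PLACEHOLDER-FINDING-3", "medium", date(2024, 12, 1), None),
    Patch("legacy-app-01", "PLACEHOLDER-FINDING-4", "low", date(2024, 10, 1), None,
          compensating_control=True),
]

if __name__ == "__main__":
    for control, days in overdue_controls(SAMPLE_LAST_DONE, TODAY).items():
        print(f"control gap: {control}: {'never recorded' if days < 0 else f'{days} days overdue'}")
    for host, finding, sev, deadline in patch_sla_breaches(SAMPLE_PATCHES, TODAY):
        print(f"patch SLA breach: {host} {finding} ({sev}), deadline was {deadline}")
```

On the sample data the script flags the incident plan test and vulnerability scan as overdue, the SIEM review as never recorded, one critical patch applied late and one medium patch still outstanding past its deadline; the legacy host is skipped because a compensating control is recorded. Replace the two sample structures with a feed from a real control register and vulnerability-management export to use it as a periodic self-check.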

Herbert Smith Freehills has published a detailed article on the new proceedings, which can be found here.


ASIC consults on plan to increase visibility of firms’ breach and complaints data

On 10 April 2025, ASIC announced that it had launched a consultation on plans to publish two dashboards containing firm-level Reportable Situations (RS) and Internal Dispute Resolution (IDR) data in the second half of 2025.

ASIC stated that the proposals detailed in CP 383 Reportable situations and internal dispute resolution data publication (CP 383) build on the high-level insight reports ASIC has previously published.

Under the proposal, ASIC will exercise its legislative powers to publish the firm-level data reported to ASIC, which ASIC asserts will support the objectives of both the RS and IDR regimes by:

  • enhancing transparency and accountability to encourage improved behaviour and increase confidence in the financial system;
  • highlighting areas of concentration of significant breaches and complaints; and
  • enabling firms to target improvements in their compliance outcomes, consumer outcomes and firm performance.

Stakeholders should provide feedback by close of business on Wednesday 14 May 2025.

Key contacts

Fiona Smedley