For the first time the Federal Court has held that an Australian Financial Services Licensee has breached its obligations under the Corporations Act by failing to adequately manage cybersecurity risk.  We discuss the implications of this decision.

On 5 May 2022, the Federal Court declared that RI Advice Group Pty Ltd (RI Advice) contravened ss 912A(1)(a) and (h) of the Corporations Act (the Act) for failing to adequately manage cybersecurity risk and to maintain documentation and controls in relation to cyber resilience. The decision stands as an Australian first relating to cybersecurity risk management obligations, and holds great significance for Australian businesses, in particular Financial Services Licensees.

ASIC v RI Advice Group Pty Ltd

RI Advice is a wholly-owned subsidiary of IOOF Holdings (now Insignia Financial), and prior to 2018 was a wholly-owned subsidiary of ANZ. RI Advice provides financial advice and planning services through independently owned corporate authorised representatives and individual authorised representatives.

The Court heard there were 9 separate incidents which occurred between June 2014 and May 2020, including hacked email accounts, fraudulent emails urging clients to transfer funds, ransomware attacks on client personal information files, and other phishing emails sent to clients. The most notable of these was an incident in December 2017, in which the personal information of thousands of clients was compromised – some of whom reported unauthorised use of this personal information.

After IOOF purchased RI Advice in 2019, IOOF required its licensees to implement a program to increase awareness of cybersecurity and adopt cyber resilience best practices. The program was labelled the Cyber Resilience Initiative. Security in Depth (a cybersecurity risk management consultancy firm) was engaged to oversee and facilitate the program. Security in Depth was satisfied that the majority of RI Advice’s authorised representatives had implemented most of the Cyber Resilience Initiative by 6 August 2021. Prior to the Cyber Resilience Initiative, RI Advice had minimal to no cyber risk management systems in place and possessed only basic documentation or controls relating to cybersecurity.^[1]

RI Advice admitted that it took too long to implement the Cyber Resilience Initiative and to ensure that it was in place across its authorised representative practices and that it had contravened s912A(1)(a) and (h) from 15 May 2018 to 5 August 2021.

In bringing proceedings against RI Advice, ASIC initially sought substantial penalties   However, a settlement between the parties saw no imposed penalty. The settlement involved an agreed statement of facts and jointly proposed orders and declarations. The Court was of the view that the orders and declarations were appropriate in the circumstances.

The Court made declarations under section 21 of the Federal Court of Australia Act 1976 (Cth), that RI Advice had contravened ss 912A(1)(a) and (h) of the Act,^[2] which requires a financial services licensee to:

1. do all things necessary to ensure that the financial services are provided efficiently, honestly and fairly (912(1)(a)); and
2. have adequate risk management systems (s912(1)(h)).

Further, the Court made orders under section 1101B of the Act, that RI Advice engage Security in Depth to identify and implement any further necessary documentation or controls, in order to adequately manage RI Advice’s cybersecurity risk and cyber resilience. RI Advice was also ordered to pay $750,000 towards ASIC’s costs.^[3]

Takeaways

Efficiency in the context of section 912(1)(a) and Cyber Risk Management

Services are not provided efficiently if performance falls short of the reasonable standard of performance. Her Honour held that ‘in a technical area such as cybersecurity risk management, the reasonable standard of performance is to be assessed by reference to the reasonable person qualified in that area.’^[4]

Adequacy in the context of section 912A(1)(h) and Cyber Risk Management

Her Honour noted that the question of what are “adequate risk management systems” is highly technical. In this regard, Rofe J stated that ‘[t]he assessment of the adequacy of any particular set of cyber risk management systems requires the technical expertise of a relevantly skilled person.’

An acceptable level

In connection with understanding the adequacy of cyber risk management and cybersecurity documentation, Rofe J stated that:

Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.^[5]

What is an acceptable level is a question for the Court to decide, ‘informed by the evidence’ of experts in the field.^[6]

Timeliness

By its own admission, RI Advice took too long to implement the Cyber Resilience Initiative. Timely implementation of cyber risk management systems goes to both efficiency and adequacy.^[7]

What it means for you

While no pecuniary penalty was imposed in the matter, it stands as a warning shot from ASIC to Australian Financial Service Licensees to maintain prudent cybersecurity risk management systems and controls, as these fall within a Licensee’s obligations under s 912A. Not only this, but the implementation of these systems and controls must be efficient and without delay.

The judgment also highlights the importance of prudent cybersecurity and data-management practices for Australian businesses more broadly, as the incidence, complexity, and scale of cyber-attacks continues to rise. In a statement made in response to the decision, ASIC Deputy Chair Sarah Court said:

ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment.^[8]

It is likely that other regulators will take a similar approach to cybersecurity risk management to ASIC.  In addition, businesses that fail to ensure they have prudent cybersecurity and data management practices are potentially exposed to negligence claims by third parties who suffer foreseeable damage and to shareholder class actions. All Australian businesses generally should to take a cyber resilience health check by visiting (or re-visiting) the information provided by both the Australian Cyber Security Centre and ASIC.

Resolve Litigation Lawyers are experienced in acting for businesses including Australian Financial Services Licensees, their directors and executives in regulatory investigations and disputes.

 

Nicola Nygh and Hugo Hosie

 

23 May 2022

^[1] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 [20]-[25].

^[2] Ibid.

^[3] Ibid.

^[4] Ibid at [49]

^[5] Ibid [58].

^[6] Ibid [55].

^[7] Ibid [64].

^[8] ‘22-104MR Court finds RI Advice failed to adequately manage cybersecurity risks’, Australian Securities and Investments Commission (Web Page Media Release, 5 May 2022) < https://asic.gov.au/about-asic/news-centre/find-a-media-release/2022-releases/22-104mr-court-finds-ri-advice-failed-to-adequately-manage-cybersecurity-risks/>.