For the first time in Australia, a court has held in an action brought by Australia’s financial services regulator, ASIC, that the failure by a company to have adequate risk management systems in place to manage cybersecurity incidents was a breach of financial services licensee obligations.

Although the declaration and orders in ASIC v RI Advice Group Pty Ltd [2022] FCA 496 were made by consent of the parties, this represents a landmark decision in Australia’s enforcement of cybersecurity principles. It serves as a warning to Australian companies operating pursuant to an Australian financial services licence that the risks they are obliged to manage as a condition of their licence include cybersecurity risks, and that their cybersecurity risk management systems face increasing scrutiny, and enforcement action, by regulators. It is not clear how these particular incidents were brought to ASIC’s attention. However, the Chair of ASIC has confirmed that whilst “ASIC does not seek to prescribe technical standards or to provide expert guidance on cyber security… where we consider that a firm has not met its cyber risk management obligations, we will consider enforcement action to drive changes in behaviour.”¹

Facts

RI Advice Group Pty Ltd (RI Advice) is an Australian company that provides financial services advice. Prior to 1 October 2018, it was a subsidiary of a major Australian bank until it was bought by a large financial conglomerate. It holds an Australian Financial Services Licence (AFSL) under which it permitted independently owned corporate and individual representatives to provide financial services to retail clients on its behalf. In the course of providing financial services, RI Advice’s authorised representatives would electronically receive, store and access confidential and sensitive personal information and documents in relation to their clients (such as names, addresses, health information, contact information and copies of personal documents).

Between June 2014 and May 2020, nine cybersecurity incidents occurred involving RI Advice’s authorised representatives. The incidents included hacked emails and websites, computers being physically hacked, fraudulent and phishing emails, ransomware attacks, and unauthorised access to servers and emails. These attacks had the effect of compromising, and allowing unauthorised third party access to, clients’ personal information.

Following these cybersecurity incidents, inquiries revealed issues in RI Advice’s authorised representatives’ management of cyber risk. For example:

• computer systems did not have up-to-date antivirus software installed and operating;
• there was no filtering or quarantining of emails;
• there were no backup systems in place, or backups were not being performed; and
• poor password practices existed, including sharing of passwords between employees, use of default passwords, passwords and other security details being held in easily accessible places or being known by third parties.²

Up to 15 May 2018, RI Advice had taken some steps to manage cybersecurity risk, including:

• training sessions, professional development events, and information provided via its weekly newsletter for its representatives;
• an incident reporting process where cyber incidents could be discussed; and
• inputting obligations in the “Professional Standards” contractual terms between authorised representatives and RI Advice relating to information security and other relevant areas.³

However, by 15 May 2018, RI Advice did not have adequate documentation, controls and risk management systems for managing risk in respect of cybersecurity across its representative network.

The court noted, however, that after its acquisition by a large financial conglomerate, RI Advice had addressed these historic issues and made significant improvements to its existing cybersecurity risk management systems. These improvements were achieved through:

• independent investigation and review of past failures and cybersecurity practices by external advisors;
• monitoring and auditing compliance with the cybersecurity requirements contained in RI Advice’s Professional Standards; and
• the implementation of a program directly with the authorised representative practices to increase awareness of cybersecurity and assist authorised representatives in identifying and adopting cyber resilience good practices (the Cyber Resilience Initiative) which, by 6 August 2021, the majority of authorised representatives had implemented to a good level (and which RI Advice has continued to implement since).

Outcome

RI Advice admitted, and the court found that:

• by failing to do all things necessary to ensure that the financial services covered by the AFSL were provided efficiently and fairly (by failing to ensure that adequate cybersecurity measures were in place and/or adequately implemented across its authorised representatives from 15 May 2018 until 5 August 2021), RI Advice had contravened s 912A(1)(a) of the Corporations Act 2001 (Cth) (Corporations Act); and
• by failing to have adequate risk management systems, failing to implement adequate cybersecurity and cyber resilience measures, and exposing its authorised representatives’ clients to an unacceptable level of risk, RI Advice had contravened s 912A(1)(h) of the Corporations Act.

There was no penalty ordered however RI Advice was ordered by the court to pay AUD750,000 toward ASIC's costs. RI Advice was also ordered to take certain steps to engage a cybersecurity expert to advise and assist RI Advice’s authorised representative network.

Although the Cyber Resilience Initiative that RI Advice developed and implemented improved cyber security and cyber resilience, the court noted, and RI Advice admitted, that it took too long to implement and ensure such measures were in place across its network.

Key takeaways

• Cybersecurity risk is a significant risk connected with the provision of financial services.
• Even if there are a relatively small number of cybersecurity incidents over a period of time, when considered cumulatively these incidents may be indicative of inadequate cybersecurity systems and processes.
• Providers of financial services, as potential targets for cyber-crime, need to adequately manage cyber risks in order to protect client information and meet their licensing obligations. In particular, companies should manage risk adequately by avoiding delay when taking steps to investigate, monitor and improve identified breaches.
• Though it is not possible to reduce cybersecurity risk to zero, it is possible to materially reduce cybersecurity risk to an acceptable level through adequate cybersecurity documentation and controls. Companies cannot simply be reactive and should proactively engage with cybersecurity experts, provide training to staff, monitor and audit compliance with cybersecurity requirements.
• This is the first case of its kind in Australia and signals that ASIC and other regulators are likely to continue to focus on cyber risk in their regulation of licence conditions relating to financial and professional service providers, and will take enforcement actions when adequate technological systems, policies and procedures are not in place to protect client information.

Looking after data and expecting more attention from regulators and enforcement agencies regarding cybersecurity failures was one of the ten key challenges we identified for in-house counsel in the 2022 Allen & Overy Cross-Border White Collar Crime and Investigations Review.

Footnotes

1. https://asic.gov.au/about-asic/news-centre/speeches/reflections-from-the-asic-chair/
2. See ASIC v RI Advice Group Pty Ltd [2022] FCA 496 [17]
3. Ibid [18]