AFSL holders on notice for cyber security failings
By Eden Winokur, Adrian Verdnik, Jacob Uljans, and Alison Baker
RI Advice failed to maintain adequate cyber security controls and contravened sections 912A(1)(a) and (h) of the Corporations Act 2001 (Cth), the Federal Court has found on 5 May 2022 in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2021] FCA 1193 (ASIC v RI Advice).
The case is the first proceeding of its kind in Australia, and Australian Financial Services Licence (AFSL) holders should be aware that adequate cyber security protocols are now a core obligation in the provision of financial services.
ASIC v RI Advice is likely a signal of both further regulatory guidance by ASIC and cyber security-related enforcement proceedings. AFSL holders should engage carefully with cyber security experts, draw from ASICs existing guidance on the issue (REP 429, REP 555, REP 651) and seek legal advice if they are unsure of the extent of their obligations.
Background
RI Advice provides financial services advice to retail clients through a network of authorised representatives (ARs). These ARs were located throughout Australia, including in regional centres, and ranged in scale from having one to seven employee advisers to being sole traders operating from home.
Up until 30 September 2018, RI Advice was a wholly owned subsidiary of the Australia and New Zealand Banking group. From 1 October 2018, RI Advice became part of the IOOF Holdings Limited group of companies (IOOF Group).
Between 2014 and May 2020, various RI Advice ARs experienced nine cyber security incidents. The incidents included:
- a client making transfers totalling $50,000 after receiving a fraudulent email from the hacked account of an AR;
- an unknown hacker gaining unauthorised access to an AR’s server for over three months, compromising the personal information of several thousand clients; and
- an AR’s server being compromised by a ‘brute force’ attack, with the hacker holding the personal information of 220 clients to ransom.
When RI Advice became aware of one such cyber security incident in May 2018, the company made efforts to improve its network’s deficient cyber security policies and procedures. By its own admission, these efforts were inefficiently and ineffectually implemented prior to at least 5 August 2021.
ASIC’s case and the proceedings
ASIC alleged that RI Advice contravened its duties under section 912A of the Corporations Act due to:
- its failure to implement appropriate cyber security controls and documents;
- failing to identify the cause of cyber security incidents; and
- its failure to use information it had obtained about cyber attacks within its network of ARs to mitigate the risk of future attacks.
RI Advice was aware of the deficiencies in its cyber security controls and repeatedly engaged external consultants to assist in developing cyber risk mitigation strategies. The failure to follow the recommendations of those consultants in a timely fashion was likely critical to the findings against RI Advice.
Section 912A(1) imposes on AFSL holders duties to, among other things:
- do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly (section 912A(1)(a)); and
- have adequate risk management systems (section 912A(1)(h)).
Shortly prior to trial, the case settled and the parties jointly sought orders for declaratory relief instead of proceeding to a full hearing. The parties agreed that RI Advice had obligations to ensure that adequate cyber security risk management systems were in place and that RI Advice’s cyber security documentation, controls and risk management systems were inadequate between 15 May 2018 and 5 August 2021.
Although jointly requesting the same orders as ASIC, in its role as contradictor, RI Advice argued that it had not breached its obligation to act honestly and that it has engaged in continual improvements in its cyber security management systems between 2018 and the present.
In providing declaratory relief, Her Honour held that:
- a breach of section 912(1)(a) need not involve ‘dishonesty’, for a contravention to be established – it is enough that the licensee’s conduct be inefficient or unfair;
- cyber security risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cyber security risk to zero, but it is possible to materially reduce cyber security risk through adequate cyber security documentation and controls to an acceptable level; and
- breaches of obligations of ‘adequacy’ and ‘efficiency’ regarding cyber security should not be determined in the sense of ‘social and commercial norms’ or the ‘expectations of the general public’. Instead, they should be assessed by reference to a reasonable standard of performance determined by experts with knowledge in the field of cyber security.
Her Honour made orders requiring RI Advice to:
- pay ASIC $750,000 towards its costs;
- engage (as its own expense) an independent cyber security firm to identify what further cyber security documentation and controls are necessary for RI Advice to adequately manage risk in respect of cyber security and cyber resilience; and
- provide written reports to ASIC identifying any further measures required to adequately manage cyber security risk, the agreed timeframe for the implementation of those measures and the outcome of that implementation within 30 days of the agreed timeframe.
Following judgment, ASIC Deputy Chair Sarah Court commented that
‘it is imperative for all entities, including licensees, to have adequate cyber security systems in place to protect against unauthorised access… ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cyber security position to improve cyber resilience in light of the heightened cyber-threat environment.’
Key takeaways from ASIC v RI Advice
The key takeaways from the decision are:
- The obligation on AFSL holders to ‘have adequate risk management systems’ includes cyber security systems. Most advisers would have considered this to be the case, as cyber security is now a fundamental aspect of risk management, but this decision confirms it.
- AFSL holders should take advice from experts on what a baseline standard of cyber security is, in the context of the size and scale of their operations. As there is no agreed industry standard endorsed by ASIC in relation to cyber security, the advice of experts, both IT and legal, will be crucial for licensees in determining what systems they ought to implement and maintain to discharge their obligations under section 912A(1).
- AFSL holders should be implementing cyber risk mitigation strategies as soon as possible. As the RI Advice proceeding illustrates, ASIC is of the view that a delay in implementing appropriate cyber risk mitigation strategies can itself amount to a breach of the section 912A obligations. It will not be enough for organisations to simply contemplate cyber security improvements – risk mitigation strategies, such as network security enhancements, should be being implemented now.
- Cyber risk will continue to be an area of regulatory focus for ASIC. Cyber governance and resilience are key components of ASIC’s 2021-25 Corporate Plan and cyber risk is one of ASIC’s highest current priority issues. This judgment is expected to embolden ASIC in pursuing regulatory enforcement action against AFSL holders to drive behavioural change, in circumstances where ASIC considers the licensee has fallen significantly short of its obligations.
- It is not new law, and the parties agreed, that the obligation in section 912A(1)(a) to ‘do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly’ is compendious, such that a licensee’s conduct must satisfy all three elements to comply with the obligation. As the facts of the matter that underpinned the contraventions were agreed, and the system failures involved were not in dispute, the finding of the Court that the licensee had failed to deliver their financial services ‘efficiently’ is not particularly surprising. What is interesting about the judgment is that the Court also considered such systems failures by the licensee to breach its duty to provide the financial services covered by its licence ‘fairly’. Unfortunately, the Court did not provide detailed analysis of how it came to this position, so we must wait to see whether ASIC and the courts consider the content of this obligation in section 912A(1)(a) further in the future.
- ASIC’s pursuit of a claim solely on the basis of a breach of section 912A is troubling. In the past, section 912A has typically served as an ancillary cause of action to the breach of a different, often more specific, obligation. Although the settlement did not account for any pecuniary damages, ASIC did seek civil penalties, indicating a willingness to pursue such penalties for breaches of general obligations in their own right (at least in regard to cyber security failings on the part of licensees).
Hall & Wilcox’s cyber and financial services experts can assist your organisation handle its regulatory compliance and cyber risk. To discuss whether the right cyber risk mitigation strategies are in place, or what to do if a cyber incident occurs, contact our team.
This article was written with the assistance of Sam Tempone, Lawyer, and Samuel Gard, Law Graduate.