AFSL holders on notice for cyber security failings

By Eden Winokur, Adrian Verdnik, Jacob Uljans, and Alison Baker

RI Advice failed to maintain adequate cyber security controls and contravened sections 912A(1)(a) and (h) of the Corporations Act 2001 (Cth), the Federal Court has found on 5 May 2022 in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2021] FCA 1193 (ASIC v RI Advice).

The case is the first proceeding of its kind in Australia, and Australian Financial Services Licence (AFSL) holders should be aware that adequate cyber security protocols are now a core obligation in the provision of financial services.

ASIC v RI Advice is likely a signal of both further regulatory guidance by ASIC and cyber security-related enforcement proceedings. AFSL holders should engage carefully with cyber security experts, draw from ASICs existing guidance on the issue (REP 429, REP 555, REP 651) and seek legal advice if they are unsure of the extent of their obligations.

Background

RI Advice provides financial services advice to retail clients through a network of authorised representatives (ARs). These ARs were located throughout Australia, including in regional centres, and ranged in scale from having one to seven employee advisers to being sole traders operating from home.

Up until 30 September 2018, RI Advice was a wholly owned subsidiary of the Australia and New Zealand Banking group. From 1 October 2018, RI Advice became part of the IOOF Holdings Limited group of companies (IOOF Group).

Between 2014 and May 2020, various RI Advice ARs experienced nine cyber security incidents. The incidents included:

• a client making transfers totalling $50,000 after receiving a fraudulent email from the hacked account of an AR;
• an unknown hacker gaining unauthorised access to an AR’s server for over three months, compromising the personal information of several thousand clients; and
• an AR’s server being compromised by a ‘brute force’ attack, with the hacker holding the personal information of 220 clients to ransom.

When RI Advice became aware of one such cyber security incident in May 2018, the company made efforts to improve its network’s deficient cyber security policies and procedures. By its own admission, these efforts were inefficiently and ineffectually implemented prior to at least 5 August 2021.

ASIC’s case and the proceedings

ASIC alleged that RI Advice contravened its duties under section 912A of the Corporations Act due to:

• its failure to implement appropriate cyber security controls and documents;
• failing to identify the cause of cyber security incidents; and
• its failure to use information it had obtained about cyber attacks within its network of ARs to mitigate the risk of future attacks.

RI Advice was aware of the deficiencies in its cyber security controls and repeatedly engaged external consultants to assist in developing cyber risk mitigation strategies. The failure to follow the recommendations of those consultants in a timely fashion was likely critical to the findings against RI Advice.

Section 912A(1) imposes on AFSL holders duties to, among other things:

• do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly (section 912A(1)(a)); and
• have adequate risk management systems (section 912A(1)(h)).

Shortly prior to trial, the case settled and the parties jointly sought orders for declaratory relief instead of proceeding to a full hearing. The parties agreed that RI Advice had obligations to ensure that adequate cyber security risk management systems were in place and that RI Advice’s cyber security documentation, controls and risk management systems were inadequate between 15 May 2018 and 5 August 2021.

Although jointly requesting the same orders as ASIC, in its role as contradictor, RI Advice argued that it had not breached its obligation to act honestly and that it has engaged in continual improvements in its cyber security management systems between 2018 and the present.

In providing declaratory relief, Her Honour held that:

• a breach of section 912(1)(a) need not involve ‘dishonesty’, for a contravention to be established – it is enough that the licensee’s conduct be inefficient or unfair;
• cyber security risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cyber security risk to zero, but it is possible to materially reduce cyber security risk through adequate cyber security documentation and controls to an acceptable level; and
• breaches of obligations of ‘adequacy’ and ‘efficiency’ regarding cyber security should not be determined in the sense of ‘social and commercial norms’ or the ‘expectations of the general public’. Instead, they should be assessed by reference to a reasonable standard of performance determined by experts with knowledge in the field of cyber security.

Her Honour made orders requiring RI Advice to:

• pay ASIC $750,000 towards its costs;
• engage (as its own expense) an independent cyber security firm to identify what further cyber security documentation and controls are necessary for RI Advice to adequately manage risk in respect of cyber security and cyber resilience; and
• provide written reports to ASIC identifying any further measures required to adequately manage cyber security risk, the agreed timeframe for the implementation of those measures and the outcome of that implementation within 30 days of the agreed timeframe.

Following judgment, ASIC Deputy Chair Sarah Court commented that

‘it is imperative for all entities, including licensees, to have adequate cyber security systems in place to protect against unauthorised access… ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cyber security position to improve cyber resilience in light of the heightened cyber-threat environment.’