Thinking | 10 May 2022

AFSL holders on notice for cybersecurity failings

By Eden Winokur, Adrian Verdnik, Jacob Uljans, and Alison Baker

RI Advice failed to maintain adequate cybersecurity controls and contravened sections 912A(1)(a) and (h) of the Corporations Act 2001 (Cth), the Federal Court found on 5 May 2022 in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (ASIC v RI Advice).

The case is the first proceeding of its kind in Australia, and Australian Financial Services Licence (AFSL) holders should be aware that adequate cybersecurity protocols are now a core obligation in the provision of financial services.

ASIC v RI Advice is likely a signal of both further regulatory guidance from ASIC and further cybersecurity-related enforcement proceedings. AFSL holders should engage carefully with cybersecurity experts, draw on ASIC's existing guidance on the issue (REP 429, REP 555 and REP 651) and seek legal advice if they are unsure of the extent of their obligations.

Background

RI Advice provides financial services advice to retail clients through a network of authorised representatives (ARs). These ARs were located throughout Australia, including in regional centres, and ranged in scale from sole traders operating from home to practices with one to seven employee advisers.

Up until 30 September 2018, RI Advice was a wholly owned subsidiary of the Australia and New Zealand Banking Group. From 1 October 2018, RI Advice became part of the IOOF Holdings Limited group of companies (IOOF Group).

Between 2014 and May 2020, various RI Advice ARs experienced nine cybersecurity incidents. The incidents included:

  • a client making transfers totalling $50,000 after receiving a fraudulent email from the hacked account of an AR;
  • an unknown hacker gaining unauthorised access to an AR’s server for over three months, compromising the personal information of several thousand clients; and
  • an AR’s server being compromised by a ‘brute force’ attack, with the hacker holding the personal information of 220 clients to ransom.

When RI Advice became aware of one such cybersecurity incident in May 2018, the company made efforts to improve its network’s deficient cybersecurity policies and procedures. By its own admission, these efforts were inefficiently and ineffectually implemented prior to at least 5 August 2021.

ASIC’s case and the proceedings

ASIC alleged that RI Advice contravened its duties under section 912A of the Corporations Act due to:

  • its failure to implement appropriate cybersecurity controls and documentation;
  • its failure to identify the cause of cybersecurity incidents; and
  • its failure to use information it had obtained about cyberattacks within its network of ARs to mitigate the risk of future attacks.

RI Advice was aware of the deficiencies in its cybersecurity controls and repeatedly engaged external consultants to assist in developing cyber risk mitigation strategies. The failure to follow the recommendations of those consultants in a timely fashion was likely critical to the findings against RI Advice.

Section 912A(1) imposes on AFSL holders duties to, among other things:

  • do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly (section 912A(1)(a)); and
  • have adequate risk management systems (section 912A(1)(h)).

Shortly prior to trial, the case settled and the parties jointly sought orders for declaratory relief instead of proceeding to a full hearing. The parties agreed that RI Advice had obligations to ensure that adequate cybersecurity risk management systems were in place and that RI Advice’s cybersecurity documentation, controls and risk management systems were inadequate between 15 May 2018 and 5 August 2021.

Although it jointly requested the same orders as ASIC, RI Advice, in its role as contradictor, argued that it had not breached its obligation to act honestly and that it had engaged in continual improvement of its cybersecurity management systems between 2018 and the present.

In providing declaratory relief, Her Honour held that:

  • a breach of section 912A(1)(a) need not involve ‘dishonesty’ for a contravention to be established – it is enough that the licensee’s conduct be inefficient or unfair;
  • cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level; and
  • breaches of obligations of ‘adequacy’ and ‘efficiency’ regarding cybersecurity should not be determined in the sense of ‘social and commercial norms’ or the ‘expectations of the general public’. Instead, they should be assessed by reference to a reasonable standard of performance determined by experts with knowledge in the field of cybersecurity.

Her Honour made orders requiring RI Advice to:

  • pay ASIC $750,000 towards its costs;
  • engage (at its own expense) an independent cybersecurity firm to identify what further cybersecurity documentation and controls are necessary for RI Advice to adequately manage risk in respect of cybersecurity and cyber resilience; and
  • provide written reports to ASIC identifying any further measures required to adequately manage cybersecurity risk, the agreed timeframe for the implementation of those measures and the outcome of that implementation within 30 days of the agreed timeframe.

Following judgment, ASIC Deputy Chair Sarah Court commented that

‘it is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access… ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment.’

Key takeaways from ASIC v RI Advice

The key takeaways from the decision are:

  • The obligation on AFSL holders to ‘have adequate risk management systems’ includes cybersecurity systems. Most advisers would have considered this to be the case, as cybersecurity is now a fundamental aspect of risk management, but this decision confirms it.
  • AFSL holders should take advice from experts on what a baseline standard of cybersecurity is, in the context of the size and scale of their operations. As there is no agreed industry standard endorsed by ASIC in relation to cybersecurity, the advice of experts, both IT and legal, will be crucial for licensees in determining what systems they ought to implement and maintain to discharge their obligations under section 912A(1).
  • AFSL holders should be implementing cyber risk mitigation strategies as soon as possible. As the RI Advice proceeding illustrates, ASIC is of the view that a delay in implementing appropriate cyber risk mitigation strategies can itself amount to a breach of the section 912A obligations. It will not be enough for organisations simply to contemplate cybersecurity improvements – risk mitigation strategies, such as network security enhancements, should be implemented now.
  • Cyber risk will continue to be an area of regulatory focus for ASIC. Cyber governance and resilience are key components of ASIC’s 2021-25 Corporate Plan and cyber risk is one of ASIC’s highest current priority issues. This judgment is expected to embolden ASIC in pursuing regulatory enforcement action against AFSL holders to drive behavioural change, in circumstances where ASIC considers the licensee has fallen significantly short of its obligations.
  • It is not new law, and the parties agreed, that the obligation in section 912A(1)(a) to ‘do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly’ is compendious, such that a licensee’s conduct must satisfy all three elements to comply with the obligation. As the facts of the matter that underpinned the contraventions were agreed, and the system failures involved were not in dispute, the finding of the Court that the licensee had failed to deliver their financial services ‘efficiently’ is not particularly surprising. What is interesting about the judgment is that the Court also considered such systems failures by the licensee to breach its duty to provide the financial services covered by its licence ‘fairly’. Unfortunately, the Court did not provide detailed analysis of how it came to this position, so we must wait to see whether ASIC and the courts consider the content of this obligation in section 912A(1)(a) further in the future.
  • ASIC’s pursuit of a claim solely on the basis of a breach of section 912A is troubling. In the past, section 912A has typically served as an ancillary cause of action alongside the breach of a different, often more specific, obligation. Although the agreed orders did not include any pecuniary penalty, ASIC did seek civil penalties when it commenced the proceeding, indicating a willingness to pursue such penalties for breaches of the general obligations in their own right (at least in regard to cybersecurity failings on the part of licensees).

Hall & Wilcox's cyber and financial services experts can assist your organisation to handle its regulatory compliance and cyber risk. To discuss whether the right cyber risk mitigation strategies are in place, or what to do if a cyber incident occurs, contact our team.

This article was written with the assistance of Sam Tempone, Lawyer, and Samuel Gard, Law Graduate.
