Cyber on ASIC's mind: AFS licensees told to manage cyber risk adequately or face enforcement action
The Federal Court of Australia has handed down its judgment in the first proceedings brought by ASIC against a company for failing to have adequate cybersecurity systems in place.
On 5 May 2022, the Federal Court of Australia declared that RI Advice Group Pty Ltd (RI Advice) breached its obligations under section 912A of the Corporations Act 2001 (Cth) (Corporations Act) in relation to cybersecurity risk management. The decision clarifies obligations in relation to adequate cyber resilience and risk management. Read our earlier blog post in relation to this test case.
Background
In August 2020, ASIC commenced landmark proceedings against RI Advice alleging that RI Advice had breached its general obligations under section 912A of the Corporations Act to act efficiently and fairly, and to have adequate risk management systems, by failing to have in place adequate cyber resilience systems and practices. This is the first time ASIC has pursued enforcement action against a company for failure to maintain adequate cybersecurity practices.
An Australian Financial Services Licence (AFSL) holder, RI Advice manages a network of Authorised Representatives (ARs) who each receive, store and access personal information in respect of retail clients.
Nine cybersecurity incidents took place between June 2014 and May 2020 across the national network of ARs. These involved the hacking of email accounts and file servers, the use of ransomware and the compromise of personal information of several thousand clients.
ASIC brought proceedings against RI Advice for its failure to have implemented “policies, plans, procedures, strategies, standards, guidelines, frameworks, systems, resources and controls” which were reasonably appropriate to adequately manage risk in relation to cybersecurity.
Decision
Shortly before the final hearing in the matter was due to commence, both parties agreed to settle the proceedings, and orders were ultimately made by consent. RI Advice admitted that at all material times it was required to identify the risks faced by its ARs in the course of providing financial services, including in respect of cybersecurity and cyber resilience.
The Federal Court defined cybersecurity as the ability of an organisation to protect and defend the use of cyberspace from attacks, and cyber resilience as the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber sources.
In handing down its decision, the Federal Court considered the general obligations of AFSL holders under section 912A(1) of the Corporations Act with respect to cybersecurity, in particular to:
- do all things necessary to ensure that the financial services covered by the AFSL are provided efficiently, honestly and fairly; and
- have adequate risk management systems.
The Federal Court made the following key findings:
- Adequate cyber risk management includes having documentation, controls and risk management systems in place that are adequate to manage risk in respect of cybersecurity and cyber resilience.
- Assessing “adequate risk management systems” requires consideration of the risks faced by a business in respect of its operations and IT environment. The Court will also rely on qualified experts in the cyber field to inform it of the risk environment.
- The phrase “efficiently, honestly and fairly” is to be read ‘compendiously’ rather than as containing three discrete behavioural norms.
- Conduct may fail to meet the statutory definition even if it cannot be described as dishonest. Accordingly, acts or omissions can breach the statutory standard by reason of a failure by the AFSL holder to act “efficiently and fairly” without there being a need to also prove a failure to act honestly.
- Services are to be provided with “competence” in complying with relevant statutory obligations.
Her Honour Justice Rofe noted the link between the increased reliance on technology in financial services and the increase in cybersecurity risk, and how cybersecurity risk forms a significant risk connected with the conduct of the business and the provision of financial services. Rofe J further stated that whilst it is not possible to reduce cybersecurity risk to zero, it is possible to materially reduce the risk through adequate documentation and controls.
RI Advice was ordered to pay $750,000 towards ASIC’s costs and to consult with a specified cybersecurity expert to identify and implement any further documentation and controls and report to ASIC on the outcome of the implementation of any further measures.
Lessons for AFSL holders
At the time of most of the contraventions by RI Advice, a breach of section 912A did not give rise to a pecuniary penalty. Since the expansion of the civil penalty regime in February 2019, individuals or bodies corporate that breach section 912A may be subject to pecuniary penalties. ASIC has stated that it will seek pecuniary penalties against AFSL holders for breaches of section 912A, including in relation to a failure to manage cyber risk.
Whilst the Federal Court decision itself does not lay down any specific guidance as to what adequate risk management controls are – and whether certain controls are considered to be adequate will differ from business to business – it does make clear that the standard of care and adequacy in relation to cyber risk management systems for a particular business will require an assessment by a cybersecurity expert – who could be external or internal – who possesses relevant technical expertise. To the extent not already done, this approach should be adopted by AFSL holders looking to enhance their systems.
It remains clear that cybersecurity will continue to be an enforcement priority for ASIC. At FINSIA's ‘The Regulators’ event on 13 May 2022, ASIC Commissioner Cathie Armour identified cybersecurity as a business strategy requiring greater board engagement and capability to respond to a cyber incident, and that cybersecurity should be considered a "business issue", not only as an "IT issue".
ASIC has published its expectations for AFSL holders to:
- be aware of the potential consumer harms that arise from cybersecurity shortcomings;
- adopt good cybersecurity risk management practices to reduce potential harm to consumers;
- actively manage cyber risks and continuously improve cybersecurity, including assessing cyber incident preparedness and reviewing incident response and business continuity plans;
- act quickly in the event of a cyber incident to minimise the risk of ongoing harm; and
- report cyber incidents to the Australian Cyber Security Centre, which has separately put in place eight essential mitigation strategies for organisations to protect themselves against many cyber vulnerabilities.
ASIC has also highlighted that dual regulated AFSL holders will have obligations to comply with the standards of other regulators, such as the Australian Prudential Regulation Authority.
Organisations can review more detailed information on cybersecurity and cyber resilience contained in ASIC’s good practice guidance.