In the recent case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, the Federal Court of Australia considered for the first time the cybersecurity obligations of Australian Financial Services ("AFS") licensees and their authorised representatives ("ARs").

While the matter was settled by consent orders, the case is still important because it paves the way towards establishing that the "core obligations" under section 912A of the Corporations Act 2001 (Cth) ("Corporations Act") require that AFS licensees and their ARs have adequate cybersecurity and cyber resilience measures in place.

This article provides an overview of the case and offers guidance to organisations on what they can do to ensure they have adequate procedures in place.

The proceedings

In 2020, ASIC commenced proceedings against RI Advice Group Pty Ltd (RI Advice) in the Federal Court of Australia, alleging it had failed to comply with its obligations as an AFS licensee under section 912A of the Corporations Act (the core obligations).

The core obligations include obligations for an AFS licensee to:

  • do all things necessary to ensure that the financial services covered by the AFS licence are provided efficiently, honestly and fairly;
  • have available adequate resources (including financial, technological and human resources), to provide the financial services covered by the AFS licence and to carry out supervisory arrangements; and
  • have adequate risk management systems.

ASIC argued that these core obligations extend to cybersecurity and cyber resilience, and required RI Advice to:

  • identify the risks that it and its ARs faced in the course of providing financial services on RI Advice's behalf, including in relation to cybersecurity and cyber resilience; and
  • have strategies, frameworks, policies, plans, procedures, standards, guidelines, systems, resources and controls in place that were adequate to manage risk in respect of cybersecurity and cyber resilience for itself and across its network of ARs.

ASIC argued that RI Advice had not met these requirements, and as evidence of this cited its handling of and response to nine cybersecurity incidents experienced by ARs of RI Advice between 2014 and 2020.

The inquiries made by RI Advice following the incidents revealed a variety of issues with the ARs' management of cybersecurity risk, including:

  1. computer systems which did not have up-to-date antivirus software installed and operating;
  2. no filtering or quarantining of emails;
  3. no backup systems in place, or backups not being performed; and
  4. poor password practices, including sharing of passwords between employees, use of default passwords, and passwords and other security details being held in easily accessible places or being known by third parties.

Outcome

In May 2022, the proceedings were settled by consent orders. In making the orders and declarations requested by the parties, Justice Rofe was required to consider whether those orders and declarations were consistent with the public interest and appropriate in the circumstances. Her Honour held that they were appropriate, on the basis that RI Advice had admitted that it did not have documentation, controls and risk management systems that were adequate to manage risk in respect of cybersecurity across its AR network prior to May 2018, and acknowledged that the measures it developed from 2018 to 2021 to improve cybersecurity and cyber resilience for the ARs took too long to implement.

On this basis, Her Honour found that RI Advice had failed to comply with its obligations under its AFS licence to:

  • do all things necessary to ensure that the financial services covered by the AFS licence are provided efficiently, honestly and fairly; and
  • have adequate risk management systems.

In addition, the consent orders required that RI Advice:

  1. engage a cybersecurity expert to conduct an audit to identify what further documentation and controls are necessary for RI Advice to adequately manage risk in respect of cybersecurity and cyber resilience across its network of ARs, and implement any further measures recommended by that consultant; and
  2. pay a contribution to ASIC's costs in the amount of $750,000.

Key implications

As the matter was settled before it proceeded to trial and was resolved by consent orders, it is important not to overstate its importance as legal precedent. Some commentators do not make clear that the court's orders were agreed to by the parties as part of their settlement, rather than being determined by a judge after a trial. Others mischaracterise the $750,000 as a penalty imposed on RI Advice, rather than an amount RI Advice agreed to pay towards ASIC's costs.

Nevertheless, the court's decision remains important because the orders included an admission by RI Advice that the core obligations do extend to cybersecurity and cyber resilience as alleged by ASIC, and required RI Advice to:

  • identify the risks that it and its ARs faced in the course of providing financial services on RI Advice's behalf, including in relation to cybersecurity and cyber resilience; and
  • have strategies, frameworks, policies, plans, procedures, standards, guidelines, systems, resources and controls in place that were adequate to manage risk in respect of cybersecurity and cyber resilience for itself and across its network of ARs,

and that RI Advice had failed to meet those requirements.

While ASIC might have preferred a trial and a judicial determination of the precise extent of these obligations, these orders, and the admissions by RI Advice, will still go some way towards establishing these obligations in the minds of judges, ASIC and AFS licensees. It is not difficult to foresee this case giving ASIC the confidence to take similar action against other AFS licensees who do not have adequate cybersecurity and cyber resilience measures in place in the future.

The obligation to have adequate cybersecurity and cyber resilience measures in place is a significant one for AFS licensees. Heavy civil penalties can apply to a breach of the core obligations in section 912A of the Corporations Act. For corporations, the maximum financial penalty is the greater of:

  • 50,000 penalty units ($11.1m);
  • three times the value of the benefit obtained or detriment avoided by the contravention; or
  • 10 per cent of the corporation's annual turnover (capped at a maximum of $555m).

Furthermore, the breach reporting regime under the Corporations Act requires an AFS licensee to notify ASIC of any breach of the core obligations, regardless of severity or impact. As such, AFS licensees who suffer, or whose ARs suffer, a cyber incident will need to consider whether that cyber incident is indicative of a breach of the core obligations and, if so, report the matter to ASIC.

What can AFS licence holders do to ensure they have adequate cybersecurity and cyber resilience?

In her judgment, Justice Rofe notes that:

"Risks relating to cybersecurity, and the controls that can be deployed to address such risks evolve over time. As financial services are increasingly conducted using digital and computer technology, cybersecurity risk has also increased. Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level."

In light of this case, it is imperative that AFS licensees and their ARs ensure that they have strategies, policies, plans and controls in place to manage their cybersecurity risk.

This process should begin by conducting a risk assessment of systems and devices, to consider the security risks that they pose by assessing the nature of the systems and the data they store. The assessment should also consider broader information handling processes within the organisation, and business activities which may be vulnerable to fraud or social engineering (such as the processing of payment instructions).

Following that assessment, the organisation should prepare a written set of security policies and processes to mitigate the risk of a security breach, including a plan for responding to a breach once detected.

Once these policies and processes have been developed, they should be implemented without delay. Training should be conducted and other resources made available to staff and ARs to ensure they understand and follow these policies and processes. AFS licensees will also need to revisit their contracts with ARs, to ensure that the ARs have clear contractual obligations regarding cybersecurity, including to follow the AFS licensee's policies and processes and to promptly notify the AFS licensee of incidents.

In this case, Justice Rofe highlighted that, while RI Advice did take steps to improve its cybersecurity in 2018, it took too long (over three years) to implement its improved measures and did not have adequate auditing and compliance mechanisms to ensure its ARs actually understood and implemented those measures.

After cybersecurity measures are implemented, regular audits should be conducted to ensure they are operating as intended in all parts of the organisation. Most security measures create a degree of inconvenience for staff and are therefore vulnerable to "workarounds" that can be as simple as propping open a secure door.

Finally, as Her Honour points out, cybersecurity risks and controls evolve over time. Cybersecurity policies and processes should be revisited regularly and updated to address new threats and lessons learned.