ASIC puts AFS Licensees on Notice Following Landmark Case: Fail to Adequately Manage Cyber Security Risks and Face the Consequences

For the first time in Australia, in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, the Federal Court has found that an Australian Financial Services (AFS) Licensee, RI Advice, has breached its obligations to provide services ‘efficiently, honestly and fairly’ and to have ‘adequate risk management systems’ due to its inadequate cyber security risk management controls.

This case demonstrates that ASIC is willing to take action against AFS Licensees that fail to have appropriate systems, controls, policies and resources to adequately manage cyber security risks, and it has implications for all organisations that hold sensitive or confidential data.

AFS Licensees and other organisations are urged to regularly review their cyber security measures to ensure they remain up to date with evolving risks and regulatory requirements.

Facts

RI Advice, a subsidiary of IOOF Holdings, is an AFS Licensee that had engaged a number of authorised representatives to provide financial services on its behalf.

Between June 2014 and May 2020, nine cyber security incidents occurred at the practices of RI Advice’s authorised representatives, including ransomware attacks, unauthorised access to email accounts, and the unauthorised remote access of a representative’s server from December 2017 to April 2018, which resulted in third party actors gaining unauthorised access to confidential and sensitive client information.

While RI Advice had organised cyber security training sessions for its representatives and had implemented limited information security controls throughout the business and privacy obligations in its contracts, RI Advice conceded that these steps were inadequate to manage its cyber security risk across its authorised representative practices.

RI Advice took action after May 2018 to engage cyber security consultants and independent experts to investigate specific incidents and to identify and implement measures to address key risks. RI Advice also updated its cyber security policies and introduced measures that required its authorised representatives to hold cyber insurance, but admitted that it took too long to implement these measures across its practices.

Decision

Due to its failure to appropriately manage cyber security risks across its practices, the Court held that RI Advice breached its obligations under section 912A(1)(a) and (h) of the Corporations Act 2001 (Cth), which required RI Advice to ‘provide services efficiently, honestly and fairly’ and to ‘have adequate risk management systems’.

In handing down her judgment, Justice Rofe made it clear that cyber security should be at the front of mind of all AFS Licensees. While acknowledging that it is not possible to eliminate all risks of a cyber attack or security breach, Justice Rofe noted that it is possible to materially reduce cyber security risk through the introduction of appropriate processes, controls, documentation and training.

The Court ordered that RI Advice:

  • pay $750,000 towards ASIC’s costs;

  • engage an independent cyber security expert, at its own cost, to identify and implement any additional measures as are necessary to adequately manage cyber security risks across RI Advice’s authorised representative practices; and

  • provide a written report to ASIC identifying any additional measures that are required to be implemented, as well as the agreed timeframe for implementation and the outcome of the implementation of those measures.

The orders were made by consent of both parties.

Implications

As cyber threats become an increasing and significant risk, it is clear that businesses that hold sensitive or confidential data, such as financial information, will be held accountable if they fail to have measures in place to adequately manage cyber security risk.

ASIC has urged organisations to review their cyber security systems and practices in light of this decision.

Key Take-Aways

This case highlights the need to:

  • Engage cyber security experts to conduct periodic reviews and audits of the data security policies and controls used across your organisation, to inform your business of the adequacy of your cyber security risk management controls and to identify any further risks that need to be addressed.

  • Promptly implement improved controls and compliance measures if any deficiencies are identified within the organisation.

  • Implement documented cyber security and data protection strategies, principles, policies, rules and procedures within the business that are appropriately tailored to the particular business.

  • Implement and maintain appropriate technical measures to identify and protect against cyber threats, such as encryption, firewalls, access controls, two-factor authentication and continuous monitoring systems that detect abnormal events on the organisation’s network.

  • Organise regular staff training regarding data management, security and awareness.

  • Ensure board members are educated regarding cyber security and take responsibility for the cyber security strategy of the business.

  • Have a tailored data breach response plan for the business that assists you to alert key stakeholders and mitigate the impact of a data breach.

  • Ensure that appropriate assessments and remedial steps are taken after cyber incidents occur.

To discuss how Hamilton Locke can assist you in ensuring your business is sufficiently protected against cyber threats, please contact Alex Ninis (Partner), Sarah Gilkes (Partner) or Marcus Hannah (Senior Associate) in Hamilton Locke’s IP & Technology team.