Lessons from ASIC’s cyber security test case
May 2022 | Litigation & Dispute Resolution Cyber RiskOn 5 May 2022, the Federal Court declared that RI Advice Group (RI), a holder of an Australian Financial Services Licence (AFS Licence), had contravened s 912A(1)(a) and (h) of the Corporations Act 2001 (Cth) (Act) as a result of its failure to have documentation and controls in respect of cybersecurity and cyber resilience in place to manage associated risks.1
The Court made consent orders requiring RI Advice to engage cybersecurity experts to identify what further documentation and controls were necessary to ensure cybersecurity and cyber resilience, implement such measures and report back to ASIC.
While this case is concerned with the obligations of AFS Licence holders, and the declarations and orders were made by consent, the reasoning of the Court paves the way for future litigation based on inadequate cyber security measures within corporate entities, especially when considered in light of the obligations APP Entities are already required to comply with pursuant to the Australian Privacy Principles under the Privacy Act 1988 (Cth).
Relevant facts
RI’s financial advisory business involved a network of authorised representatives who, in the course of providing advice, received, stored and accessed confidential and sensitive personal information and documents electronically.
Over a period of six years, RI’s business was the subject of nine separate cybersecurity incidents, the most significant of which occurred in December 2017 and compromised the personal information of several thousand clients. RI did not become aware of this incident until May 2018.
The December 2017 incident triggered RI to engage third party consultants to assist in investigation of cybersecurity events and implementation of preventative measures. Those investigations revealed a number of issues in RI’s management of cybersecurity risk. For example, there was no filtering or quarantining of emails, antivirus software was not kept up-to-date, and there were poor password practices and no back-up systems.
Some immediate steps were taken by RI to strengthen its cybersecurity measures, however they were not fully completed until August 2021.
On 21 August 2020, ASIC commenced proceedings against RI alleging it had contravened s 912A(1)(a) to (d), (h) and (5A) of the Act for failing to have appropriate measures in place to guard against cyber risks. The parties agreed to declarations that RI had only contravened (a) - which required it to do all things necessary to ensure that the financial services covered by the AFS Licence were provided efficiently, honestly and fairly and (h) - which required it to have adequate risk management systems.
Standard by which cyber security is to be measured
The Court relevantly noted ‘It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level’.2
The relevant question is to what standard will licensees be held when assessing their compliance with s 912A(1)(a) and (h). In this regard, the Court noted:
‘The assessment of “adequate risk management systems” in the context of cyber risk management, requires consideration of the risks faced by a business in respect of its operations and IT environment. As I have noted above in relation to s 912A(1)(a), cyber risk management is a highly technical area of expertise. While the standard of “adequacy” is ultimately one for the Court to decide, the Court’s assessment of the adequacy of any particular set of cyber risk management systems will likely be informed by evidence from relevantly qualified experts in the field.’3
Implications
Given the ever-evolving threats, this decision reinforces the importance of corporate entities having corporate governance systems in place that facilitate the continual identification and evaluation of cybersecurity risks (using qualified experts) and, where deficiencies are identified, ensure they are addressed in a timely manner. While the focus of this matter was on the obligations imposed on AFS Licence holders under the Act, it is arguably not a giant leap to apply the reasoning in this case to directors’ duties pursuant to s 180(1) of the Act to exercise their powers and discharge their duties with the degree of ‘care and diligence’ that a reasonable person would exercise. This is especially so when considering obligations of APP Entities under the Australian Privacy Principles to keep personal information secure, other statutory obligations (such as under the Security of Critical Infrastructure Act 2018), or contractual obligations.
1 Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496.
2 Ibid [58].
3 Ibid [55].
This article may provide CPD/CLE/CIP points through your relevant industry organisation.
The material contained in this publication is in the nature of general comment only, and neither purports nor is intended to be advice on any particular matter. No reader should act on the basis of any matter contained in this publication without considering, and if necessary, taking appropriate professional advice upon their own particular circumstances.
