ASIC v RI Advice Group: Key lessons in cybersecurity for AFSL … – Lexology

Review your content’s performance and reach.
Become your target audience’s go-to resource for today’s hottest topics.
Understand your clients’ strategies and the most pressing issues they are facing.
Keep a step ahead of your key competitors and benchmark against them.
add to folder:
Questions? Please contact [email protected]
On 5 May 2022, the Federal Court of Australia made a declaration in relation to proceedings commenced by the Australian Securities and Investments Commission (ASIC) against RI Advice Group Pty Limited (RI Advice), an Australian Financial Services Licence (AFSL) holder that maintained a network of authorised representatives across up to 119 practices.
After having suffered a number of cybersecurity incidents, and despite RI Advice having taken steps to manage cybersecurity risks in its authorised representative network in the wake of these incidents, the Federal Court declared that RI Advice had failed to have adequate documentation and controls in place to adequately manage those risks and accordingly, had contravened sections 912A(1)(a) and (h) of the Corporations Act 2001 (Cth) (Corporations Act).
While cybersecurity and information security obligations imposed by regulation is not an unfamiliar concept for certain sectors of the economy (for example, entities regulated by the Australian Prudential Regulation Authority (APRA), who are required to comply with prudential standard CPS 234 on Information Security, and who will soon be required to comply with CPS 230 on Operational Risk Management – see our article on this draft prudential standard here), this case is the first of its kind in Australia to identify statutory obligations for AFSL holders (Licensees) under the Corporations Act in respect of cybersecurity. By virtue of this decision, it is now clear that Licensees in Australia will need to ensure that they have adequate cybersecurity measures in place to manage cyber risk in their businesses and networks.
Significantly, this decision will cause a shift in the threshold for what is best practice in respect of cybersecurity in business and will confer a greater level of responsibility on Licensees’ boards for ensuring that adequate safeguards and risk mitigation strategies are in place – cybersecurity will no longer be pigeonholed as an ‘IT issue’ and will be rebranded as a dynamic and all-encompassing corporate and risk management issue.
Further, this decision makes it clear that cybersecurity risks, vulnerabilities and incidents cannot be viewed in isolation, as a number of smaller incidents, while not appearing significant individually, may indicate a cumulative deficiency in a company’s broader cybersecurity practices and processes.
ASIC v RI Advice Group [2022] FCA 496
Over a six-year period from 2014 to 2020, RI Advice suffered nine separate cybersecurity incidents, ranging from hacking incidents, to payment fraud, to phishing scams. In some circumstances, these incidents led to the unauthorised disclosure of customers’ personal information.
Following a primary incident in December 2017, RI Advice engaged several independent cybersecurity experts to audit RI Advice’s current practices and processes, and recommend improvements to their existing cyber risk management systems and controls. These experts made recommendations that led to RI Advice, three years later in January 2020, implementing its ‘Cyber Resilience Initiative’, which would enable RI Advice to comply with best practice in respect of cybersecurity risk management. However, as RI Advice admitted to the Federal Court, it failed to adopt those recommendations in a timely manner, and ought to have adopted a more robust approach to that implementation, including in respect of its authorised representative network.
In bringing proceedings against RI Advice, ASIC alleged that RI Advice had breached its duties under the Corporations Act by failing to implement appropriate cybersecurity controls and documents, identify the cause of the relevant incidents and mitigate the risk of future incidents.
The case was ultimately settled prior to trial, with the parties seeking declaratory relief from the Federal Court. Ultimately, the parties agreed, and the Federal Court declared, that RI Advice fell-short of its obligations under the Corporations Act, to ensure that’s its financial services were provided ‘efficiently, honestly and fairly’ (section 912A(1)(a)) and to have adequate risk management systems in place (section 912A(1)(h)). Specifically, RI Advice’s cybersecurity documentation and controls, and risk management systems were declared to be inadequate. Further, the occurrence of the nine separate incidents indicated material defects in RI Advice’s compliance measures and ability to detect and manage weaknesses and vulnerabilities in its cyber risk profile.
The Honourable Justice Rofe stated, in relation to the concept of ‘adequacy’ in the context of RI Advice’s cybersecurity controls and systems, at [58]:
‘Risks relating to cybersecurity, and the controls that can be deployed to address such risks evolve over time… It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.’
Further, the Federal Court found that the incidents primarily arose out of a lack of up-to-date anti-virus software, no filtering or quarantine of emails, and poor password practices, such as the limited use of multi-factor authentication.
As a result of the Federal Court’s declaration, RI Advice was required to implement specific cybersecurity and cyber resilience measures by an agreed date and pay contribution to ASIC’s costs of the proceeding in the amount of USD750,000. Further, the Federal Court decided not to make any penalty orders against RI Advice.
The potential impact
Clear statutory obligations
Previously, the key obligations of companies in respect of cybersecurity and information security were found in the Privacy Act 1988 (Cth) (in relation to the protection of personal information and reporting of data breaches) and arose by virtue of directors’ duties under the Corporations Act (as noted by ASIC’s Report 429 ‘Cyber resilience: Health check’ (2015) (Report 429) – aside from sector-specific regulation. However, by virtue of this case, Licensees now have clear obligations under the Corporations Act in respect of cybersecurity in respect of their businesses, IT systems and networks.
Possible penalties
Although RI Advice was only ordered to contribute to ASIC’s costs, the Federal Court could have ordered a more severe penalty. Given that this case places clear statutory responsibilities on Licensees to ensure the implementation of cybersecurity practices, processes and risk mitigation strategies, the next Licensee to find themselves in a similar position to RI Advice may not be able to escape a penalty. This is especially so, as, since the Federal Court’s declaration, section 912A of the Corporations Act has been deemed a civil penalty provision.
What is ASIC’s view?
ASIC states that while cybersecurity practices among regulated entities is getting better, there is more to do. As a result of the Federal Court’s declaration, ASIC also thinks that management of cybersecurity risks should form part of Licensees’ AFSL conditions, and that Licensees must have adequate IT systems, policies and procedures in place to manage cybersecurity risks.
In its Corporate Plan 2022-26 released in August 2022 (Corporate Plan), ASIC has signaled its intention to become a ‘digitally-enabled, data-informed regulator’ and has named cyber risk and operational resilience as a main priority over the next four years, with an intention to develop a regulatory framework focusing on the impact of the use of technology in financial markets (including digital assets, cryptocurrency and decentralised finance (De-Fi)), and take a more proactive hand in enforcement, with a renewed focus on digitally-enabled misconduct.
ASIC also intends to:
Key takeaways for businesses
There are a number of strategies that may be implemented by Licensees, and companies more broadly, in order to ensure that their IT systems and information are protected from cyber risks.
Cybersecurity to be given priority
Given that inadequate cybersecurity measures can now result in a Licensee breaching the Corporations Act, Licensees and their directors should prioritise the enhancement of their cybersecurity infrastructure, processes and practices and should treat cybersecurity as a board responsibility, rather than an ancillary issue relegated to IT departments.
Licensees must, in particular, ensure that robust security and compliance measures are rolled out across the board, with respect to any authorised representatives or credit representatives. These measures should ideally be enforced via contractual obligations and protections, and backed by appropriate indemnities in respect of an affiliated party’s failure to comply with such obligations.
Take a proactive approach
In an increasingly digitised world, cyber threats and risks evolve in sophistication daily. Accordingly, Licensees should take a proactive approach to cybersecurity, and implement measures within their businesses to consistently monitor for and deal with threats, as well as weaknesses and vulnerabilities in respect of their IT systems. Further, Licensees must be careful to ensure that their contractual relationships with downstream IT suppliers are adequate to ensure that Licensees are protected in the event that any cybersecurity incidents affect any information or infrastructure being managed by those downstream suppliers, including by way of indemnities.
Develop a cybersecurity policy
Given that Licensees now have a clear statutory responsibility towards cybersecurity, it would be prudent for Licensees to ensure that a board policy relating to cybersecurity is developed and maintained. This is essential, not only for the protection of customers’, employees’ and confidential commercial information, but it is extremely important to ensure that the Licensee can remain agile and vigilant against the growing threats posed by cybercrime.
In line with ASIC’s recommendations to following the advice of theAustralian Cyber Security Centre, a good cybersecurity policy should:
Further, such a policy should also take into account the extent to which an AFSL holder’s obligations to different regulators (ASIC, APRA, the Office of the Australian Information Commissioner) may overlap, including in respect of notification and reporting of any cybersecurity-related incidents.
Internal education
In addition to having a robust cybersecurity strategy, Licensees should ensure that they implement comprehensive internal cybersecurity education programs, in order to ensure internal compliance, limit exposure to cybersecurity risks and threats and therefore mitigate the risk of:
A high proportion of cyber incidents occur due to human error and inadequate education – a pertinent example of this is employees clicking on emails that are phishing scams. Accordingly, Licensees should take a ground-up view of cybersecurity that starts with building a culture of best practice internally. Such an internal culture should ideally be agile and scalable so it can cater for growth and shift in business operations.
add to folder:
If you would like to learn how Lexology can drive your content marketing strategy forward, please email [email protected].
© Copyright 2006 – 2022 Law Business Research



Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top

Adblock Detected

Please consider supporting us by disabling your ad blocker

Refresh Page