The decision in ASIC v RI Advice Group has wide-reaching implications for AFSL holders, and should prompt many to review their cyber-security arrangements ASAP. The AB Cyber team explains in more detail below.
What does this decision mean for AFS Licensees?
Not everyone needs the detail, so let's start with what's important.
Two key takeaways from the case as we see them:
ASIC v RI Advice Group
In a landmark decision, the Federal Court has found that financial services firm, RI Advice, had breached its licence obligations by failing to implement adequate risk management systems to manage its cybersecurity risks.
Australian Securities and Investments Commission v RI Advice Group Pty Ltd  FCA 496 is the first time that ASIC has exercised its enforcement powers in relation to the adequacy of cybersecurity risk management controls.
RI Advice Group Pty Ltd (RI Advice) holds an Australian Financial Services Licence (AFSL) (the Licence) which allows it to authorise independently-owned corporate authorised representatives (AR) to provide financial services to retail clients on its behalf pursuant to the Licence. These ARs electronically received, stored, and accessed confidential and sensitive personal information and documents in relation to their retail clients.
Between June 2014 and May 2020, nine cybersecurity incidents occurred at the practices of RI's ARs. Notably, in May 2017 an incident occurred where an AR's server was hacked by brute force through a remote access port. This resulted in files containing personal information of approximately 220 clients being held for ransom and ultimately rendered not recoverable.
Obligations under the Corporations Act 2001
Under s 912A, the Act does not impose any AFSL obligations that are specific to cybersecurity or privacy – so ASIC sought to rely on two general obligations – in particular the obligations to:
Efficiency requirement under s 912A(1)(a)
In this case, Rofe J indicates at  that cyber risk management is a “highly technical area of expertise” and accordingly, the “assessment of the adequacy of any particular set of cyber risk management systems requires the technical expertise of a relevantly skilled person“.
Her Honour elaborates that this is not to be assessed by the expectations of the general public (at ). It is clarified at  that the public is “entitled to expect a reasonable standard of performance from a financial licensee“. This expectation must be differentiated from knowledge of the “content” of cybersecurity risk management (at ).
Adequacy requirement under s 912A(1)(h)
At , Rofe J comments that the focus of “adequacy” is on the risk management systems. In the case of RI Advice, Her Honour observes that this would place the focus on the risks to AR's and the “necessity for RI Advice to have “adequate” systems to manage those risks“.
The assessment of this adequacy requirement, in the context of cyber risk management, “requires consideration of the risks faced by a business in respect of its operations and IT environment” (at ). Similar to the aforementioned efficiency requirement, the adequacy requirement would also likely be informed by evidence from relevantly qualifed experts in the field.
The Court held that RI contravened:
RI Advice has been ordered to pay $750,000 towards ASIC's costs and to engage a cybersecurity expert.
Significance of cybersecurity risk management
Cybersecurity risks are a significant risk in relation to the conduct of businesses and the provision of financial services. Its importance is reinforced by the increasing use of and reliance on technology in financial services.
Importantly, Rofe J comments at  that while “it is not possible to reduce cybersecurity risk to zero…it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation an controls to an acceptable level.“
Sarah Court, Deputy Chair at ASIC, further illuminates the importance of having an adequate cybersecurity systems in place to protect against unauthorised access and encourages following the advice of the Australian Cyber Security Centre.
Rofe J's judgment was reasonably limited in this decision because ASIC and RI Advice had settled beforehand, meaning that some of ASIC's claims are still untested.
However, ASIC's original pleadings, particularly its Second Amended Statement of Claim, provides insight into ASIC's significant expectations as to how financial services entities ought to manage cyber risks. Summarily, this includes an extensive and prescriptive list of steps to undertake following a cybersecurity incident as well as ensuring an appropriate incident response and remediation plan.
Notably, we may see an increased use of s 912A, which previously was more used as a secondary pleading. This landmark decision may signal a new emphasis on s 912A as a primary pleading for enforcement actions.
Get in touch
AB has a deep expertise in Cyber and Privacy, and provides a suite of services in this space including Cyber Health Checks.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
© Mondaq® Ltd 1994 – 2022. All Rights Reserved.
Forgot your password?
Free, unlimited access to more than half a million articles (one-article limit removed) from the diverse perspectives of 5,000 leading law, accountancy and advisory firms
Articles tailored to your interests and optional alerts about important changes
Receive priority invitations to relevant webinars and events
You’ll only need to do it once, and readership information is just for authors and is never sold to third parties.
We need this to enable us to match you with other users from the same organisation. It is also part of the information that we share to our content providers (“Contributors”) who contribute Content for free for your use.