Managing Cyber Security Risks: Key Learnings From Australia’s First Test Case – Jd Supra

Managing cyber security risks: key learnings from Australia’s first test case – JD Supra

Allen &Amp; Overy Llp
For the first time in Australia, a court has held in an action brought by Australia’s financial services regulator, ASIC, that the failure by a company to have adequate risk management systems in place to manage cybersecurity incidents was a breach of financial services licensee obligations.
Although the declaration and orders in ASIC v RI Advice Group Pty Ltd [2022] FCA 496 were made by consent of the parties, this represents a landmark decision in Australia’s enforcement of cybersecurity principles. It serves as a warning to Australian companies operating pursuant to an Australian financial services licence that the risks they are obliged to manage as a condition of their licence include cybersecurity risks, and that their cybersecurity risk management systems face increasing scrutiny, and enforcement action, by regulators. It is not clear how these particular incidents were brought to ASIC’s attention. However, the Chair of ASIC has confirmed that whilst “ASIC does not seek to prescribe technical standards or to provide expert guidance on cyber security… where we consider that a firm has not met its cyber risk management obligations, we will consider enforcement action to drive changes in behaviour.”1
RI Advice Group Pty Ltd (RI Advice) is an Australian company that provides financial services advice. Prior to 1 October 2018, it was a subsidiary of a major Australian bank until it was bought by a large financial conglomerate. It holds an Australian Financial Services Licence (AFSL) under which it permitted independently owned corporate and individual representatives to provide financial services to retail clients on its behalf. In the course of providing financial services, RI Advice’s authorised representatives would electronically receive, store and access confidential and sensitive personal information and documents in relation to their clients (such as names, addresses, health information, contact information and copies of personal documents).
Between June 2014 and May 2020, nine cybersecurity incidents occurred involving RI Advice’s authorised representatives. The incidents included hacked emails and websites, computers being physically hacked, fraudulent and phishing emails, ransomware attacks, and unauthorised access to servers and emails. These attacks had the effect of compromising, and allowing unauthorised third party access to, clients’ personal information.
Following these cybersecurity incidents, inquiries revealed issues in RI Advice’s authorised representatives’ management of cyber risk. For example:
Up to 15 May 2018, RI Advice had taken some steps to manage cybersecurity risk, including:
However, by 15 May 2018, RI Advice did not have adequate documentation, controls and risk management systems for managing risk in respect of cybersecurity across its representative network.
The court noted, however, that after its acquisition by a large financial conglomerate, RI Advice had addressed these historic issues and made significant improvements to its existing cybersecurity risk management systems. These improvements were achieved through:
RI Advice admitted, and the court found that:
There was no penalty ordered however RI Advice was ordered by the court to pay AUD750,000 toward ASIC’s costs. RI Advice was also ordered to take certain steps to engage a cybersecurity expert to advise and assist RI Advice’s authorised representative network.
Although the Cyber Resilience Initiative that RI Advice developed and implemented improved cyber security and cyber resilience, the court noted, and RI Advice admitted, that it took too long to implement and ensure such measures were in place across its network.
Looking after data and expecting more attention from regulators and enforcement agencies regarding cybersecurity failures was one of the ten key challenges we identified for in-house counsel in the 2022 Allen & Overy Cross-Border White Collar Crime and Investigations Review.
See more »
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Allen & Overy LLP | Attorney Advertising
Refine your interests »
This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.
Back to Top
Explore 2022 Readers’ Choice Awards
Copyright © JD Supra, LLC


Leave a Comment

Leave a Reply

Your email address will not be published.

Bringing New Voices to Cybersecurity – Government Technology

NIST updates HIPAA cybersecurity guidance – Security Magazine

170 cybersecurity trainees have graduated from the USIU Cyber Shujaa program – HapaKenya – HapaKenya

Major Updates to the CMMC: What You Need to Know –