Business lessons from insufficient cybersecurity measures
The case of ASIC v RI Advice Group [2022] FCA 496
With the current online landscape and the 2022 Optus and Medibank cyberattacks, cybersecurity measures should be at the forefront of every business's agenda. The landmark cybersecurity case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 is the first of its kind to find that a financial institution contravened the Corporations Act 2001 (Cth) (Act) by having insufficient cybersecurity measures in place.
This case follows on from ASIC's previous 2020 proceedings against RI Advice Group (see the related cybersecurity articles listed at the end of this page). The 2022 case demonstrates ASIC's regulatory role and highlights the importance of companies complying with their obligations under the Act, including in relation to cybersecurity.
Background
The Defendant, RI Advice Group, was a subsidiary of the ANZ Banking Group that held an Australian Financial Services Licence. It had between 89 and 119 Authorised Representatives (ARs), who provided financial services on the Defendant's behalf. Since 15 May 2018, it had at least 60,000 clients.
During the period from 15 May 2018 to 6 August 2021, the Defendant was held to have contravened sections 912A(1)(a) and (h) of the Act. Because it had failed to have documentation and controls adequate to manage cybersecurity risks, it was determined that the financial services the Defendant provided were not provided efficiently, honestly and fairly, and that it did not have adequate risk management systems.
The relevant sections of the Act are provided below:
(1) A financial services licensee must:
(a) do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly; and …
(h) …have adequate risk management systems; …
The Defendant acknowledged that, prior to 15 May 2018, it had no documentation, controls or risk management systems adequate to manage cybersecurity risks. Moreover, compliance with the professional standard requirements for financial advisers was not audited.
The inadequacy of the Defendant's cybersecurity measures was illustrated by the absence of up-to-date antivirus software, of email filtering or quarantining, and of backup systems. Password practices were also poor: passwords were shared, default passwords remained in use, and passwords were stored in easily accessible locations.
Between 2014 and 2020, nine cybersecurity incidents occurred, including the hacking of email accounts, website providers, servers and a reception computer. Notably, in some incidents fraudulent emails were sent to clients requesting fund transfers, and clients' personal information was compromised, held for ransom and used without authorisation.
From early 2018, in response to some of these incidents, the Defendant took various security steps, including training sessions, incident reports, professional standards, compliance auditing and the engagement of external security advisory firms. However, these practices were not adequately incorporated or complied with by all of the Defendant's ARs until 6 August 2021.
Since the parties had settled the matter, and the Defendant admitted that it was in breach and should have had more robust cybersecurity measures in place, the Judge had to consider whether there was a proper basis for making the declarations and orders the parties proposed.
Judgement Reasons
It was declared that the Defendant was in breach of sections 912A(1)(a) and (h) of the Act.
Further, under section 1101B(1) of the Act, the Defendant was ordered to establish a cybersecurity compliance program and to continue its engagement of the external cybersecurity expert.
To be in breach of section 912A(1)(a) of the Act, there does not need to be a dishonest act. An act or omission that falls short of a reasonable standard of performance in providing fair and efficient services is sufficient. Further, services must be provided with competence, assessed by reference to social and commercial norms and standards. Although inadequate procedures and training were held to be a failure to act efficiently and fairly, no specific social or commercial norm was identified as having been breached by the Defendant.
It was also considered that, since cyber risk management is a highly technical area, it requires the expertise of a relevantly skilled person. The adequacy of risk management must therefore be assessed with the input of people with technical expertise in the area, rather than by reference to the general public.
The Court considered it appropriate to make the declaration to deter future contraventions of financial services laws, notwithstanding that the Defendant's conduct was careless and unintentional rather than deliberate.
ASIC, as a public regulator, had a real interest in bringing the matter: to ensure that licensees are aware that the relevant provisions of the Act apply to the management of cybersecurity risks, and that the public is protected from breaches of sensitive information.
Need Assistance? We can help
With criminals increasingly targeting victims online, it is vital for businesses to maintain adequate and up-to-date cybersecurity measures, including security protocols and systems. Meeting ASIC's cybersecurity expectations requires consideration of each business's individual circumstances and capacity.
Our expert team at Corney & Lind Lawyers has extensive experience in advising on the provisions of company policies and procedures, the roles and expectations of company directors, and responding to the legal ramifications of cybersecurity incidents. Contact our team for further assistance and tailored, informed advice, or call us on (07) 3252 0011 to book an appointment with one of our lawyers today.
This article was written by a Corney & Lind law clerk
Related Cybersecurity Articles
https://corneyandlind.com.au/litigation/cyber-security-for-australian-business/
https://corneyandlind.com.au/commercial-litigation/asic-cybersecurity-privileged-documents-test-case/
https://corneyandlind.com.au/litigation/cyber-security/guide-notifiable-data-breaches-scheme/