Yesterday, in an industry first, the Federal Court of Australia set a significant precedent and provided clarity on the standard of care required in managing cyber risk in the financial services industry and, by extension, in many other regulated sectors.
The consent judgement in ASIC v RI Advice found that an Australian Financial Services Licensee (RI Advice) had 'failed to have adequate cybersecurity systems in place' and had therefore breached its legal obligations to 'act efficiently and fairly' and to 'have adequate risk management systems in place'.
Until 2018 RI Advice was wholly owned by ANZ; it was then bought by IOOF as part of the bank's divestment following the fallout from the Royal Commission. RI Advice operates a third-party business model under which it authorises independently owned financial advice firms to provide financial services under its AFSL. Since May 2018, RI Advice has shared its AFS licence with approximately 120 third-party Authorised Representative (AR) practices, generally small practices owned by independent financial planners.
Key Take-Away Points from ASIC v RI Advice
The judgement makes for an interesting read, some highlights include:
- Between June 2014 and May 2020, RI Advice had nine cyber-related incidents at the practices of its ARs, including several instances of ransomware, payment fraud and business email compromise (BEC), the latter leading to advice customers receiving targeted fraud attempts sent directly from ARs' compromised mailboxes. It appears that, at least between June 2014 and May 2018, the licensee did very little to implement its own controls or to require its ARs to adopt more secure practices.
- It took RI Advice six months to appoint KPMG to conduct a forensic investigation following a cyber security incident in December 2017.
- Its AR practices clearly had little grasp of good information security practice. Some of the ARs said that because they used 'Cloud software' they did not need information security practices at all. As the judgement puts it, in one case:
the AR Practice used ‘Microsoft Outlook 365’, all of its information was stored ‘in the Cloud’ and that, as such, it had no anti-virus software installed on its systems; and there was one password which everyone in the practice used to access the information stored ‘in the Cloud’
Federal Court of Australia, ASIC v RI Advice, May 2022
- RI Advice published guidelines and procedures for its AR practices, including an 'Information Security Procedures' document, which recommended, among other things, that ARs password-protect documents sent via email that contained personal client information; avoid using personal email addresses such as Gmail; use passwords on IT devices and implement a password policy; and use up-to-date security software including anti-virus. However, these were recommendations only: they were neither mandatory nor audited, so the same kinds of incident kept recurring, and the Federal Court found that RI Advice had in fact breached its obligation to have adequate risk management systems in place.
- RI Advice made several attempts to right its wrongs, including commissioning two independent experts to conduct risk assessments and launching a 'Cyber Resilience Initiative' program in 2019. While this was a good start, the Court criticised the slow implementation, and RI Advice acknowledged that 'it took too long to implement and ensure such measures were in place across its AR Practices.'
- The Court required RI Advice to pay ASIC over $750,000 in legal costs.
What does this mean for Australian businesses?
ASIC v RI Advice sets a new precedent: regulated entities must have adequate cybersecurity practices in place and must manage cyber risk in the same way as any other legal obligation. In practical terms, a regulated entity that is not adequately managing its cybersecurity risk is in breach of its licence obligations.
It also means that a standard of care has now been established: regulated entities are expected to have mature cybersecurity programs in place, or they risk fines or legal action from ASIC.
This reaffirms ASIC's jurisdiction over the management of cyber risk, and we are likely to see more enforcement activity in this space.
The full Federal Court judgement can be viewed here.
What can my organisation do to improve its cybersecurity practices?
Organisations looking to improve their cybersecurity should contact our Governance, Risk and Compliance experts, who specialise in assessing and improving cybersecurity resilience.