ASIC v RI Advice Group: Key lessons in cybersecurity for AFSL holders and ASIC’s plan ahead

On 5 May 2022, the Federal Court of Australia made a declaration in relation to proceedings commenced by the Australian Securities and Investments Commission (ASIC) against RI Advice Group Pty Limited (RI Advice), an Australian Financial Services Licence (AFSL) holder that maintained a network of authorised representatives across up to 119 practices.

After having suffered a number of cybersecurity incidents, and despite RI Advice having taken steps to manage cybersecurity risks in its authorised representative network in the wake of these incidents, the Federal Court declared that RI Advice had failed to have adequate documentation and controls in place to adequately manage those risks and accordingly, had contravened sections 912A(1)(a) and (h) of the Corporations Act 2001 (Cth) (Corporations Act).

While cybersecurity and information security obligations imposed by regulation is not an unfamiliar concept for certain sectors of the economy (for example, entities regulated by the Australian Prudential Regulation Authority (APRA), who are required to comply with prudential standard CPS 234 on Information Security, and who will soon be required to comply with CPS 230 on Operational Risk Management – see our article on this draft prudential standard here), this case is the first of its kind in Australia to identify statutory obligations for AFSL holders (Licensees) under the Corporations Act in respect of cybersecurity. By virtue of this decision, it is now clear that Licensees in Australia will need to ensure that they have adequate cybersecurity measures in place to manage cyber risk in their businesses and networks.

Significantly, this decision will cause a shift in the threshold for what is best practice in respect of cybersecurity in business and will confer a greater level of responsibility on Licensees’ boards for ensuring that adequate safeguards and risk mitigation strategies are in place – cybersecurity will no longer be pigeonholed as an ‘IT issue’ and will be rebranded as a dynamic and all-encompassing corporate and risk management issue.

Further, this decision makes it clear that cybersecurity risks, vulnerabilities and incidents cannot be viewed in isolation, as a number of smaller incidents, while not appearing significant individually, may indicate a cumulative deficiency in a company’s broader cybersecurity practices and processes.

ASIC v RI Advice Group [2022] FCA 496

Over a six-year period from 2014 to 2020, RI Advice suffered nine separate cybersecurity incidents, ranging from hacking incidents, to payment fraud, to phishing scams. In some circumstances, these incidents led to the unauthorised disclosure of customers’ personal information.

Following a primary incident in December 2017, RI Advice engaged several independent cybersecurity experts to audit RI Advice’s current practices and processes, and recommend improvements to their existing cyber risk management systems and controls. These experts made recommendations that led to RI Advice, three years later in January 2020, implementing its ‘Cyber Resilience Initiative’, which would enable RI Advice to comply with best practice in respect of cybersecurity risk management. However, as RI Advice admitted to the Federal Court, it failed to adopt those recommendations in a timely manner, and ought to have adopted a more robust approach to that implementation, including in respect of its authorised representative network.

In bringing proceedings against RI Advice, ASIC alleged that RI Advice had breached its duties under the Corporations Act by failing to implement appropriate cybersecurity controls and documents, identify the cause of the relevant incidents and mitigate the risk of future incidents.

The case was ultimately settled prior to trial, with the parties seeking declaratory relief from the Federal Court. Ultimately, the parties agreed, and the Federal Court declared, that RI Advice fell-short of its obligations under the Corporations Act, to ensure that’s its financial services were provided ‘efficiently, honestly and fairly’ (section 912A(1)(a)) and to have adequate risk management systems in place (section 912A(1)(h)). Specifically, RI Advice’s cybersecurity documentation and controls, and risk management systems were declared to be inadequate. Further, the occurrence of the nine separate incidents indicated material defects in RI Advice’s compliance measures and ability to detect and manage weaknesses and vulnerabilities in its cyber risk profile.

The Honourable Justice Rofe stated, in relation to the concept of ‘adequacy’ in the context of RI Advice’s cybersecurity controls and systems, at [58]:

‘Risks relating to cybersecurity, and the controls that can be deployed to address such risks evolve over time… It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.’

Further, the Federal Court found that the incidents primarily arose out of a lack of up-to-date anti-virus software, no filtering or quarantine of emails, and poor password practices, such as the limited use of multi-factor authentication.

As a result of the Federal Court’s declaration, RI Advice was required to implement specific cybersecurity and cyber resilience measures by an agreed date and pay contribution to ASIC’s costs of the proceeding in the amount of USD750,000. Further, the Federal Court decided not to make any penalty orders against RI Advice.

The potential impact

Clear statutory obligations

Previously, the key obligations of companies in respect of cybersecurity and information security were found in the Privacy Act 1988 (Cth) (in relation to the protection of personal information and reporting of data breaches) and arose by virtue of directors’ duties under the Corporations Act (as noted by ASIC’s Report 429 ‘Cyber resilience: Health check’ (2015) (Report 429) – aside from sector-specific regulation. However, by virtue of this case, Licensees now have clear obligations under the Corporations Act in respect of cybersecurity in respect of their businesses, IT systems and networks.

Possible penalties

Although RI Advice was only ordered to contribute to ASIC’s costs, the Federal Court could have ordered a more severe penalty. Given that this case places clear statutory responsibilities on Licensees to ensure the implementation of cybersecurity practices, processes and risk mitigation strategies, the next Licensee to find themselves in a similar position to RI Advice may not be able to escape a penalty. This is especially so, as, since the Federal Court’s declaration, section 912A of the Corporations Act has been deemed a civil penalty provision.

What is ASIC’s view?

ASIC states that while cybersecurity practices among regulated entities is getting better, there is more to do. As a result of the Federal Court’s declaration, ASIC also thinks that management of cybersecurity risks should form part of Licensees’ AFSL conditions, and that Licensees must have adequate IT systems, policies and procedures in place to manage cybersecurity risks.

In its Corporate Plan 2022-26 released in August 2022 (Corporate Plan), ASIC has signaled its intention to become a ‘digitally-enabled, data-informed regulator’ and has named cyber risk and operational resilience as a main priority over the next four years, with an intention to develop a regulatory framework focusing on the impact of the use of technology in financial markets (including digital assets, cryptocurrency and decentralised finance (De-Fi)), and take a more proactive hand in enforcement, with a renewed focus on digitally-enabled misconduct.

ASIC also intends to:

• implement a cross-industry self-assessment program to benchmark cyber resilience among regulated entities;
• conduct surveillance to monitor cyber and operational resilience among regulated entities;
• harmonise the approach to enforcement and action through partnership with Australia’s other financial regulators and support the implementation of whole-of-government cyber resilience initiatives;
• update Report 429 to incorporate the current thinking on cyber resilience, as well as proposed legal and compliance obligations for regulated entities; and
• take enforcement action against regulated entities in respect of failures to mitigate cybersecurity risks.

Key takeaways for businesses

There are a number of strategies that may be implemented by Licensees, and companies more broadly, in order to ensure that their IT systems and information are protected from cyber risks.

Cybersecurity to be given priority

Given that inadequate cybersecurity measures can now result in a Licensee breaching the Corporations Act, Licensees and their directors should prioritise the enhancement of their cybersecurity infrastructure, processes and practices and should treat cybersecurity as a board responsibility, rather than an ancillary issue relegated to IT departments.

Licensees must, in particular, ensure that robust security and compliance measures are rolled out across the board, with respect to any authorised representatives or credit representatives. These measures should ideally be enforced via contractual obligations and protections, and backed by appropriate indemnities in respect of an affiliated party’s failure to comply with such obligations.

Take a proactive approach

In an increasingly digitised world, cyber threats and risks evolve in sophistication daily. Accordingly, Licensees should take a proactive approach to cybersecurity, and implement measures within their businesses to consistently monitor for and deal with threats, as well as weaknesses and vulnerabilities in respect of their IT systems. Further, Licensees must be careful to ensure that their contractual relationships with downstream IT suppliers are adequate to ensure that Licensees are protected in the event that any cybersecurity incidents affect any information or infrastructure being managed by those downstream suppliers, including by way of indemnities.

Develop a cybersecurity policy

Given that Licensees now have a clear statutory responsibility towards cybersecurity, it would be prudent for Licensees to ensure that a board policy relating to cybersecurity is developed and maintained. This is essential, not only for the protection of customers’, employees’ and confidential commercial information, but it is extremely important to ensure that the Licensee can remain agile and vigilant against the growing threats posed by cybercrime.

In line with ASIC’s recommendations to following the advice of theAustralian Cyber Security Centre, a good cybersecurity policy should:

• be tailored in accordance with the size, complexity and particular risk factors of the relevant Licensee and its IT infrastructure;
• contemplate the types of data held by that Licensee in order of criticality and sensitivity (e.g. commercially-sensitive information, third party information, customer/personal information), as well as the way in which that data flows throughout the organisation;
• outline relevant arrangements with third party IT suppliers or any other third parties with whom a Licensee shares information;
• provide for limitations on personnel’s access to information where appropriate, as well as conventions for information access (e.g. passwords and multi-factor authentication);
• articulate the perceived IT system weaknesses and vulnerabilities and implement tailored controls to address them;
• provide for a procedure for ongoing threat analysis;
• identify the roles and responsibilities internally in respect of information security and establish a robust governance framework to deal with cybersecurity issues;
• identify internal policies and protocols for responding to and dealing with cybersecurity incidents, including data breaches – if these do not exist, they should also be developed; and
• implement monitoring strategies in respect of unauthorised access to information.

Further, such a policy should also take into account the extent to which an AFSL holder’s obligations to different regulators (ASIC, APRA, the Office of the Australian Information Commissioner) may overlap, including in respect of notification and reporting of any cybersecurity-related incidents.

Internal education

In addition to having a robust cybersecurity strategy, Licensees should ensure that they implement comprehensive internal cybersecurity education programs, in order to ensure internal compliance, limit exposure to cybersecurity risks and threats and therefore mitigate the risk of:

• statutory/regulatory/legal liability (data breach penalties etc);
• financial loss through ransomware attacks and theft of commercial or proprietary information; and
• loss of customer confidence/reputation – such cybersecurity incidents can even affect share prices if customer confidence is lost.

A high proportion of cyber incidents occur due to human error and inadequate education – a pertinent example of this is employees clicking on emails that are phishing scams. Accordingly, Licensees should take a ground-up view of cybersecurity that starts with building a culture of best practice internally. Such an internal culture should ideally be agile and scalable so it can cater for growth and shift in business operations.

How can DLA Piper help?

DLA Piper has extensive experience in advising clients (including Licensees) in respect of issues pertaining to cybersecurity, information security and privacy. To this end, DLA Piper can assist clients in coming to understand the particular risks unique to its business and assisting in risk mitigation strategies via the development and implementation of policies, review and negotiation of vendor arrangements and advising in relation to all matters technology, privacy and data security-related.

DLA Piper also has extensive experience in dealing with technology or cyber-related disputes. Our Litigation & Regulatory and Intellectual Property & Technology teams can work side-by-side to handle, in a collaborative an efficient manner, any technology-related disputes arising out of cyber incidents such as ransomware, social engineering, phishing and fraud.