Federal Court confirms AFS Licensee obligations include adequate cyber risk management
On 5 May 2022, the Federal Court in ASIC v RI Advice Group Pty Ltd FCA 496 found that an Australian Financial Services Licence (AFSL) holder contravened licensee obligations under section 912A of the Corporations Act 2001 by failing to have adequate cyber risk management systems and procedures between 15 May 2018 and 5 August 2021.
This landmark decision is a first in Australia.
Whilst it confirms that AFSL holders must have adequate cyber risk management procedures to meet their licensee obligations, uncertainty remains as to what licensees must have in place to meet their regulatory obligations. AFSL holders should also consider their notification obligations to ASIC following a cyber incident in light of the decision.
RI Advice is a financial services provider that was owned by Australia and New Zealand Banking Group Limited until 30 September 2018 and was acquired by IOOF Holdings Limited (IOOF).
Between June 2014 and May 2020, authorised representatives (ARs) of RI Advice suffered 9 cyber incidents. The incidents included business email compromises (BEC) resulting in the transfer of funds by clients to fraudsters, supply chain attacks resulting in the compromise of an AR’s website, ransomware attacks, and unauthorised access to email accounts resulting in phishing attacks.
The most significant incident involved unauthorised access to an AR’s server between December 2017 and April 2018, which resulted in the exfiltration of personal information for thousands of clients.
RI Advice only became aware of this incident on 15 May 2018 and acknowledged that the documentation, controls, and risk management measures that were in place at that time to address cyber risk were not adequate to manage the risk across its AR network.
Investigations and reports following each of the incidents identified a range of issues with cyber security risk management. These included (among others):
- a failure to use up-to-date antivirus software;
- no filtering or quarantining of emails;
- backup systems and procedures that were either not in place or not being performed; and
- poor password and security practices.
After being acquired by IOOF in October 2018, RI Advice significantly improved its cyber risk management systems. This included the development of a program called the Cyber Resilience Initiative with an external provider in 2019, which was implemented by most ARs by 5 August 2021.
Shortly before the hearing date, ASIC and RI Advice agreed to a settlement and provided the Court with proposed orders, agreed facts and submissions in support.
After considering these documents, Justice Rofe held that RI Advice:
- failed to have adequate cyber risk management documents, controls, systems and procedures between 15 May 2018 and 5 August 2021;
- failed to do all things necessary to ensure the financial services covered by the licence were provided efficiently and fairly, in contravention of s 912A(1)(a) of the Corporations Act; and
- failed to have adequate risk management systems, in contravention of s 912A(1)(h) of the Corporations Act.
RI Advice admitted that, although it had identified and implemented measures between 15 May 2018 and 5 August 2021 to improve cyber security and resilience to meet its understanding of its obligations, it took too long to implement those measures. On account of the above, RI Advice admitted that it contravened the Corporations Act.
RI Advice was also ordered to pay ASIC’s costs in the sum of $750,000.
In addition, the Court made orders requiring RI Advice to engage a cyber security expert to identify and implement any additional measures required to adequately manage cyber risk and to keep ASIC suitably informed of the process.
As ASIC and RI Advice agreed to the outcome of the matter and did not require the Court to consider their positions in any detail, there is limited guidance on what licensees need to do to meet their cyber risk management obligations under s 912A.
However, in her reasons for judgment, her Honour stated that:
- the assessment of the adequacy of any particular set of cyber risk management systems requires the technical expertise of a relevantly skilled person; and
- while the standard of “adequacy” is for the Court to decide, the Court’s assessment of any particular set of cyber risk management systems will likely be informed by evidence from relevantly qualified experts.
It is now clear that AFSL holders must have in place adequate cyber risk management policies and procedures to comply with their licence obligations under the Corporations Act. In particular, they must ensure that ARs under their licence have implemented, and are complying with, those policies and procedures.
There is uncertainty around the standard an AFSL holder needs to meet. However, the decision indicates that experts should be engaged to identify and implement suitable cyber risk management systems. This is an important but complex process.
For example, the measures implemented by RI Advice after engaging suitable experts encompassed a broad range of matters including training and awareness, patching of software and applications, personal information storage and transmission, multi-factor authentication, backup requirements, contractual warranties and obligations, incident response planning, and cyber insurance. These are all matters an organisation should be incorporating into its cyber risk management systems.
The Court also noted that adequate risk management will materially limit but not eliminate cyber risk. However, incident response planning forms part of adequate risk management and it is important that suitable experts are engaged to respond to and manage an incident.
Given the terms of this decision, an AFSL holder should, as part of its response to an incident, assess whether it needs to notify ASIC of the cyber incident in light of its obligations under the Corporations Act.
ASIC has been increasingly investigating cyber incidents. AFSL holders should now expect to hear from ASIC if they have suffered an incident and prepare a suitable response.
If you need help to gauge or improve your cyber resilience, or to deal with a cyber incident, Gilchrist Connell can assist with a range of services and expertise. We also assist businesses with identifying their regulatory and contractual system and data security obligations.