During the 2020–21 financial year, the Australian Cyber Security Centre received over 67,500 cybercrime reports, with incidents targeting large scale companies with increasing frequency. The rise in risk has forced many businesses to address cyber security issues, but it wasn’t until recently that companies faced regulatory consequences for breaching their obligations.
On 5 May 2022, the Federal Court finalised its judgment in the matter of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496. In an Australian first, it was held that RI Advice Group Pty Ltd (RI) had breached its obligations as an Australian Financial Services Licensee (Licensee) by failing to have adequate risk management systems in place to manage its cyber security risks.
The decision is an important lesson for all regulated entities, as it flags ASIC’s increased regulatory focus on business’ cyber security processes. However, the lesson remains the same for all businesses – big or small. All companies should ensure they have the appropriate measures in place to address cyber security breaches or risk receiving significant civil penalties.
how did RI breach cyber security obligations?
RI provides financial services under a third-party business owner model, with authorised representatives providing financial services to clients. Between 2014-2020, RI experienced nine cyber-related incidents. ASIC argued that RI failed to proactively react to these incidents and put into place appropriate measures. ASIC alleged that RI’s failure to have proper cyber security risk management in place breached the general obligations of Licensees under section 912A of the Corporations Act 2001 (Cth) (the Act).
minimum standards for cyber security
During the case, ASIC detailed a set of 68 security documentation and control standards which, in its view, would constitute the minimum standards for a Licensee, however, there are currently no published standards for Licensees. At this early stage, the controls put forward by ASIC during the RI matter can be used as a guideline but, given the ambiguity, it is recommended that businesses seek bespoke legal and IT advice when implementing cyber security measures.
RI failed to implement control processes
Although not at the level considered suitable by ASIC, RI did still have control processes in place to manage its cyber security risks. This included professional standards, incident reporting processes, and seeking confirmation from its authorised representatives that they had understood these standards and processes. Their processes improved significantly during 2020/2021. This was not, however, enough to satisfy ASIC as the Regulator still brought proceedings against RI.
outcome
The parties agreed on settlement terms which were accepted by the Court. In her judgment, the Hon. Justice Rofe recognised that it is “not possible to reduce cyber security risk to zero”, but that such risk could still be reduced to an acceptable level.
The Court ordered RI to pay part of ASIC’s legal costs ($750,000) and to engage a cyber security expert to identify and implement further measures, if necessary, to manage their cyber security risks.
Interestingly, ASIC looked to use this as a test case to establish cyber security standards, however, this was not considered in the judgment, with the standards required for licensees to meet their general obligations no clearer.
takeaways
This case highlights the need for Licensees, and all businesses, to review their cyber security processes and ensure they have appropriate measures in place. Given there are no clear standards or obligations, a legal team(whether in-house or external) should be used in collaboration with IT in establishing the appropriate processes required.
Having compliance measures in place will not necessarily mean your business meets its general obligations. Businesses must remain vigilant, have adequate auditing procedures in place, and commit to continue to build upon existing procedures. Technology is constantly evolving, so it is important that businesses’ cyber security risk management strategies and procedures continue to evolve too.
