The regulatory stakes for financial services organisations were highlighted in a recent case, with judicial recognition of the heightened cyber risk environment and the obligation to take steps to mitigate that risk.
On 5 May 2022, the regulatory stakes for Australian Financial Services (AFS) licensees were highlighted in the Federal Court’s decision in ASIC v RI Advice Group Pty Ltd  FCA 496.
In the first ever enforcement action undertaken by ASIC in relation to AFS licensee obligations in the context of cyber security, Justice Rofe found that RI Advice Group Pty Ltd (RI Advice) had contravened the Corporations Act 2001 (Cth) (Corporations Act) by failing to have adequate 'controls and documentation' in place to manage cyber security risks across its authorised representative (AR) network. The AR network of RI Advice had experienced nine cyber security attacks over six years. Whilst ASIC had originally argued that the appropriate controls and documentation constituted a detailed set of 68 cyber security measures, the findings (which were agreed between the parties on the eve of trial) abandoned this position.
Although no civil penalty was imposed, the Court ordered RI Advice Group to engage a cyber security expert to report on measures required to improve its cyber security and cyber resilience across its AR network and agree to timing for implementation. It also ordered RI Advice to report back to ASIC and contribute to ASIC's costs in the proceedings.
Justice Rofe held (based on agreed facts and orders made by consent between the parties) that there was a proper basis for making declarations that from 15 May 2018 to 5 August 2021, RI Advice had contravened:
- section 912A(1)(a) of the Corporations Act – by failing to do all things necessary to ensure the financial services covered by its AFS licence were provided 'efficiently, honestly and fairly'. This is because it failed to ensure that adequate cyber security measures were in place or adequately implemented across its ARs; and
- section 912A(1)(h) of the Corporations Act – by failing to have adequate risk management systems. In doing so, it failed to implement adequate cyber security and cyber resilience measures and exposed its ARs' clients to an unacceptable level of risk,
and that certain remedial steps be taken under ASICs supervision (i.e. engaging a cyber security expert to monitor and report remediation and implementation measures).
Key observations regarding cyber risk and financial services
Her Honour made the following key observations in relation to cyber risk and the financial services sector:
- cyber security is the ability of organisations to protect and defend its use of cyberspace (digital or computer technologies, systems or networks) from attacks;
- cyber resilience is the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyberspace;
- controls are needed that can be deployed to address evolving cyber risks over time;
- cyber risk increases as financial services are increasingly conducted using digital and computer technologies;
- it is not possible to completely eliminate cyber risk, but it is possible to materially reduce cyber risk to an acceptable level through the implementation of adequate cyber security documentation and controls;
- the practices of RI Advice’s ARs, as providers of financial services, were potential targets for cyber attacks by malicious actors targeting personal information, and that risk increased over time; and
- while external cyber security organisations were engaged in September 2018 to identify risks, identify best practice measures and monitor implementation, RI Advice's ARs took too long to implement those changes (which took place in 2020 to 2021).
Key takeaways for AFS licensees
The decision is a clarion call to financial services organisations to ensure that their risk management systems keep up with heightened risks in the financial services sector.
For AFS licensees, the case highlights the need to:
- conduct cyber maturity and threat assessments in order to understand where their organisation sits against their specific risk management and mitigation needs;
- ensure that cyber risk is integrated into their broader strategic approach of an organisation, in order to maximise the efficiency of risk management from the perspective of people, processes and systems;
- ensure their risk management processes and systems include adequate measures to manage cyber security and integrate cyber resilience;
- ensure their ARs implement and comply with such measures including by undertaking training and monitoring (because the failure of ARs to meet the requirements will give rise to failures by the AFS licensees);
- review these systems periodically aided by appropriately skilled persons to ensure the measures remain up to date with evolving cyber security risks faced by the organisation; and
- ensure that a robust approach is taken to ensure timely implementation (having regard to what the cyber security expert considers is a reasonable practicable time period) of recommendations made regarding changes to such measures.
Her Honour also commented on and clarified recent case law regarding the application of section 912A(1)(a), which requires AFS licensees to 'do all things reasonably necessary to provide financial services efficiently, honestly and fairly' (including where it acts through ARs), stating that:
- the remarks by Justice Allsop in the Westpac Securities case that section 912A(1)(a) was part of the statute's legislative policy to require adherence to 'social and commercial norms or standards of behaviour', did not constitute a test or benchmark but merely provided an overview of the purpose of section 912(1)(a);
- the example provided by Justice Foster in the Camelot Derivatives case that the 'efficiency' requirement will not be met if the performance of a licensee's functions falls short of the 'reasonable standard of performance … that the public is entitled to expect' did not give rise to a test that 'efficiency' always be tested by reference to the expectation of the public (albeit that it may sometimes be appropriate); and
- while the public would expect an AFS license to have adequate cyber security measures, in a technical area such as cyber security, the standard of performance would need to be assessed by reference to evidence from an expert rather than the general public.
This case highlights ASICs increasing focus on cyber security risks, and its willingness to take enforcement action against organisations who fail to adequately mitigate those risks. For more information regarding the cyber security landscape and how organisations (including financial services organisations) can effectively manage contemporary risks, see our recent Perspectives on Cyber Risk Report (2022).
This case is yet another example of the need for AFS licensees to be well informed about cyber risk and take appropriate steps to adequately manage those risk or else risk breaching their AFS licence obligations.
When viewed in conjunction with other recent developments more broadly, including the commencement of the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 on 2 April 2022, this case should further prompt organisations to take a strategic view of their risk management practices. MinterEllison’s latest report on cyber risk and cyber resilience, Perspectives on Cyber Risk 2022 explores the cyber risk landscape, regulatory obligations and steps organisations can take to mitigate risk.