On 5 May 2022, judgment was handed down in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496. The judgment provides crucial insight to holders of Australian Financial Services Licences (Licensees) and their authorised representatives (ARs or AR network) in respect of their cybersecurity obligations.

Gilbert + Tobin acted for RI Advice and its parent company, Insignia Financial (formerly IOOF).

RI Advice had significant success in the proceeding with ASIC withdrawing much of its case and agreeing to seek orders that no penalty should be imposed.

ASIC’s case

ASIC brought proceedings against RI Advice, a Licensee, alleging that RI should have had, but did not have, adequate cybersecurity risk management in place for itself and for each of the independently-owned financial advice practices within RI’s network. ASIC alleged that the “minimum” cybersecurity standard for a Licensee such as RI Advice was a detailed set of 68 cybersecurity “documentation and controls”, and that RI’s failure to have this in place across its network was a breach of section 912A of the Corporations Act 2001.

ASIC heralded this as a test case and has used it to publicly illustrate its stance on cybersecurity. Throughout the conduct of the matter, ASIC maintained that, although there was no published cybersecurity standard for Licensees, the appropriate standard was the one it put forward in the proceeding.

Outcome

On the eve of trial the parties negotiated agreed settlement terms, which were adopted and confirmed by the Court in the judgment.

On any view, the orders ultimately made were a significant departure from ASIC’s pleaded case. Not only did ASIC retreat from its “minimum” cybersecurity standard, it (unusually) agreed to a “no penalty” finding. This was all the more significant given ASIC was seeking significant penalties against RI Advice under the new civil penalty regime for a range of asserted breaches.

The Judge did not find that the breaches actually caused any cyber incident (contrary to some media regarding the case) and specifically noted that it is “not possible to reduce cybersecurity risk to zero” but that such can be reduced to an acceptable level through adequate documentation and controls.

RI Advice did acknowledge two historic contraventions of section 912A arising from its delay in implementing adequate cybersecurity risk management systems. As the Judge found however, “most of the historical issues were addressed by the significant improvements made by RI Advice to its existing cybersecurity risk management systems (after its acquisition by IOOF in October 2018) including taking steps to monitor and audit compliance with the cybersecurity requirements contains in RI Advice’s Professional Standards. The improvements included engaging multiple external advisory firms to investigate past failures and review cybersecurity practices.

The judgment recognises that Insignia Financial’s cybersecurity program, which was implemented across 2020 and 2021, brought the majority of RI Advice’s practices to a good level of cybersecurity.

Key takeaways

  • whereas ASIC had been seeking to effectively set a far-reaching and prescriptive legal standard for cyber security for all Licensees – the judgment sets no such standard;
  • however, cybersecurity risks do fall within the risks Licensees are required to identify and manage under section 912A, including the cyber risks present in the businesses of their authorised representatives;
  • in addition to the identification and management of risks through different controls and measures, it is important to also monitor and audit compliance and where appropriate use the services of external experts;
  • cybersecurity risks must be managed “adequately”. The standard of “adequacy” under section 912A is one for the Court to decide, but the Court’s assessment of the adequacy of any particular set of cyber risk management systems will likely be informed by evidence from relevantly qualified experts. In short, it is not for ASIC to set the standard.