
AFSL holders the target of both cybercriminals and ASIC: Failure to protect against cyberattacks results in judgment against financial services licensee

“Cyber security risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cyber security risk to zero, but it is possible to materially reduce cyber security risk through adequate cyber security documentation and controls to an acceptable level.”1

Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 is ASIC’s first successful action against an Australian Financial Services Licence (AFSL) holder for failure to have adequate cyber security systems in place. The case is a warning to all AFSL holders that they must take cyber security seriously and implement adequate risk management systems. Failure to do so could result in a breach of their licence conditions and a contravention of the law.

Section 912A(1)(h) of the Corporations Act 2001 (Cth) requires an AFSL holder to “have adequate risk management systems”. The recent decision against RI Advice Group Pty Ltd (RI Advice) confirmed this includes management of cyber security risks. The case demonstrates that ASIC will not hesitate to commence proceedings against AFSL holders for failing to have sufficient cyber security measures to protect their clients and others.

The case

On 5 May 2022 the Federal Court handed down its decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd. The Court made declarations and orders by consent on the basis of facts agreed between ASIC and RI Advice, by which RI Advice:

  1. admitted to contravening sections 912A(1)(a) and (h) of the Corporations Act 2001 (Cth) (the Act) by failing to implement proper policies and controls for its authorised representatives to adequately manage risk, cyber security and cyber resilience;
  2. agreed to compliance orders requiring RI Advice to engage a cybersecurity expert and to provide the cybersecurity expert’s report to ASIC on RI Advice’s efforts to improve its cyber security; and
  3. agreed to pay ASIC’s costs of $750,000.

RI Advice had many authorised representatives providing financial services to at least 60,000 retail clients under its AFSL between May 2018 and May 2020. The authorised representatives electronically received, stored and accessed confidential and sensitive personal information and documents in relation to their retail clients.

Between June 2014 and May 2020 RI Advice’s authorised representatives were involved in 9 significant cyber security incidents. These included:

  1. a fake home page being placed on an authorised representative’s website;
  2. an authorised representative’s main reception computer being subject to ransomware attack making certain files inaccessible;
  3. personal information of 220 clients being held for ransom and not recovered after a server was hacked through a remote access port;
  4. unauthorised access to email addresses and fraudulent emails requesting bank transfers; and
  5. phishing emails sent from employees’ email addresses.2

A review of RI Advice’s management of cyber security risk found that some of the authorised representatives’ computer systems:

  1. did not have up to date antivirus software;
  2. did not filter or quarantine emails;
  3. had no backup systems in place; and
  4. did not implement good password practices among employees.

As the AFSL holder, RI Advice was required to ensure adequate measures were in place to protect it, its authorised representatives, their clients and others from cyber security risks.

Once the evident lack of adequate cyber security measures was identified, RI Advice implemented stricter cyber security controls over a period of 18 months. However (as part of its agreed settlement terms with ASIC), RI Advice admitted that it took too long to implement adequate cyber security measures across all of its authorised representatives.3

The Court considered that by failing to ensure its authorised representatives maintained adequate cyber security measures, RI Advice had contravened section 912A(1)(a) of the Act, which requires licensees to do all things necessary to ensure that the financial services covered by their licence are provided efficiently, honestly and fairly.4

Section 912A(1)(h) of the Act requires an AFSL holder to “have adequate risk management systems”. The Court found that RI Advice also contravened section 912A(1)(h) of the Act in that it failed to have adequate risk management systems and exposed the clients of its authorised representatives to an unacceptable level of risk.5 The Court considered that whether a licensee had “adequate risk management systems” to manage cyber security risks was likely to be informed by evidence from relevantly qualified experts in the field,6 on the basis that:

“Cyber risk management is not an area where the relevant standard is to be assessed by reference to public expectation. Rather, the adequacy of risk management must be informed by people with technical expertise in the area”.7

RI Advice’s failure to have adequate systems in place to manage cyber security risks, and failure to update its systems once it became aware of inadequacies resulted in RI Advice being ordered to report its steps to improve cybersecurity to ASIC and ultimately being required to pay ASIC’s costs of the proceedings in the amount of $750,000.

“But it won’t happen to us…”

“The [authorised representatives] as providers of financial services were potential targets for cyber related attacks and cybercrime by malicious actors targeting personal information. That risk increased over time”.8

The onus on AFSL holders to manage the threat posed by cyber-attacks will only become greater. In the past year, both overseas and in Australia, companies have been victims of high profile cyber-attacks, including (and increasingly) ransomware attacks.9 Ransomware is malicious software that renders a computer or its files unusable until a ransom is paid to release the data. Ransomware has evolved to include stealing sensitive data with the threat of releasing it. In 2021 it was reported that there had been a 15% increase in ransomware attacks reported to the Australian Cyber Security Centre (ACSC).10

In 2021 the Federal Government announced its Ransomware Action Plan.11 A key aspect of the Ransomware Action Plan was the inclusion of a mandatory reporting scheme for large companies affected by ransomware, who are required to provide the Australian Government with information about the cyber-attack, including whether a ransom was paid.12 Currently those affected by cyber-attacks can choose to, but are not required to, report the incident to the ACSC.13

The Ransomware Action Plan is intended to only apply to companies with a turnover of more than AU$10 million.14 In Australia it is not just large businesses that are targeted: there is evidence that small businesses are the target of nearly half of all cybercrimes.15 It follows that as large and better resourced targets strengthen their cyber security, those larger targets become unattractive and it becomes more likely that medium and small businesses (which generally have fewer resources to dedicate to cyber security) will become the next targets.

Key takeaways

The decision in RI Advice emphasises that AFSL holders must understand the importance of cyber resilience and cyber security, take advice from suitably qualified experts, and ensure that advice is acted on promptly and regularly audited. An adequate cyber security system today may not be adequate tomorrow.

AFSL holders are responsible for the cyber security and resilience of their authorised representatives and must have controls in place to adequately manage the risk of a cyberattack.16 Failure to do so could expose the AFSL holder to regulatory action from ASIC in addition to the business, financial and reputational risk of a cyber security breach.

The best way to ensure compliance is to regularly take advice from qualified cyber security experts and implement their recommendations. While the costs of implementing adequate systems can be significant, those costs will become insignificant in comparison to the potential costs which may result if your business is targeted by cyber criminals—or ASIC.

For more information, please contact the authors:
Thaw Thaw Htin | Principal
Alex Tharby | Senior Associate

Disclaimer: The information published in this article is of a general nature and should not be construed as legal advice. Whilst we aim to provide timely, relevant and accurate information, the law may change and circumstances may differ. You should not therefore act in reliance on it without first obtaining specific legal advice.

Footnotes

  1. Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, [58].
  2. Ibid [16].
  3. Ibid [24].
  4. Ibid [65].
  5. Ibid [66].
  6. Ibid [53]–[55].
  7. Ibid [47].
  8. Ibid [59].
  9. See for example the high profile ransoms of $5 million paid by Colonial Pipeline and $14.2 million paid by JBS Foods in 2021.
  10. Ransomware Action Plan, pp 1–2; see following text.
  11. The Australian Government Ransomware Action Plan is accessible here. This is in addition to the Security Legislation Amendment (Critical Infrastructure) Bill 2020 which mandates reporting of serious cyber security incidents with respect to critical infrastructure assets.
  12. Ransomware Action Plan, p 6.
  13. There are reporting obligations with respect to personal information under the Privacy Act 1988 (Cth).
  14. It is not explicit in the Ransomware Action Plan but widely reported, including by the Liberal Party: https://nsw.liberal.org.au/Shared-Content/News/2021/New-plan-to-protect-Australians-against-ransomware
  15. Small Business Cyber Security Best Practice Guide, Australian Small Business and Family Enterprise Ombudsman.
  16. https://www.pwc.com.au/publications/audit-risk-insights/cyber-present-threat.html
