Deficient Cybersecurity Risk Management – ASIC’s Test Case against RI Advice Group

Amy Cooper-Boast and Elizabeth Carroll-Shaw

On 5 May 2022, the Federal Court of Australia handed down judgment in ASIC’s first enforcement case in relation to inadequate management of cybersecurity risks. Justice Rofe (in the Victorian Registry) found that the general duties of Australian financial services licensees extend to ensuring that they, and their authorised representatives, have in place adequate cybersecurity and cyber resilience measures.

It had been widely expected that the judgment would lay down minimum required standards for cyber resilience and security. Instead, the judgment largely gives effect to a settlement reached shortly before trial, in which the defendant, RI Advice Group Pty Ltd (RI), admitted to various failures. Nevertheless, ASIC intends for this case to ‘drive a change in behaviour’ across not only the financial services sector but Australian businesses more generally, by encouraging all entities, under ASIC’s watchful eye, to ‘adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment’.[1]

Cybersecurity failures

RI carries on a financial services business through its large national network of independently-owned authorised representatives, who provide financial services to retail clients on its behalf. RI’s authorised representatives consisted of corporates (with 1 to 7 advisers) and sole traders operating from home.[2] In the four years from May 2018, RI’s network of authorised representatives had provided financial services to at least 60,000 retail clients.[3]

In the course of providing these financial services, RI’s authorised representatives electronically received, stored and accessed clients’ confidential and sensitive personal information (such as contact details, health information, driver’s licences, passports and financial documents).

ASIC did not allege that RI itself was the subject of a cyber incident, but rather that a relatively small number of its authorised representatives were impacted.

Between June 2014 and May 2020 (as admitted by RI), nine cybersecurity incidents occurred at practices of RI’s authorised representatives, including:[4]

  1. Unauthorised server access and installation of malicious software, resulting in the potential compromise of the personal data of several thousand individuals. A number of the affected individuals subsequently reported unauthorised use of their personal information (such as bank accounts being opened in their names).
  2. Hacking or impersonation of authorised representatives’ email accounts, resulting in their clients receiving phishing emails or fraudulent emails requesting bank transfers. One client was tricked into transferring $50,000 (approximately half of which was later recovered).
  3. Ransomware attacks, resulting in the information of at least 220 clients being encrypted and not recovered.
  4. The installation of a fake home page on an authorised representative’s website, following the hacking of their third-party website provider.

ASIC’s case against RI

ASIC commenced its proceedings against RI in August 2020.

ASIC alleged, and RI eventually conceded, that the general duties of a financial services licensee under s 912A of the Corporations Act 2001 (Cth) encompass risk management obligations in respect of cybersecurity and cyber resilience, despite the absence of any statutory wording to that effect.

The overarching duties require a licensee to (among other things) ‘do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly’ (s 912A(1)(a)) and to ‘…have adequate risk management systems’ (s 912A(1)(h)).

ASIC contended that to properly discharge these s 912A duties, RI was required to:[5]

  1. identify the cybersecurity and resilience risks that its authorised representatives faced in the course of providing financial services; and
  2. have in place documentation, controls and risk management systems that were adequate to manage cyber risk across its authorised representative network.

ASIC sought declarations that RI had contravened its general s 912A obligations by failing to have, and to have implemented with its authorised representatives, policies, plans, procedures, strategies, standards, guidelines, frameworks, systems, resources and controls reasonably appropriate to manage risk in respect of cybersecurity and cyber resilience. ASIC also sought a civil penalty order (in an amount to be determined by the Court) and compliance orders.

More specifically, ASIC also alleged that RI was required to have certain ‘Minimum Cybersecurity Requirements’.[6] It identified 13 ‘Cybersecurity Domains’, with 68 expected documents that it said represented the minimum standard required to satisfy the general obligations of a financial services licensee in managing cyber risk.[7]

In the absence of any specific laws or regulations or compulsory industry standards mandating the alleged ‘Minimum Cybersecurity Requirements’, ASIC formulated these proposed baseline expectations by reference to publicly-available (but not mandatory) cybersecurity guidelines, including the Australian Cyber Security Centre’s Essential Eight Model, and an expert report.[8]

RI’s admissions

RI admitted that it did not have adequate documentation, controls or risk management systems for cybersecurity across its authorised representative network prior to May 2018. In 2018 (around the time of its acquisition by IOOF), RI had engaged external cybersecurity experts to undertake a review of its cybersecurity risk management systems. It had implemented initiatives to increase cybersecurity awareness amongst its authorised representatives and to assist them to adopt good cyber resilience practices.[9] RI acknowledged, however, that those measures had been implemented too slowly, and that it should have had ‘a more robust implementation of its program’ to ensure that a majority of its network complied with those measures earlier than August 2021.[10]

Federal Court judgment

Unsurprisingly, in light of RI’s admissions, the Federal Court found that RI:

  1. breached s 912A(1)(a) in that it failed to do all things necessary to ensure that its financial services were provided efficiently and fairly, by failing to ensure that adequate cybersecurity measures were in place and/or adequately implemented across its authorised representatives; and
  2. breached s 912A(1)(h) in that it failed to have adequate risk management systems, by failing to implement adequate cybersecurity and cyber resilience measures and exposing clients of its authorised representatives to an unacceptable level of risk.[11]

Given RI’s admissions, it was not necessary for the Federal Court to consider ASIC’s proposed minimum baseline for expected cybersecurity. Justice Rofe acknowledged that, while it fell to the Court to determine the adequacy of cyber risk management, this was a ‘highly technical area of expertise’ that must be informed by reference to qualified experts in the field, and not public expectation.[12] It is clear that expert evidence will play a critical role in any enforcement proceedings which ASIC may bring in the future against other entities.

After noting that cybersecurity risk is a significant business risk that evolves over time, the Federal Court observed that ‘[i]t is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.’[13]

Ultimately, the Federal Court determined that it was appropriate to give effect to the parties’ settlement and ordered that RI:

  1. engage, at its own cost, an independent cybersecurity expert to identify and assist with the implementation of any further documentation and controls necessary to adequately manage cyber risk across RI’s network of authorised representatives;
  2. commission a written report from that expert on the implementation of any such further measures, to be provided to ASIC within 30 days of completion of an agreed timeframe; and
  3. pay $750,000 towards ASIC’s costs of the proceedings.

Pursuant to the agreed settlement, ASIC did not press for a pecuniary penalty against RI.

Observations

The Federal Court’s judgment draws to a close ASIC’s test case in relation to cyber risk governance, seven years after ASIC began warning Australian directors and entities of their responsibilities for building and maintaining cyber resilience.[14] The decision has a number of important implications.

  • For financial services licensees: The case represents the first positive finding that the general s 912A statutory obligations owed by Australian financial services licensees extend to ensuring that they have adequate risk management measures to reduce cybersecurity risks to an acceptable level. Significantly, this extends to managing cybersecurity risks faced by any of their authorised representatives, even if they are independently owned.
  • For Australian businesses: While this test case relates to s 912A, ASIC has made clear that it is intended to send a general message to Australian businesses that ‘cyber risk is very much the new frontier of market integrity’, and that all entities must adopt enhanced cybersecurity positions to improve cyber resilience.[15] ASIC has flagged that cyber governance and resilience failures are among its top three corporate governance priorities for 2022.
  • For directors and officers: It is well-established that directors and officers owe a statutory duty of care and diligence pursuant to s 180(1) of the Corporations Act in managing all foreseeable risks to their entity and its interests.[16] Evidently, and increasingly, this duty includes cyber risk management. The decision serves as a stark reminder of this significant, known and continually evolving risk.
  • Where to next: Leaving aside discrete regulatory regimes, and while recommended guidelines are available, neither Parliament nor the Courts have prescribed mandatory baseline criteria for cyber risk management. ASIC, and the Federal Court’s decision in this case, have each emphasised the importance of guidance from qualified experts.[17] Against this backdrop and the cybersecurity focus signalled by ASIC and other regulators, entities and their Boards would be well-served to carefully and proactively review and monitor the adequacy of their own cyber risk management systems, controls and documentation, and consider whether independent expert assistance would be of value.

[1] ASIC Chair Joseph Longo, ‘ASIC’s corporate governance priorities and the year ahead’ (Speech delivered at the AICD Australian Governance Summit, Melbourne Convention Centre, 3 March 2022) (ASIC 2022 Priorities); ASIC, ‘Court finds RI Advice failed to adequately manage cybersecurity risks’ (Media Release 22-104MR, 5 May 2022) (ASIC May 2022 Media Release).

[2] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2021] FCA 1193 (Strike Out Decision) per Rofe J at [8].

[3] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (Enforcement Decision) per Rofe J at [15].

[4] Enforcement Decision at [16]; Agreed Facts annexed to Enforcement Decision at [9].

[5] Enforcement Decision at [27] – [28].

[6] Strike Out Decision at [47].

[7] Strike Out Decision at [47] – [48].

[8] Strike Out Decision at [75] – [77], [86] and [94] – [101].

[9] Enforcement Decision at [21] – [22] and [60].

[10] Enforcement Decision at [24].

[11] Enforcement Decision at [65] – [66].

[12] Enforcement Decision at [46] – [47] and [55].

[13] Enforcement Decision at [58].

[14] ASIC, Cyber resilience: health check, Report 429 (March 2015) at [9] – [10] and [180] – [192].

[15] ASIC 2022 Priorities and ASIC May 2022 Media Release.

[16] Australian Securities and Investments Commission v Cassimatis (No 8) [2016] FCA 1023 at [483].

[17] ASIC 2022 Priorities and Enforcement Decision at [46], [47], [49] and [55].

Australia

LK Law Pty Ltd
Level 23, 25 Grenfell Street
Adelaide SA 5000
Australia
Telephone: +61 8 8239 4600

London

LK Law LLP
33 Black Friars Lane
London EC4V 6EP
United Kingdom
Telephone: +44 20 7400 2180