In ASIC v RI Advice Group Pty Ltd [2022] FCA 496, ASIC brought a claim against a financial services licensee, RI Advice, for failures by its authorised representatives to manage their cyber security risks. While the matter ultimately settled, the approval of the settlement and the proposed orders demonstrate that obligations under section 912A of the Corporations Act 2001 (Cth) (Corporations Act) may extend to the cyber security risks faced by licensees and the adequacy of the risk management systems implemented by the licensees to mitigate that risk.

It was agreed by the parties that RI Advice had breached sections 912A(1)(a) and (h) of the Corporations Act. These subsections require financial services licensees to:

  • do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly
  • have adequate risk management systems.

RI Advice authorised independent representatives to provide financial services on its behalf (authorised representatives). From June 2014 to May 2020, a series of cyber security incidents occurred at the practices of a number of authorised representatives. These incidents involved unknown individuals gaining access to email accounts, online servers and website pages belonging to the authorised representatives, as well as the personal information of their clients. During one incident, an unknown person gained access to an authorised representative's server for several months and collected the private information of thousands of clients.

In 2018, RI Advice identified a number of issues in the management of cyber security risk by the authorised representatives, including failures to update antivirus software, not quarantining emails, using poor password management practices and not having backup systems in place.

From May 2018 to August 2021, RI Advice engaged a cyber security consultant and introduced a 'Cyber Resilience Initiative' to improve its risk management systems.

Rofe J made the following observations relating to the obligations imposed under sections 912A(1)(a) and (h):

  • standards of 'adequacy' relating to cyber risk management systems are ultimately decided by the Court; however, these will likely be informed by evidence from relevant experts
  • risks in relation to cyber security and the controls needed to address them have increased over time, especially as financial services are increasingly being conducted using computer and digital technology
  • RI Advice admitted that, prior to May 2018, it did not have documentation, controls and risk management systems adequate to manage cyber security risk across its authorised representative network
  • RI Advice had admitted that although the new risk management systems it introduced from May 2018 to August 2021 were intended to help it comply with its legal obligations, it took too long to implement them.

Rofe J concluded that RI Advice contravened sections 912A(1)(a) and (h) and made all declarations sought by the parties. Her Honour held that ASIC had a real interest in seeking the declarations as a public regulator and that it was in their best interest to clarify to licensees that sections 912A(1)(a) and (h) apply to the management of cyber security risk. Her Honour also made compliance orders under section 1101B of the Corporations Act compelling RI Advice to engage a cyber security expert to identify further documentation and controls necessary for the adequate management of cyber security and cyber resilience risk.

Going forward, it is imperative that financial services licensees ensure that their authorised representatives have proper controls in place to manage their cyber security risks and to ensure cyber resilience.
