The decision in ASIC v RI Advice Group has wide-reaching implications for AFSL holders, and should prompt many to review their cyber-security arrangements ASAP. The AB Cyber team explains in more detail below.

What does this decision mean for AFS Licensees?

Not everyone needs the detail, so let's start with what's important.

Two key takeaways from the case as we see them:

  1. Every licensee should examine its cyber security measures - in its original statement of claim ASIC listed 72 chillingly granular cyber requirements which would now appear to be endorsed (an ASIC guidance note will no doubt follow). At the very least, every licensee needs a documented approach to cyber security.
  2. Neither ASIC nor the courts will shy away from using the generalist licensing provisions (ss 912A(1)(a) and (h)) to bring very specific obligations within the ambit of licensing conditions. Licensees should consider this when thinking about their risk management and other processes across the board.

ASIC v RI Advice Group

In a landmark decision, the Federal Court has found that financial services firm, RI Advice, had breached its licence obligations by failing to implement adequate risk management systems to manage its cybersecurity risks.

Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 is the first time that ASIC has exercised its enforcement powers in relation to the adequacy of cybersecurity risk management controls.

Background

RI Advice Group Pty Ltd (RI Advice) holds an Australian Financial Services Licence (AFSL) (the Licence) which allows it to authorise independently-owned corporate authorised representatives (AR) to provide financial services to retail clients on its behalf pursuant to the Licence. These ARs electronically received, stored, and accessed confidential and sensitive personal information and documents in relation to their retail clients.

Between June 2014 and May 2020, nine cybersecurity incidents occurred at the practices of RI's ARs. Notably, in May 2017 an incident occurred where an AR's server was hacked by brute force through a remote access port. This resulted in files containing personal information of approximately 220 clients being held for ransom and ultimately rendered not recoverable.

Obligations under the Corporations Act 2001

Section 912A of the Act does not impose any AFSL obligations that are specific to cybersecurity or privacy, so ASIC sought to rely on two general obligations – in particular the obligations to:

  1. do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly: s 912A(1)(a); and
  2. have adequate risk management systems: s 912A(1)(h).

(emphasis added)

Efficiency requirement under s 912A(1)(a)

In this case, Rofe J indicates at [46] that cyber risk management is a "highly technical area of expertise" and accordingly, the "assessment of the adequacy of any particular set of cyber risk management systems requires the technical expertise of a relevantly skilled person".

Her Honour elaborates that this is not to be assessed by the expectations of the general public (at [47]). It is clarified at [48] that the public is "entitled to expect a reasonable standard of performance from a financial licensee". This expectation must be differentiated from knowledge of the "content" of cybersecurity risk management (at [49]).

Adequacy requirement under s 912A(1)(h)

At [54], Rofe J comments that the focus of "adequacy" is on the risk management systems. In the case of RI Advice, Her Honour observes that this would place the focus on the risks to ARs and the "necessity for RI Advice to have 'adequate' systems to manage those risks".

The assessment of this adequacy requirement, in the context of cyber risk management, "requires consideration of the risks faced by a business in respect of its operations and IT environment" (at [55]). As with the efficiency requirement above, the adequacy requirement would also likely be informed by evidence from relevantly qualified experts in the field.

The Outcome

The Court held that RI contravened:

  1. Section 912A(1)(a), by failing to do all things necessary to ensure that the financial services covered by its Licence were provided efficiently and fairly, in that it failed to ensure that adequate cybersecurity measures were in place and/or adequately implemented across its ARs.
  2. Section 912A(1)(h), by failing to have adequate risk management systems, in that it failed to implement adequate cybersecurity and cyber resilience measures, exposing its ARs' clients to an unacceptable level of risk.

RI Advice has been ordered to pay $750,000 towards ASIC's costs and to engage a cybersecurity expert.

Significance of cybersecurity risk management

Cybersecurity risks are a significant risk in relation to the conduct of businesses and the provision of financial services. Their importance is reinforced by the increasing use of, and reliance on, technology in financial services.

Importantly, Rofe J comments at [58] that while "it is not possible to reduce cybersecurity risk to zero...it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level."

Sarah Court, Deputy Chair at ASIC, further emphasises the importance of having adequate cybersecurity systems in place to protect against unauthorised access and encourages following the advice of the Australian Cyber Security Centre.

Moving forward...

Rofe J's judgment was reasonably limited in this decision because ASIC and RI Advice had settled beforehand, meaning that some of ASIC's claims are still untested.

However, ASIC's original pleadings, particularly its Second Amended Statement of Claim, provide insight into ASIC's significant expectations as to how financial services entities ought to manage cyber risks. In summary, this includes an extensive and prescriptive list of steps to undertake following a cybersecurity incident, as well as ensuring an appropriate incident response and remediation plan.

Notably, we may see increased use of s 912A, which was previously used more as a secondary pleading. This landmark decision may signal a new emphasis on s 912A as a primary pleading for enforcement actions.

Get in touch

AB has a deep expertise in Cyber and Privacy, and provides a suite of services in this space including Cyber Health Checks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.