Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (5 May 2022): ss 912A(1)(a) & (h) Corporations Act 2001 (Cth), failure to have adequate cybersecurity risk management in place,
May 14, 2022
The Federal Court, per Rolfe J, in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 made what has widely been described as the first finding that a corporation has breached its licence obligations by failing to have adequate risk management systems to manage its cyber security risks. The Court made declarations of contravention and orders requiring RI Advice to undertake work to improve its security under the supervision of an expert.
The orders were made in terms agreed between the parties just before the trial was scheduled to commence.
I have followed this proceeding closely with the posts “ASIC commences action against RI Advice Group Pty Ltd for failing to have adequate cyber security” in August 2020 and “ASIC v RI Advice Group Pty Ltd cyber security civil penalty trial pushed off from a 29 November 2021 hearing date to a date in April 2022” in May 2021.
FACTS
The Court provided a factual background, stating that RI Advice:
- was:
- up to and including September 2018, a wholly-owned subsidiary of Australia and New Zealand Banking Group Limited (ANZ); and
- from 1 October 2018, along with two other ANZ financial licensees, part of the IOOF Holdings Limited (IOOF) group of companies [12].
- carries on a financial services business within the meaning of s 761A of the Corporations Act (“the Act”) under a third-party business owner model.
- under s 916A of the Act, authorises independently-owned corporate authorised representatives (“ARs”) and individual authorised representatives to provide financial services to retail clients on RI Advice’s behalf and pursuant to the Licence [13].
The AR Practices (practices of groups of one or more Authorised Representatives):
- electronically received, stored and accessed confidential and sensitive personal information and documents in relation to their retail clients. The personal information included:
(a) personal details, including full names, addresses and dates of birth and in some instances health information;
(b) contact information, including contact phone numbers and email addresses; and
(c) copies of documents such as driver’s licences, passports and other financial information [14].
- since 15 May 2018 have provided financial services to at least 60,000 retail clients [15].
- suffered 9 cybersecurity incidents between June 2014 and May 2020, being:
- in June 2014 an AR’s email account was hacked and five clients received a fraudulent email urging the transfer of funds, one of whom made transfers totalling some $50,000;
- in June 2015 a third-party website provider engaged by an AR Practice was hacked, resulting in a fake home page being placed on the AR Practice’s website;
- in September 2016 one client received a fraudulent email, purporting to be from an employee of an AR Practice, asking for money. The AR Practice used an email platform where information was stored “in the Cloud”, with no anti-virus software and only one password which everyone used;
- in January 2017 an AR Practice’s main reception computer was subject to ransomware delivered by email, making certain files inaccessible;
- in May 2017 an AR Practice’s server was hacked by brute force through a remote access port, resulting in a file containing the personal information of some 220 clients being held for ransom and ultimately not recoverable;
- between December 2017 and April 2018 (December 2017 Incident) an unknown malicious agent had unauthorised access to an AR Practice’s server for several months, compromising the personal information of several thousand clients, some of whom reported unauthorised use of the personal information;
- in May 2018 an unknown person gained unauthorised access to the email address of an AR and sent a fraudulent email to the AR’s bookkeeper requesting a bank transfer;
- an unauthorised person used an AR Practice employee’s email address:
- in August 2019 to send phishing emails to over 150 clients; and
- in April 2020 to send phishing emails to the AR Practice’s contacts [16].
Inquiries and reports following the cybersecurity incidents revealed that there were a variety of issues in the respective ARs’ management of cybersecurity risk, including:
- computer systems not having up-to-date antivirus software installed and operating;
- no filtering or quarantining of emails;
- no backup systems in place, or backups not being performed; and
- poor password practices including:
- sharing of passwords between employees,
- use of default passwords,
- passwords and other security details being held in easily accessible places or being known by third parties [17].
Regarding the incidents, RI Advice:
- until 15 May 2018 did not have documentation, controls and risk management systems that were adequate to manage risk in respect of cybersecurity across its AR network [20].
- in response to the data breaches had taken certain steps and had in place some documentation, controls and risk management measures in respect of cybersecurity risk for its ARs, including:
- training sessions,
- professional development events,
- information provided through RI Advice’s weekly newsletter for ARs;
- setting up an incident reporting process where cyber incidents could be discussed; and
- obligations in the “Professional Standards” contractual terms between ARs and RI Advice relating to:
- information security,
- electronic storage,
- incident notification requirements,
- fraud procedures and
- privacy [18].
- had Professional Standards clauses in its contracts with ARs which contained various recommendations and certain obligations designed to assist AR Practices in protecting client information from cybersecurity risks, including:
- password-protecting documents sent via email that contained clients’ personal information;
- not using personal email addresses;
- using up to date security software;
- backing up data; and
- implementing a password policy [19].
- after being acquired by IOOF in October 2018, addressed most of the historic issues by:
- significantly improving its existing cybersecurity risk management systems, including taking steps to monitor and audit compliance with the cybersecurity requirements contained in RI Advice’s Professional Standards;
- engaging multiple external advisory firms to investigate past failures and review cybersecurity practices [21];
- implementing an IOOF initiative developed in 2019 called the Cyber Resilience Initiative to increase awareness of cybersecurity and assist ARs in identifying and adopting cyber resilience good practices; and
- engaging an external cybersecurity organisation, Security In Depth, to facilitate the Cyber Resilience Initiative during 2020 and 2021 [22]–[23]. By 6 August 2021, the majority of AR Practices had implemented, and had been approved as having implemented to a good level, the majority of the best practices contained in RI Advice’s Cyber Security Support Guide, which it had released to ARs in late 2019 [23].
- admitted that the measures it assessed and developed in order to improve cybersecurity and cyber resilience took too long to:
- implement; and
- ensure were in place across its AR Practices.
- accepted that it should have had a more robust implementation of its program so that the measures were more quickly in place at each AR Practice and the majority of the AR network was confirmed as operating pursuant to such cybersecurity and cyber resilience measures earlier than 6 August 2021 [24].
- since 5 August 2021, has continued to implement the Cyber Resilience Initiative across the AR network [26].
DECISION
In summarising the principles governing settlements Her Honour quoted Gordon J in Australian Competition and Consumer Commission v Coles Supermarkets Australia Pty Ltd [2014] FCA 1405 (ACCC v Coles) relevantly as follows (absent some citations):
[74] The Court has a wide discretionary power to make declarations under s 21 of the Federal Court Act.
[75] Where a declaration is sought with the consent of the parties, the Court’s discretion is not supplanted, but nor will the Court refuse to give effect to terms of settlement by refusing to make orders where they are within the Court’s jurisdiction and are otherwise unobjectionable.
[76] However, before making declarations, three requirements should be satisfied:
(1) The question must be a real and not a hypothetical or theoretical one;
(2) The applicant must have a real interest in raising it; and
(3) There must be a proper contradictor.
Regarding RI Advice and section 912A:
- as the holder of an AFSL, RI Advice is required to comply with the general obligations of a financial services licensee set out in s 912A of the Act including
- pursuant to s 912A(1)(a), to do all things necessary to ensure that the financial services covered by the Licence are provided efficiently, honestly and fairly; and
- pursuant to s 912A(1)(h), to have adequate risk management systems [27].
- given the broad standards prescribed by ss 912A(1)(a) and (h) of the Act and the facts, RI Advice admitted that it was required to:
- identify the risks that the ARs faced including in relation to cybersecurity and cyber resilience; and
- have documentation, controls and risk management systems in place that were adequate to manage risk in respect of cybersecurity and cyber resilience across the AR network [28].
The parties agreed on the following relevant principles:
- the phrase “efficiently, honestly and fairly” is to be read compendiously rather than as containing three discrete behavioural norms;
- conduct may fail to meet the statutory definition even if it cannot be described as dishonest;
- a breach of the standard is not limited to conduct that is “morally wrong in the commercial sense”;
- acts or omissions can breach the statutory standard by reason of a failure by the licensee to act “efficiently and fairly”, without there being a need also to prove a failure to act honestly;
- a contravention of the “efficiently, honestly and fairly” standard does not require a contravention or breach of a separately existing legal duty or obligation, whether statutory, fiduciary, common law or otherwise. The statutory standard itself is the source of the obligation;
- the words “efficiently, honestly and fairly” indicate that, amongst other things, the services are to be provided with “competence” in complying with relevant statutory obligations;
- the provision is part of the statute’s legislative policy to require adherence to social and commercial norms or standards of behaviour;
- the boundaries and content of the relevant normative standard in any given case will be a matter for the Court to determine;
- the requirement of “efficiency” requires that the licensee is “adequate in performance, produces the desired effect, is capable, competent and adequate”;
- the obligation on a licensee under s 912A(1)(a) to ensure that the financial services provided on its behalf are provided “efficiently” imports a standard of reasonableness into the obligation [30].
The issues not agreed were:
“social and commercial norms”
RI Advice submitted that:
- there is no basis for a finding that “social and commercial norms” require any particular standard, or any particular system, for cyber risk management [33].
- even if “social and commercial norms” were capable of having such application in this case, the Statement of Agreed Facts does not:
(a) identify any relevant standard; or
(b) identify any basis on which any such standard could apply.
- when defining the standard of conduct that s 912A(1)(a) imposes, it is an obligation in respect of “social and commercial norms or standards of behaviour”.
Her Honour responded by citing with approval Westpac Securities regarding the purpose of s 912A(1)(a) & “social and commercial norms or standards of behaviour”:
The provision is part of the statute’s legislative policy to require social and commercial norms or standards of behaviour to be adhered to. The rule in the section is directed to a social and commercial norm, expressed as an abstraction, but nevertheless an abstraction to be directed to the “infinite variety of human conduct revealed by the evidence in one case after another”. By the phrase itself, emphasis must be given to substance over form and the essential over the inessential in a process of characterisation by reference to the stated norm. Care needs to be taken that phrases used by judges in individual cases, in which they explain and articulate their views as to the success or failure in satisfying the norm in s 912A(1)(a), do not become rules to apply as defaults for the proper process of characterisation by reference to the words used by Parliament as to whether a body of conduct satisfied or failed to satisfy the norm.
Her Honour found there was no requirement in this case to determine the appropriateness of the “social and commercial norms” language [40].
public expectations
The Court stated that:
- cyber risks, an adequate response to such risks and building cyber-resilience require appropriate assessment of the risks faced by a business in respect of its operations and IT environment;
- cyber risk management is a highly technical area of expertise requiring the technical expertise of a relevantly skilled person [46];
- cyber risk management is not an area where the relevant standard is to be assessed by reference to public expectation;
- the adequacy of risk management must be informed by people with technical expertise in the area [47];
- some conduct may be appropriate to assess through a public expectation lens; however
- in a technical area such as cybersecurity risk management, the reasonable standard of performance is to be assessed by reference to the reasonable person qualified in that area, and likely the subject of expert evidence before the Court, not the expectations of the general public [49].
Section 912A(1)(h)
As a preliminary consideration the Court stated that:
- Section 912A(1)(h) of the Act requires the licensee to have “adequate risk management systems” [53].
- the notion of “adequacy” imports a normative standard of conduct against which the licensee’s performance can be judged [54].
- the particular focus of this provision is on “risk management systems”;
- in the context of RI Advice, whose business is conducted on its behalf through its Authorised Representatives, this necessarily places the focus on the risks to Authorised Representatives, and the necessity for RI Advice to have “adequate” systems to manage those risks [54].
- the assessment of “adequate risk management systems”, for cyber risk management, requires consideration of the risks faced by a business in respect of its operations and IT environment.
- as cyber risk management is a highly technical area the Court’s assessment of the adequacy of any particular set of cyber risk management systems will likely be informed by evidence from relevantly qualified experts in the field [55].
- cyberspace and cyber-attacks concern digital or computer technology or networks, and involve attacks directed at computers, computer systems or other information communication technologies.
- cybersecurity is the ability of an organisation to protect and defend the use of cyberspace from attacks.
- cyber resilience is the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber sources [57].
- risks relating to cybersecurity and the controls that can be deployed to address such risks evolve over time.
- as financial services are increasingly conducted using digital and computer technology, cybersecurity risk has also increased.
- cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services.
- it is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level [58].
- the AR Practices as providers of financial services were potential targets for cyber related attacks and cybercrime by malicious actors targeting Personal Information. That risk increased over time.
In relation to RI Advice’s conduct the Court noted that it:
- admitted that until 15 May 2018, it did not have documentation, controls and risk management systems that were adequate to manage risk in respect of cybersecurity across its AR network [62].
- acknowledged that it took too long to improve cybersecurity and cyber resilience for the ARs across its AR Practices.
- accepted that it should have had a more robust implementation of its program so that the measures were more quickly in place at each of the AR Practices and the majority of the AR network was confirmed as operating pursuant to such cybersecurity and resilience measures earlier than 6 August 2021 [64].
- had improved its cybersecurity and operations in that:
- since September 2018, RI Advice had engaged two external cybersecurity organisations to:
- review cybersecurity in a sample of AR Practices,
- identify key best practice measures for RI Advice and its ARs, and
- monitor implementation of those measures [60]; and
- the Cyber Resilience Initiative, designed by IOOF and implemented across 2020 and 2021 directly with the AR Practices, implemented the majority of all of the 11 best practices in the RI Advice Cyber Security Support Guide, to a good level [53].
Having regard to the above principles her Honour considered that the declarations regarding breaches of ss 912A(1)(a) and (h) are appropriate [61] and found that:
- from 15 May 2018 to 5 August 2021, RI Advice contravened s 912A(1)(a) of the Act in that it failed to do all things necessary to ensure that the financial services covered by its Licence were provided efficiently and fairly, by failing to ensure that adequate cybersecurity measures were in place and/or adequately implemented across its Authorised Representatives [65].
- from 15 May 2018 to 5 August 2021, RI Advice contravened s 912A(1)(h) of the Act in that it failed to have adequate risk management systems, by failing to implement adequate cybersecurity and cyber resilience measures and exposing its Authorised Representatives’ clients to an unacceptable level of risk [66].
Declaratory relief
Regarding the power of the Court to order declaratory relief, Her Honour stated that:
- Section 21 of the Federal Court of Australia Act 1976 (Cth) provides that, in civil proceedings in relation to a matter in which it has original jurisdiction, the Court may “make binding declarations of right, whether or not any consequential relief is or could be claimed”. That included declarations of contravention of provisions of the Act that are not civil penalty provisions.
- section 1101B(1) of the Act provides an alternate basis on which to make declarations of admitted contraventions of s 912A(1) of the Act [67].
- the Court has a wide discretionary power to make declarations bounded only by the limits of federal judicial power and the need to act judicially [68].
The court made the proposed declarations because:
- RI Advice’s admissions to the contravening conduct are set out in the SAFA [75];
- the questions raised by the declarations are real and not hypothetical or theoretical [76].
- ASIC has a real interest in raising the questions that are to be the subject of the declarations where the declarations may clarify to licensees that the relevant provisions of the Act also apply to the area of the management of risks in respect of cybersecurity [77].
- they serve to record the Court’s disapproval of the contravening conduct,
- they will assist ASIC to carry out its duties, and will deter other persons and entities from contravening the provisions as a result of similar conduct or omissions [77].
- the proceeding involves a matter of public interest, because it relates to contraventions of provisions of the Act that are primarily concerned with the protection of the public, and in particular the protection of consumers of financial services who may provide sensitive and/or confidential information to a financial services licensee or its Authorised Representatives [78].
Orders under s 1101B of the Act
The court noted that:
- forward-looking compliance orders under s 1101B are aimed at ensuring specific deterrence in guarding against the possibility of the contravening conduct happening again [84].
- the Court has power under s 1101B(1) to order the establishment of a compliance program including the appointment of an external expert [86].
The Court made the proposed compliance orders because:
- given that the inadequacies in its risk management systems regarding cybersecurity and cyber resilience meant that the ARs’ clients faced an unacceptable level of risk up to 5 August 2021, it was appropriate that an external expert assess the adequacy of RI Advice’s current documentation and controls in respect of cybersecurity and cyber resilience and assess whether any further measures are required [88].
- RI Advice continued after 5 August 2021 to implement the Cyber Resilience Initiative across the AR network, and it was appropriate that orders be made for the appointment of an external cybersecurity expert [89].
- the fact that RI Advice made improvements and extensions to its existing cybersecurity risk management systems in the period from 15 May 2018 to 5 August 2021 does not remove the need for an external expert to now assess the adequacy of its cybersecurity risk management systems [90].
- the purpose of the compliance program is tied directly to the conduct that is the subject of the declarations — that is, any documentation and controls in respect of cybersecurity and cyber resilience which are necessary for RI Advice to implement to adequately manage risk in respect of cybersecurity and cyber resilience across its AR network [91].
- the orders are framed at an appropriate level of detail and the identification of any further measures is to be performed by the external expert; and
- the timeframe in which any further measures are to be implemented is not prescribed, but the earliest reasonably practicable date is to be agreed between RI Advice and the external expert once any further measures have been identified [92].
The Court made the following orders:
PURSUANT TO SECTION 21 OF THE FEDERAL COURT ACT AND SECTION 1101B OF THE CORPORATIONS ACT, THE COURT DECLARES THAT:
2. RI Advice contravened ss 912A(1)(a) and (h) of the Corporations Act from 15 May 2018 to 5 August 2021 as a result of its failure to have documentation and controls in respect of cybersecurity and cyber resilience in place that were adequate to manage risk in respect of cybersecurity and cyber resilience across its AR network, and as a result of this conduct, it:
(a) failed to do all things necessary to ensure the financial services covered by the Licence were provided efficiently and fairly, in contravention of s 912A(1)(a) of the Corporations Act; and
(b) failed to have adequate risk management systems, in contravention of s 912A(1)(h) of the Corporations Act.
AND THE COURT ORDERS THAT:
3. Pursuant to s 1101B of the Corporations Act:
(a) RI Advice must engage Security in Depth (or such other cybersecurity expert as agreed between RI Advice and ASIC), to identify what, if any, further documentation and controls in respect of cybersecurity and cyber resilience are necessary for RI Advice to implement to adequately manage risk in respect of cybersecurity and cyber resilience across its AR network (Further Measures);
(b) If as a result of the engagement referred to in paragraph 3(a), Further Measures are identified, RI Advice must in consultation with Security in Depth, agree upon the earliest reasonably practicable date by which RI Advice will implement the Further Measures (Agreed Date);
(c) Within 30 days of the completion of the steps in paragraph 3(a), and if required paragraph 3(b), RI Advice must provide ASIC with a written report from Security in Depth, reporting as to whether Further Measures are required to be implemented, and if so, what the Further Measures are and the Agreed Date;
(d) RI Advice must commence implementing the Further Measures by no later than 90 days from the engagement referred to in paragraph 3(a) and complete implementation by the Agreed Date; and
(e) RI Advice must provide ASIC with a written report from Security in Depth, within 30 days after the Agreed Date reporting on the outcome of the implementation of the Further Measures, including whether, and to what extent, the Further Measures have been fully and appropriately implemented.
4. The engagement of Security in Depth referred to in paragraph 3(a) is to commence by no later than 1 month from the date of these Orders and RI Advice must provide Security in Depth with a copy of these orders prior to the commencement of the engagement.
5. The costs of Security in Depth and the implementation of any Further Measures are to be paid by RI Advice.
OTHER ORDERS
6. RI Advice pay a contribution to the plaintiff’s costs of the proceeding fixed in the amount of $750,000.
7. The proceeding against the defendant is otherwise dismissed.
ISSUE
The judgment is very significant because it is the first decision in which a failure to maintain proper cyber security has been found to contravene section 912A of the Corporations Act 2001. It has been described as a “watershed” judgment.
The decision makes clear that a failure to provide proper cyber security is a failure of corporate governance. That is a very positive development. It also makes clear to companies that regulators are prepared to litigate on the issue of data security. It is good that ASIC has expressed a willingness to do so. The regulator that should be litigating on breaches of the Privacy Act 1988, which include data breaches, is the Information Commissioner, yet it has not done so even after it was given powers to bring civil penalty proceedings in 2014. Just as nature abhors a vacuum, if one regulator fails to deal with breaches of the law another regulator may step in if able. ASIC and the ACCC have both signalled an interest in regulating in this area.
There are curious, and in some ways disappointing, aspects to the decision. The first is that there was a “no penalty” outcome. No doubt RI Advice is pleased with that result. Why ASIC would agree to such an outcome is less clear. ASIC has not specified why it did not require some form of penalty or decide to press on and seek penalties at trial. ASIC had sought in its pleadings penalties against RI Advice under the new civil penalty regime. The breaches were serious, the period within which 9 separate incidents occurred was reasonably lengthy and the poor response until the eleventh hour deserving of censure. In the United States the Federal Trade Commission would have imposed a significant penalty. In the United Kingdom the Information Commissioner would have imposed a monetary penalty of at least tens of thousands of pounds. It is difficult to comment further without knowing the state of the evidence.
The decision went into some detail about the steps taken by RI Advice to remedy its poor state of data security, with the court noting “..the historical issues were addressed by the significant improvements ..to its existing cybersecurity risk management systems …to monitor and audit compliance with the cybersecurity requirements …engaging multiple external advisory firms to investigate past failures and review cybersecurity practices.” Given that penalty was not in issue, how relevant those factors are is not clear. Remedying inadequate data security is the proper response by any organisation to a data breach. It is what RI Advice should have done. No more, no less. Put another way, if it had not done those things, that would be evidence of a continuing failure. In the United States and the United Kingdom the fact that malefactors have taken steps to rectify problems has not influenced the regulators to stay their hands in imposing penalties. The issue, seen correctly, is the failure, not the remediation effort. Late remediation efforts notwithstanding, RI Advice was subject to repeated data breaches, in a variety of ways, but did nothing of note to address the earlier breaches, thereby permitting the later ones.
The Judge’s comment that it is “not possible to reduce cybersecurity risk to zero” is otiose. In what form of human activity generally, and business in particular, can risks be reduced to zero? For example, a company being subject to fraud or suffering misbehaviour by staff or agents are constant risks that can never be fully removed. Companies which have been the subject of data breaches, and which are commonly reluctant to remedy and slow to respond, often comment that data breaches are a reality, that it is a matter of “when not if”, etc. Commentary about the likelihood of data breaches finds very little favour in overseas jurisprudence, for both good practical and legal reasons. The practical reason is that companies which suffer data breaches and are prosecuted invariably have no basis for making such a claim: their cyber security and privacy protections are so inadequate that the claim is meaningless. In legal terms the consideration is whether the company complied with its obligations, objectively measured against accepted practice and standards (such as ISO standards, NIST guidelines or the regulator’s guidelines), not the later frenzied remediation efforts.
What is now clear is that licensees are required to identify cyber security risks and manage them under section 912A. That includes managing those risks through the businesses of a company’s authorised representatives or agents.
The decision also highlights the importance of establishing proper processes, protocols and controls to implement and keep up to date with proper cyber security practices. That also encompasses monitoring and auditing.
While cybersecurity risks must be managed “adequately”, what is meant by “adequacy” under section 912A is for the Court to decide depending on the facts, and probably in reliance on evidence from relevantly qualified experts. The Court was at pains to stress that cyber risk management is a highly technical area of expertise. That is true up to a point. Less technical issues are often as important, such as training staff and having proper administrative systems in place to keep up to date and respond to breaches. To that extent the Court’s comment that the adequacy of “..any particular set of cyber risk management systems..” must involve the “..technical expertise of a relevantly skilled person..” is perhaps focusing on one rather than the totality of the relevant issues. That is understandable given the pleadings focused on cyber security. It is an obiter comment.
The orders made by the court are not particularly onerous both in terms of obligations and time period. RI Advice should regard this as something of a win, even if it is an expensive one. That is particularly so when compared to orders made by the Federal Trade Commission in the United States in an equivalent case. The FTC commonly imposes detailed requirements in its orders, including reporting on compliance over a ten or twenty year period. The approach taken to date in Australia, including enforceable undertakings imposed by the Australian Information Commissioner, is far less onerous than that imposed by US, UK and European regulators.
Other matters worth considering are that:
- cases will be heavily fact-dependent. That may seem trite however there are many forms of data breaches and the damage inflicted varies widely.
- a data breach may require consideration of a range of obligations under financial services, security of critical infrastructure laws and prudential requirements.
- a data breach will, upon investigation, often reveal a history of poor practices. Overseas experience shows that one incident that triggers an investigation by a regulator can end up being the least egregious breach. Companies with poor cyber security practices often have systems and processes which, if they exist at all, are not updated and properly maintained so are unable to meet evolving threats and identify likely risks.
- there needs to be proper investment in systems, training and protocols. This makes good economic sense given that the costs of defending a proceeding brought by a regulator are significant. RI Advice agreed to pay ASIC’s legal fees of $750,000. The fees it incurred in defending the proceeding would have been, conservatively, at least that. And then there would have been the premium paid in having experts working to fix, in a very short time, problems accumulated over a long period.
- developing risk management strategies has to be a regular agenda item of companies which hold personal information.
- any proper data security strategy should not focus on cyber security only. Data breaches can arise in other ways, including insider misuse of information, or documents removed from premises on USB sticks and then lost. It is a mistake to assume that data breaches only occur in the cyber realm.
- properly responding to one data breach will avoid many others occurring in the future. RI Advice was hit by repeated attacks. Its initial response to the identified breaches was woeful.
- it is reasonable to assume that there will be an increased regulatory focus on cyber security.
- there is a risk of class actions by shareholders or customers for inadequate cyber measures.
- it is better to have a legal team involved early, preferably before a data breach, to ensure there has been proper compliance. That should involve, at some point, legal and IT teams working together.
- reputational damage is common with highly publicised data breaches. In relation to this case that involved ZDNet’s Federal Court finds RI Advice failed to manage cybersecurity risks in landmark decision, iTnews with Federal Court puts cyber security onus on financial services firms and the Australian Financial Review with Insignia wealth firm failed to fend off cybercrime, court finds.
ASIC issued a detailed press release providing:
22-104MR Court finds RI Advice failed to adequately manage cybersecurity risks
In an Australian first, the Federal Court has found Australian Financial Services licensee, RI Advice, breached its license obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks.
The finding comes after a significant number of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020. In one of the incidents, an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons.
ASIC Deputy Chair Sarah Court said ‘These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information. It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.
‘ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment,’ concluded Ms Court.
RI Advice has taken steps to address cybersecurity risk across its authorised representative network. In addition to the declaration of contravention, the Court ordered RI Advice to engage a cybersecurity expert to identify and implement what, if any, further measures are necessary to adequately manage cybersecurity risks across RI Advice’s authorised representative network.
When handing down judgment, Her Honour Justice Rofe made clear that cybersecurity should be front of mind for all licensees, stating, ‘Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.’
Her Honour further stated that the declarations ordered in the matter should serve to record the Court’s disapproval of the conduct and should deter other Australian Financial Services licensees from engaging in similar conduct.
RI Advice has been ordered to pay $750,000 towards ASIC’s costs.
The orders were made by consent after ASIC and RI Advice agreed to resolve the proceedings.
Background
Since 13 March 2019, reforms introduced as a result of the Financial Services Royal Commission mean that a failure to comply with certain AFS licensing obligations, including obligations relating to how cyber risks are addressed, may give rise to a civil penalty. The majority of the cyber incidents in this case occurred before the reforms were introduced.
RI Advice provides financial services under a third-party business owner model whereby its authorised representatives provide financial services to retail clients. Since 15 May 2018, RI Advice has had between about 89 and 119 Authorised Representative Practices.
Until 1 October 2018, RI Advice was a wholly owned subsidiary of Australia and New Zealand Banking Group Limited (ANZ). On 1 October 2018, RI became a wholly owned subsidiary of IOOF Holdings Limited (IOOF), now known as Insignia Financial.
Peter, this blog is wonderful, I really enjoyed it. Very easy to understand and interesting to read. Very nice work.