The Australian Securities and Investment Commission announced yesterday that it was suing FIIG Securities for “systemic and prolonged cyber security failures” from March 2019 until 8 June 2023. As a result hackers entered FIIG’s IT system and stole personal information which was released onto the dark web. ASIC specifically referred to the Federal Court decision of Australian Securities and Investments Commission v RI Advice Group Pty Ltd (No 3) [2022] FCA 84. This was the first case where the failure to manage cyber risk was found to be a breach of its financial services obligations. That case was settled with the proposed parties proposing consent orders containing declarations and consequential orders. Given the nature of the repeated breaches RI Advices legal representatives negotiated quite a favourable outcome notwithstanding orders were made against their client. In the United States or the UK the penalties would have been much more severe.

Helpfully ASIC has provided a concise statement of facts and the Orginating Process.  From that ASIC alleges that between 13 March 2019 and 8 June 2023, FIIG did not comply with its AFSL obligations under sections 912A(1) of the Corporations Act 2001 (Cth) to:

1. do all things necessary to ensure that financial services were provided efficiently, honestly and fairly (s 912A(1)(a)), by failing to have in place adequate measures to protect its clients from the risks and consequences of a cyber incident;
2. have available adequate resources (including financial, technological, and human resources) to, amongst other things, ensure that it had in place adequate cyber security measures required by its licence (s 912A(1)(d)); and
3. have in place a risk management system that adequately identified and evaluated the risks faced by FIIG and its clients; adopt controls adequate to manage or mitigate those risks to a reasonable level; and implement those controls (s 912A(1)(h)).

ASIC alleges that FIIG failed to have the following cybersecurity measures:

• Planning and training: here was no cyber incident plan communicated and accessible to employees which is tested at least annually, and mandatory cyber security training (at commencement of employment and annually);
• Access restrictions:
  • there were no proper management of privileged access to accounts, including non required access being revoked, and greater protections for privileged accounts; and
  • configuration of group policies to disable legacy and insecure authentication protocols;
• Technical monitoring, detection, patches and updates: there was a failure to have or inadequate
  
  • vulnerability scanning, involving tools deployed across networks and endpoints, and processes run at least quarterly with results reviewed and actions taken to address vulnerabilities;
  • next-generation firewalls (including rules preventing endpoints from accessing file transfer protocol services);
  • endpoint detection and response software on all endpoints and servers, with automatic updates and daily monitoring by a sufficiently skilled person;
  • patching and software update plans (with critical or high importance patches applied within 1 month of release, and 3 months for all others), and a practice of updating all operating systems, with compensating controls to systems incapable of patching or updates; and
  • security incident event management software configured to collect and consolidate security information across all of FIIG’s systems with appropriate analysis of the same (daily monitoring);
• Testing: there was a lack of
  • processes to review and evaluate efficacy of technical controls at least quarterly; and
  • penetration and vulnerability tests from internal and external points.

Read the rest of this entry »

In Re J Build Developments Pty Ltd [2022] VSC 434 Hetyey AsJ set aside a statutory demand on the basis that there was a genuine dispute in the context of a notice being issued under the Building and Construction Industry Security of Payment Act 2002.

FACTS

The facts in applications to set aside statutory demand relating to construction contracts and building works invariably have complicated and involved factual issues.  This case is no exception.

On 26 June 2020, J Build entered into a $2.9 million building contract with Abboud Corporates Pty Ltd to construct three double-storey residential dwellings at 10 Glyndon Road, Camberwell, Victoria (‘the head contract’ and ‘the property’, respectively) [2].

AES is a mechanical and electrical services provider specialising in heating, ventilation, air conditioning and associated electrical work [2].

On or about 24 February 2020, Jamiel Daou (“Daou”),  a director of J Build, texted Wright, the sole director of AES, asking for  a quotation  for the supply and installation of ducted heating and cooling air-conditioning systems in each of the units at the property (‘the sub-contracting works’).  There was a subsquent telephone conversation between the two the contents of which are in contention.

On 5 March 2020, AES provided JB Build with a quotatio of $88,002.64 inclusive of GST.

Prior to 22 October 2020, JB Build requested that revisions be made to the quotation. On 22 October 2020, AES issued a second quotation for $101,507.09 (inclusive of GST) [6].

On or around 27 October 2020, the parties discussed a further variation which would provide a cost saving to the plaintiff of between $5,000 and $6,000 and reduce the contract price contained in the second quotation [7]. On 28 October 2020, Wright emailed Daou requested confirmation of the revised second quotation with Daou responding via email  with the word ‘[a]pproved’ [8].

On 31 October 2021, AES issued an invoice for $16,874.55 (inclusive of GST) regarding work performed between 28 October 2020 and 31 October 2020,  payable by 14 November 2020 but paid on 7 December 2020 [10].

Wright and Daou  had a site meeting at the property on or around 5 February 2021 where they discussed the need for further variations to AES’ scope of work [11]. AES issued J Build with a further revised quotation on 14 May 2021, documenting additional proposed revisions to the scope of work and increasing the contract price to $109,047.31 (inclusive of GST) (‘the third quotation’). A signed acceptance of the third quotation was returned to AES via email later that day [12].  AES rendered an invoice in the sum of $81,504.61 (inclusive of GST) (‘the second invoice’)  to J Build by email on 14 On 31 May 2021. AES required payment by 30 June 2021. J Build didn’t pay by this date and in or around July 2021, AES stopped work [13]. J Build paid AES $41,504.61 on 22 July 2021 and $5,000 on 20 September 2021 [15], leaving $35,000 owing in respect of the second invoice.

On 4 October 2021, AES served a notice under s 18(2) of the Building and Construction Industry Security of Payment Act 2002 (Vic) (‘the SOP Act’) on J Build,   J Build responded the next day by sending AES a payment schedule informing AES that it proposed paying nil in respect of the second invoice on the basis that works had not been completed. No adjudication application was ultimately pursued by AES [16].

On 14 October 2021 AES instructed its solicitors to issue and serve the statutory demand claiming the  $35,000 as ‘monies due and owing pursuant to [AES’] tax invoice no 6394 dated 31 May 2021,’ which refers to the second invoice. The statutory demand did not annex a copy of the second invoice [17].

J Build commenced this application  on 3 November 2021 [18].

The defendant contended that:

• the second invoice referred to in the statutory demand constitutes a ‘payment claim’ within the meaning of s 14 of the SOP Act which was not effectively challenged by way of a ‘payment schedule’ served within time and is therefore due and payable by force of statute and beyond challenge.
• J Build was precluded from contending the existence of any genuine dispute about the subject of the statutory demand in this proceeding.

DECISION

The court, at [21],defined the issues for determination as:

(a) is there a genuine dispute under s 459H(1)(a) of the Act that the defendant’s invoice the subject of the demand (ie the second invoice) is a ‘payment claim’ which satisfies the requirements of s 14 of the SOP Act? In particular, is there a genuine dispute whether: Read the rest of this entry »

In Re Australian Builders Group Pty Ltd [2022] VSC 254 the Supreme Court, per Hetyey AsJ, set aside a statutory demand based on a genuine dispute based on the construction of an agreement and default notice but also by a claim of duress.

FACTS

On or around 1 June 2017 Mind, a not-for-profit organisation providing community-managed specialist mental health services entered into an agreement with Australian Win Win Investment Pty Ltd (‘the landlord’) to lease a property located at 691 High Street, Thornbury, Victoria (‘the property’ and ‘the lease’ respectively) for an amount of $130,000 per annum (approximately $10,833.33 per calendar month) [1].

In early May 2018, Mind and ABG entered into a sublease agreement for the property (‘the sublease’). The parties to the sublease agreed that ABG would pay a reduced amount of rent of $121,000 per annum (approximately $10,083.33 per calendar month) [2].

From February 2019, ABG began to fall into arrears & by 15 April 2021, it owed Mind approximately eight months’ rent, totalling $82,279.92 (‘the arrears’). Pursuant to a repayment deed, ABG agreed to make regular payments of the arrears of $2,500 plus GST, together with interest, per week.

Regarding the repayment Read the rest of this entry »

The Federal Court, per Halley J, set aside a statutory demand in CBS Commercial Canberra Pty Ltd v Axis Commercial (ACT) Pty Ltd, in the matter of CBS Commercial Canberra Pty Ltd [2022] FCA 544 in finding that an offsetting claim constitutes a genuine dispute. It is a very good decision setting out the complications of offsetting claims arising from building contracts relied upon in setting aside a statutory demand which is based on a certificate and judgment obtained under the Security of Payments Act.

FACTS

CBS engaged Axis as a sub-contractor to undertake work at a building site located in Gungahlin in the Australian Capital Territory [12].

The chronological events Read the rest of this entry »

The Federal Court, per Rolfe J, in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 made what has widely been described as a first occasion a corporation has been found to have breached its licence obligations in failing to have adequate risk management systems to manage its cyber security risks. The Court ordered declaratory relief requiring RI Advice to undertake work to improve its security under the supervision of an expert.  

The orders were made in terms agreed between the parties just before the trial was scheduled to commence.

I have followed this proceeding closely with posts ASIC commences action against RI Advice Group Pty Ltd for failing to have adequate cyber security in August 2020 and ASIC v RI Advice Group Pty Ltd cyber security civil penalty trial pushed off from a 29 November 2021 hearing date to a date in April 2022 in May 2021,

FACTS

The Court provided a factual background about stating that RI Advice :

• was:
  • a wholly-owned subsidiary of Australia and New Zealand Banking Group Limited (ANZ). RI Advice up to and including September 2018;
  • from 1 October 2018, along with two other ANZ financial licensees, part of the IOOF Holdings Limited (IOOF) group of companies [12]
• carries on a financial services business within the meaning of s 761A of the Corporations Act Act (“The Act”) under a third-party business owner model.
• authorises Under s 916A of the Act, RI Advice independently-owned corporate authorised representatives (“ARs”) and individual authorised representatives to provide financial services to retail clients on RI Advice’s behalf and pursuant to the Licence [13]

The AR Practices (practices of groups of one or more Authorised Representatives):

• electronically received, stored and accessed  confidential and sensitive personal information and documents in relation to their retail clients. The personal information included:

(a) personal details, including full names, addresses and dates of birth and in some instances health information;(b) contact information, including contact phone numbers and email addresses; and

(c) copies of documents such as driver’s licences, passports and other financial information [14].

• since 15 May 2018 provided financial services to at least 60,000 retail clients [15]
• had 9 cybersecurity incidents between June 2014 and May 2020, being:
  • in June 2014 an AR’s email account was hacked and five clients received a fraudulent email urging the transfer of funds, one of whommade transfers totalling some $50,000;
  • in June 2015 a third-party website provider engaged by an AR Practice was hacked, resulting in a fake home page being placed on the AR Practice’s website;
  • in September 2016 one client received a fraudulent email purporting to be an employee of an AR Practice asked for money. The AR Practice used an email platform where information was stored “in the Cloud”, with was no anti-virus software and only one password which everyone used.
  • in January 2017 an AR Practice’s main reception computer was subject to ransomware delivered by email, making certain files inaccessible;
  • in May 2017 an AR Practice’s server was hacked by brute force through a remote access port, resulting in file containing the personal information of some 220 clients being held for ransom and ultimately not recoverable;
  • between December 2017 and April 2018 (December 2017 Incident) an unknown malicious agent gained unauthorised access to an AR Practice’s server for several months  compromising the personal information of several thousand clients, some of whom reported unauthorised use of the personal information;
  • in May 2018 an unknown person gained unauthorised access to the email address of an AR and sent a fraudulent email to the AR’s bookkeeper requesting a bank transfer;
  • an unauthorised person used an AR Practice’s employee’s email address:
    • in August 2019 to send phishing emails to over 150 clients ; and
    • in April 2020 to send phishing emails to the AR Practice’s contacts [16].

Inquiries and reports following the cybersecurity incidents revealed thatthere were a variety of issues in the respective ARs’ management of cybersecurity risk, including:

• computer systems not having up-to-date antivirus software installed and operating;
• no filtering or quarantining of emails;
• no backup systems in place, or backups not being performed; and
• poor password practices including:
  • sharing of passwords between employees,
  • use of default passwords,
  • passwords and other security details being held in easily accessible places or being known by third parties [17].

Regarding the incidents Read the rest of this entry »

Justice Riordan considered an appeal against an order for security for costs in In the matter of Credit Clear Limited [2022] VSC 206.  The appellants were unsuccessful across the board. 

FACTS

By originating process filed 15 July 2020, the plaintiffs made an application under:

(a) sections 175, 232, 233, 461(1)(k), 1041H(1), 1324(1) and 1325 of the Corporations Act 2001 (Cth) (‘the Act’);

(b) sections 12DA and 12GM of the Australian Securities and Investments Commission Act 2001(Cth) (‘the ASIC Act’);

(c) Sections 237 and 243 of the Australian Consumer Law, being Schedule 2 of the Competition and Consumer Act 2020 (Cth) (‘ACL’); and

(d) the inherent jurisdiction of the Court [2].

The plaintiffs sought the following substantive relief in their points of claim [4]:

(a) The first plaintiff (‘Mr McKendrick’) sought to be reinstated as a director of the first respondent (‘Credit Clear’).

(b) The appellant sought the following relief:

B. Declarations and or orders under s 1325 of the Act, alternatively s 233(1)(c) and or (j) of the Act, s 12GM of the ASIC Act and or ss 237 and 243 of the ACL, that the Separation Agreement dated 11 November 2016 and Intellectual Property Assignment Agreement dated 11 November 2016 (by which the plaintiffs were forced to give up their interests in the first defendant together with the intellectual property rights owned by the first plaintiff) are void on the grounds they were procured under duress, undue influence, unconscionable conduct and or misleading and deceptive conduct in contravention of 1041H(1) of the Act, s 12DA of the ASIC Act and or s 18 of the ACL;

C. A declaration that the second plaintiff is entitled to hold 20% of the issued ordinary shares in the first defendant;

D. Rectification of the share register of the first defendant pursuant to s 175 of the Act to reinstate the second plaintiff as a member and to record that it holds a number of fully paid ordinary shares representing 20% of issued shares in the first defendant alternatively that it holds 6,805,555 fully paid ordinary shares in the first defendant;

E. A declaration that the affairs of the first defendant are being conducted contrary to the interests of the members as a whole and or are oppressive to, or unfairly prejudicial to, or unfairly discriminatory against the second plaintiff, or in the interests of and to the benefit of the second to third defendants and not the first defendant or its members;

F. An order that the second and or third defendants purchase the second plaintiff’s shareholding in the first defendant at fair value; Read the rest of this entry »

In Bioaction Pty Ltd v Ogborne, in the matter of Bioaction Pty Ltd [2022] FCA 436 the Federal Court considered, for the first time by the courts, the deeming provisions of sections 105A and 105B of the Corporations Act regarding service applications to set aside a statutory demand within the 21 day time limit,.  

FACTS

By originating process filed on 3 February 2022, the plaintiff, Bioaction Pty Ltd, sought an order setting aside a statutory demand pursuant to s 459G of the Corporations Act dated 12 January 2022 served by the defendant, Gordon Ogborne (“Ogborne”) [5].

Bioaction  specialises in the design, manufacturing and installation of systems to eliminate or mitigate odorous, hazardous and corrosive gases & Ogborne was its Chief Financial Officer / Chief Operating Officer from December 2019 until November 2021, when he was made redundant [7].

Ogborne and Bioaction were in dispute as to his entitlements where Ogborne claimed he was entitled to any additional sum [8].

On 13 January 2022, Ogborne served the statutory demand on Bioaction seeking payment of $240,688.31 being unpaid:

• salary,
• superannuation,
• salary in lieu of termination,
• annual leave and
• redundancy

pursuant to an employment contract [9].

The statutory demand was Read the rest of this entry »

The postscript to Re Slodyczka & Farren Pty Ltd [2022] VSC 102 is a decision by Associate Justice Hetyey regarding costs of the application. 

FACTS

in the substantive judgment  the plaintiff’s application to wind up the defendant in insolvency was dismissed.

The relevant facts for the purpose of considering a costs order were:

• whilst the matter was commenced by originating process filed on 11 April 2021, there were delays and adjournments [2] resulted in two previous costs orders being made being:
  • on 7 July 2021, consent orders were made which, among other things, required the plaintiff to pay the defendant’s costs thrown away by reason of an adjournment of the hearing originally scheduled that day (‘the first costs order’).
  • at the next hearing date, on 27 July 2021, it was adjourned at the request of the defendant to enable it to put on supplementary material on the question of solvency, including audited accounts for the 2019/2020 and 2020/2021 financial years. The plaintiff’s costs of the hearing be reserved (‘the second costs order’).

The defendant opposed the winding up application on the following alternative bases [4]:

(a) service of the plaintiff’s statutory demand dated 3 February 2021 (‘the statutory demand’ or ‘the demand’) was defective;

(b) the defendant was solvent and could displace the statutory presumption of insolvency;

(c) the defendant should be given leave pursuant to s 459S of the Corporations Act2001 (Cth) (‘theCorporations Act’) to oppose the winding up application on a ground or grounds it could have relied on for the purpose of an application to set the demand aside. The grounds sought to be raised were: (i) there was a genuine dispute about the amount of the debt claimed in the statutory demand in accordance with s 459H(1)(a); (ii) the defendant had an offsetting claim for the purpose of s 459H(1)(b) of the Corporations Act; and (iii) the demand was defective and a substantial injustice would be caused to the defendant if the demand was not set aside pursuant to s 459J(1)(a) of the Corporations Act; and

(d) pursuant to s 467(1)(a) of the Corporations Act, the Court should dismiss the plaintiff’s application as a matter of discretion.

In the substantive judgment the court held that, [5]:

• the defendant failed to rebut the presumption of service of the statutory demand under s 29(1) of the Acts Interpretation Act 1901 (Cth).
• the defendant succeeded in displacing the statutory presumption of insolvency on the basis that it was cash flow positive and balance sheet solvent. The proceeding was dismissed on this basis.
• the defendant’s application under s 459S of the Corporations Act was not granted because the grounds sought to be raised in respect of the plaintiff’s debt were not material to proving solvency however  had the defendant failed to establish solvency the corut would haveultimately have granted it leave
• the defendant could not to pursue its argument that the Court should dismiss the plaintiff’s application in accordance with the Court’s discretion under s 467(1)(a) of the Corporations Act because of a lack of proper notice to the plaintiff Read the rest of this entry »

Associate Justice Heytey has had a busy start to the year with 2 decisions regarding applications under the Corporations Act 2001; Re Slodyczka & Farren Pty Ltd [2022] VSC 19 and Re Amville Constructions Pty Ltd [2022] VSC 65.  Associate Justice Gardiner considered an application to set aside a statutory demand in Re Wynyard Victoria Pty Ltd [2022] VSC 81.

Re Slodyczka & Farren Pty Ltd [2022] VSC 19

The key issue in this application was whether there was proper service of a statutory demand and whether the presumption of insolvency was rebutted. 

FACTS

Slodyczka & Farren Pty Ltd (‘the defendant’) was first registered on 14 December 2015. In response to the COVID-19 pandemic, it commenced a business in March 2020 for the manufacture and sale of face masks.  Between April 2020 and August 2020, Lion & Horn Pty Ltd (‘the plaintiff’) providing it with marketing services to sell of its masks [1].

In early February 2021, the plaintiff purportedly served the defendant with a statutory demand dated 3 February 2021, which claimed the sum of $36,091.77 in relation to an outstanding invoice dated 28 August 2020 for its marketing services . The defendant did not comply with the demand within the 21-day statutory period.

By originating process filed on 11 April 2021, the plaintiff sought to wind up of the defendant pursuant to ss 459A and 459P of the Corporations Act 2001 (Cth) relying upon the statutory presumption of insolvency contained within s 459C(2)(a) of the Corporations Act.

The Court framed the questions for consideration as being, at [9]:

(a) was service of the statutory demand effective?

(b) is the defendant solvent?

(c) should the Court grant the defendant leave pursuant to s 459S(2) of the Corporations Act to oppose the winding up application on one or more grounds that the defendant could have relied upon in seeking to set aside the demand, but did not so rely? Further, is such a ground material to proving the Company is solvent?; and

(d) should the Court dismiss the plaintiff’s application under s 467(1)(a) of the Corporations Act as a matter of discretion?

DECISION

Service

In reviewing the legislation and legal principles the court Read the rest of this entry »

Today the Federal Treasurer announced an extension of the temporary amendments to the continuous disclosures obligations under the Corporations Act 2001 until 21 March 2021.

This announcement does not come as a particular surprise to insolvency practitioners.

The release Read the rest of this entry »