Cyber security decision signals serious change for Australian corporates

For the first time, the Australian Federal Court has ruled on cyber security risk and cyber resilience in connection with Australian Financial Services Licence (AFSL) conditions, with significant implications for corporates, particularly APRA-regulated entities, using technology and handling personal, sensitive, financial and confidential information.

The decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FAC 496 was handed down on 5 May 2022 and highlights the potential need for financial services and corporate sector businesses to be doing more to continually reduce cyber risk and strengthen security posture.

In her Honour's ruling, Rofe J of the Federal Court of Australia specifically held that:

"Cybersecurity risk forms a significant risk connected with the conduct of business and the provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level."

Key facts

While the particular facts of this case are complex and some issues remain untested, the lessons have wider importance and application. The key facts underlying these lessons include:

• RI Advice suffered nine cyber incidents over seven years, between 2014-2020, including a ransomware attack (Cyber Events);
• in 2018, the business also underwent a change of ownership, from being a wholly-owned subsidiary of ANZ to becoming a part of IOOF Holding Limited, now known as Insignia Financial Ltd (Change of Ownership).

The program of work RI Advice had taken during the Cyber Events and Change of Ownership period, was not insignificant and included:

• training sessions, professional development events and information provided in a weekly newsletter for its authorised representatives (ARs);
• an incident reporting process where cyber incidents would be discussed; and
• contractual obligations between RI Advice and ARs relating to information security, electronic storage, incident notification requirements, fraud procedures and privacy.

The decision

Despite the steps taken by RI Advice, the program of work was found to be inadequate for the purposes of satisfying AFSL conditions, particularly given the existence of the following weaknesses:

• anti-virus software on computers systems had not been updated;
• there was no filtering or quarantining of emails;
• there were no backup systems or backup processes were not being performed;
• there were poor password practices including sharing of passwords between employees.

As such, Rofe J held that RI Advice's measures to manage cybersecurity risk in response to the various Cyber Events and the Change of Ownership following IOOF's acquisition, were deficient and in breach of RI Advice's financial services licence conditions and the Corporations Act 2001 (Cth).

Pursuant to s 1101B of the Corporations Act 2001 (Cth), the Court ordered that RI Advice, at its own cost:

• "must engage" a cyber security expert, to "identify what, if any, further documentation and controls in respect of cybersecurity and cyber resilience are necessary for RI Advice to implement to adequately manage risk in respect of cybersecurity and cyber resilience across its AR network";
• if further measures are required, it must agree with the cyber expert the earliest reasonably practical date by which to implement them;
• report to ASIC on the outcome of the implementation, within 20 days of the agreed date for implementation.

Implications for corporate businesses

The decision has changed the course of cybersecurity in the Australian financial services sector and elevated the role of independent cyber security experts. While this may impact compliance costs in the long term, it should be noted that the available and substantial civic penalties were not issued on this occasion (potentially due to legal technicalities around applicable timeframes). However, both ASIC's action and the Federal court's decision make clear that penalties will almost certainly be invoked in future where timeframe technicalities do not exist.

The cost of effective compliance versus the cost of regulator action, penalties, court costs, additional reporting obligations and negative publicity, is an assessment worth undertaking.

For more insights into the decision's relevance to your organisation or for assistance reviewing your current practices, please contact one of our team members.

Photo by Sigmund on Unsplash