Key takeaways from ASIC's first cybersecurity enforcement action
Australian corporates and financial services businesses are encouraged to review their cybersecurity measures following the Federal Court's first-of-its-kind decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd  FCA 496, in which RI Advice was found to be in breach of financial services licence conditions and the Corporations Act 2001 (Cth) due to inadequate cyber risk measures.
The decision is significant because it is ASIC's first test case on cybersecurity, and also ASIC's first successful enforcement action against an Australian Financial Services Licence (AFSL) holder for cybersecurity failures.
For an introduction to the decision, read our previous insight. Below, read on for a deep dive into the implications and key takeaways of this landmark cybersecurity decision for AFSL holders.
1. Financial services provided "efficiently, honestly and fairly" (section 912A(1)(a) of the Corporations Act)
Firstly, an AFSL holder can contravene the statutory obligation to do all things necessary to ensure that the financial services covered by the licence are provided "efficiently, honestly and fairly" even where there was no lack of honesty. ASIC did not assert, and RI Advice did not admit, that any conduct regarding cybersecurity lacked honesty.
Secondly, the test for the reasonable standard of performance of financial services "efficiently and fairly" under section 912A(1)(a) in a technical area such as cybersecurity risk management is to be assessed by reference to a reasonable person qualified in that area, and the subject of expert evidence before the court, not the expectations of the general public.
2. Adequate risk management systems (section 912A(1)(h) of the Corporations Act)
There does not appear to have been any relevant prior judicial consideration of the obligation under section 912A(1)(h). However, Justice Rofe has provided the following judicial guidance: in the context of cyber risk management, the assessment of adequate risk management systems requires the consideration of the risks faced by a business in relation to its operations and IT environment.
Whilst the standard of "adequacy" is for a court to decide, the assessment of whether a cyber risk management system is adequate will likely be informed by expert evidence.
3. Monitoring and auditing compliance is key
It is notable that RI Advice did not start from a place of zero policies, plans or procedures. Prior to and as at 15 May 2018 (the date from which RI Advice became aware of its December 2017 incident, which was the most significant of its nine cybersecurity incidents, and the date from when the declaration of contravention commenced), RI Advice had taken some steps to put in place documentation, controls and risk management measures in respect of cybersecurity risk for its authorised representatives (ARs). This included:
- training and awareness sessions at professional development events, and information provided to ARs via RI Advice's weekly newsletter
- an incident reporting process and forum where incidents were discussed
- obligations contained in "Professional Standards" which ARs were contractually required to comply with. They are the Information Security Standard, Electronic Data Storage Standard, Incident Notification Standard, Fraud Standard and Procedures, and the Privacy Standard.
However, the key problem was that there were no auditing and compliance mechanisms in place.
- In the period up to 15 May 2018, compliance with the Professional Standards was not monitored or audited by RI Advice beyond seeking confirmation from ARs that they had read and were aware of the Professional Standards. This is a typical box-ticking exercise wholly reliant on self-assessment by an AR, with no adequate third-party checks for implementation and compliance.
- From 15 May 2018 to 5 August 2021, RI Advice did not have in place adequate auditing and compliance mechanisms to provide assurance to RI Advice that the Professional Standards requirements relating to cybersecurity were actually understood by ARs and were being met, and where they were not met, risks or compliance actions were subsequently raised for RI Advice's management attention. In other words, there was no chain of reporting to ensure that RI Advice, as the AFSL holder, had oversight and supervision of the ARs' compliance with these cybersecurity requirements.
Many AFSL holders and businesses may shy away from implementing auditing and compliance mechanisms, particularly with the assistance of external cybersecurity advisors, due to concerns about costs. However, this decision makes clear that without investment in auditing and compliance mechanisms, a move away from purely self-assessment for compliance, and adequate supervision and oversight of the AR network's cybersecurity practices, an AFSL holder will likely contravene its section 912A obligations.
4. Implementation timeframe should be quicker
This case demonstrates that taking three years to implement cybersecurity and cyber resilience measures across RI Advice's AR network (between 89 and 119 AR practices) was too long.
Although RI Advice sought to assess and develop measures to improve cybersecurity and cyber resilience for the ARs from 15 May 2018 to 5 August 2021, RI Advice admitted that it took too long to implement and ensure such measures were in place across its AR network. RI Advice accepted that it should have had a more robust implementation of its cybersecurity uplift program so that measures were more quickly in place at each AR, such that the majority of the AR network could have been confirmed as operating pursuant to such cybersecurity and cyber resilience measures earlier than 6 August 2021.
Therefore, apart from ensuring that the relevant cybersecurity and cyber resilience risks and measures are identified, the implementation program should also be robust, and the implementation timeframe not unnecessarily delayed.
5. ASIC's expectation: 13 cybersecurity domains
As this decision was a result of a negotiated settlement between ASIC and RI Advice, and the final hearing was vacated, there was no opportunity for ASIC to ventilate, and for the Court to expressly decide, on what ASIC says are the minimum cybersecurity requirements necessary for an AFSL holder to comply with their section 912A obligations.
ASIC had alleged in its extensive 175-page Second Further Amended Statement of Claim that, in order for RI Advice to adequately manage risk in respect of cybersecurity and cyber resilience for itself and across its AR network, the cybersecurity documentation and controls it should have had in place to meet the minimum cybersecurity requirements should have adequately addressed each of the following 13 cybersecurity domains:
- Governance and business environment;
- Risk assessments and risk management;
- Asset management;
- Supply chain risk management;
- Access management;
- Personnel security, training and awareness;
- Data security;
- Secure system development life cycle and change management;
- Baseline operational security;
- Security continuous monitoring;
- Vulnerability management;
- Incident response and communications; and
- Continuity and recovery planning.
It can be expected that these 13 cybersecurity domains would form the minimum benchmark standards that ASIC expects of its AFSL holders in respect of cybersecurity and cyber resilience practices. Going forward, it would therefore be prudent for AFSL holders to review their cybersecurity and cyber resilience practices through the lens of these 13 cybersecurity domains.
6. No penalties imposed here, but that is not a given
Although no pecuniary penalties were imposed on RI Advice (ASIC sought pecuniary penalties in the enforcement proceedings, but this does not appear to have been pursued at settlement), this does not mean that any future contraventions of section 912A will not attract significant penalties.
Penalties sought against companies for a contravention of section 912A are subject to a maximum which is the greater of:
- 50,000 penalty units (currently $11.1 million);
- three times the benefit obtained and detriment avoided; or
- 10% of annual turnover, capped at 2.5 million penalty units (currently $555 million).
The cost of compliance would therefore most likely be outweighed by the cost of potential pecuniary penalties as a result of an enforcement action.
For more insights into the decision's relevance to your organisation or for assistance reviewing your current practices, please contact one of our team members.
Authors: Melissa Tan, Special Counsel and Laura Stirling, Paralegal