What can Boards do to avoid regulatory action for alleged cyber security failures?

Financial services providers receive and store, electronically, large amounts of confidential and sensitive client information and documents, including in relation to financial matters. They are prime targets of cyber criminals, and the existence of a robust cyber security framework is therefore critical for any Australian Financial Services licence (AFSL) holder and their individual or corporate authorised representatives (ARs).

ASIC has sought to drive this point home by recently taking action against AFSL holder, RI Advice Group Pty Ltd (RI), in the Federal Court of Australia for allegedly breaching RI's AFSL obligations under s 912A of the Corporations Act 2001 (Cth) (CA) as a result of a failure to have adequate cyber security systems. Not only is ASIC seeking declarations of contraventions of various section 912A obligations [1] in the Originating Process filed on 21 August 2020, ASIC is also seeking pecuniary penalty orders [2] and compliance orders [3].

In this article, we take a look at some of the alleged cyber security failures of RI highlighted by ASIC, and what Boards can do to ensure that their companies have an adequate cybersecurity framework and cyber resilience so as to avoid regulatory action.

RI's alleged inadequate cyber security system

The regulatory action against RI comes following several cyber breach incidents at certain ARs of RI between 2016 and 2020. Below is a quick snapshot of the types of cyber breaches affecting RI's ARs during this period.

Late December 2016

  • The AR's main reception computer was hacked by ransomware, which encrypted files and made them inaccessible
  • RI became aware on about 3 January or 3 March 2017

30 May 2017

  • RI was informed that the AR's local network was hacked through a remote access port, impacting about 226 client groups

From about 30 December 2017 until about 15 April 2018

  • An unknown malicious agent obtained and retained unauthorised remote access to the file server of RI’s AR through an employee's account
  • KPMG concluded the breach was likely the result of a brute force attack using an employee login. The malicious agent spent more than 155 hours logged into the server, which contained sensitive client information including identification documents
  • The AR did not detect the breach until 16 April 2018, more than three months after it had commenced. RI was informed of the breach on 15 May 2018
  • On 19 September 2019, the AR informed the OAIC, and RI was aware, that the AR's investigation had revealed that there were 8,104 individuals potentially exposed to the breach

23 May 2018

  • RI was informed on 29 May 2018 that an unknown party had obtained unauthorised access to an individual AR's email account and used the account to request a bookkeeper to transfer funds to a Turkish bank account (which transfer was not made). The likely cause was a Trojan (a form of malicious software) installed on the AR's laptop computer

23 August 2019

  • An unauthorised party had compromised a staff member’s mailbox account

15 April 2020

  • A suspected phishing attack. For the second time, this involved an external party's unauthorised use of an individual AR's email account. The unknown party had monitored the email account for a period of time and had access to thousands of email addresses and contact details, as well as over 10,000 emails. There were a number of significant cybersecurity issues, including the poor level of password security and no use of two-factor authentication

Due to the sensitive client and financial information RI's ARs receive and store electronically in the course of providing financial services, ASIC alleges it was and is incumbent on RI in discharging its duties and functions as a licensee to have adequate systems, policies, procedures and controls in place that met and meet the reasonable standard that would be expected by the public in appropriately managing risks in relation to cybersecurity and cyber resilience across its AR network.

However, in light of the number and severity of the breaches as highlighted above, ASIC alleges that RI failed to have implemented (including by its ARs) any such adequate policies, systems and resources, and as a result, RI contravened various section 912A obligations.

We also observe that the following matters are key to ASIC's criticism of RI's cybersecurity risk management systems and resources as being inadequate:

  1. Upon becoming aware of each cybersecurity incident, RI failed to:
  • properly review the effectiveness of cybersecurity controls relevant to these incidents across its AR network, including email filtering, multi-factor authentication, and cyber training and awareness; and
  • ensure that those controls were remediated across its AR network where necessary in a timely manner, in order to adequately manage risk with respect to cybersecurity and cyber resilience.

  2. RI held minimal and inadequate documentation for the management of cybersecurity and cyber resilience across its AR network, including regarding the roles and responsibilities of RI and its ARs. RI changed parent companies on 1 October 2018. However, many cybersecurity documents had been developed by one or other of those parent companies, were specific to those organisations and their IT environments, and were not tailored to the requirements of RI and its ARs.

  3. Several third-party IT providers provided investigative reports which identified a number of significant cybersecurity gaps in the systems of RI's ARs, but the recommendations for improvement (including the Australian Cyber Security Centre's Essential Eight cybersecurity strategies to mitigate cybersecurity incidents) were not implemented.

  4. Although RI engaged Security in Depth, a third-party cybersecurity firm, to perform a cyber assurance risk review (CARR) of five ARs, with three ARs having a "Poor" cybersecurity status and the other two ARs having a "Fair" cybersecurity status, nothing was done to rectify the deficiencies or to ensure that CARRs were performed on all ARs. In particular, the CARR reports had noted that the three ARs rated as "Poor" had no discernible cybersecurity policies, processes and procedures in writing, and no structured security governance program driven from the executive down, and that it was highly likely that a cyber incident could occur over the next 12 months with significant impact on the ARs' ability to provide critical services.

  5. Although RI planned and undertook a number of discrete cybersecurity initiatives with the stated intention of addressing cybersecurity across its AR network, it did not take these steps as part of an informed risk management framework, and did not adopt and implement adequate and tailored cybersecurity documentation and controls in several cybersecurity domains. [4]

What can Boards do to avoid regulatory action?

Having a robust cybersecurity risk management framework, cyber resilience and structured security governance program driven from the executive down is key in avoiding regulatory action as well as potential third party claims against directors and officers.

ASIC has identified 11 cyber resilience good practices which guide its assessments of the adequacy of an organisation's cyber resilience program, and which ASIC considers will enable organisations to operate highly adaptive and responsive cyber resilience processes. It is important for Boards to be familiar with these good practices and to incorporate them in their organisation.

ASIC has also identified the following eight key questions an organisation's Board of Directors should consider when evaluating cyber resilience within their organisations.

Risk management framework

Question 1: Are cyber risks an integral part of the organisation's risk management framework?

Having a Board that takes ownership of the cyber strategy by making it an integral part of the organisation's risk management framework is critical.

What this means is that exposures should be recognised, assessed for impact against clearly defined metrics such as response time, cost and legal or compliance implications, and planned for so as to attract investment commensurate with a risk-based assessment.

Documented cybersecurity strategies, principles, policies, rules and procedures should also be in line with the overall governance framework.

Question 2: How often is the cyber resilience program reviewed at the board level?

The cyber risk landscape is not static and changes more quickly than other areas of risk. Ensuring that the organisation's cyber resilience program is reviewed at the board level periodically is important.

Identifying cyber risk

Question 3: What risk is posed by cyber threats to the organisation’s business?

It is also important for the Board to identify and reflect on the risks posed by cyber threats to the particular business of the organisation, so as to formulate a risk tolerance for the risks and ensure that the identified cyber risks are adequately dealt with by the organisation's risk management framework.

Question 4: Does the board need further expertise to understand the risk?

Having a director with a background in cybersecurity is increasingly necessary and important to ensure that the Board has a strategic understanding of technology and the associated risks.

Otherwise, Boards should also consider whether they may benefit from the use of external cyber experts to review and challenge the information presented by senior management.

Monitoring cyber risk

Question 5: How can cyber risk be monitored and what escalation triggers should be adopted?

As malicious cyber activities often have devastating effects on an organisation's business, having a system in place to monitor and report on cyber risks to senior management and the Board is key.

Organisations at the forefront of good practice are using intelligence-driven solutions to deal with this challenge. There has been an increased use of enterprise-wide continuous monitoring systems and the use of data analytics to integrate sources of threats in real time.

Controls

Question 6: What is the people strategy around cybersecurity?

The key source of cyber breaches is the human factor. Lack of staff awareness of safe cyber practices, social engineering or negligent behaviours remain a major source of cyber issues.

Boards should satisfy themselves that there is sufficient investment in staff awareness training given its prominence as a source of risk. Effective cyber resilience requires a strong "cultural" focus driven by the Board and reflected in organisation-wide programs for staff awareness, education and random testing, including of third parties. A collective effort against cyber threats will better serve an organisation.

Question 7: What is in place to protect critical information assets?

The Board should be satisfied that critical information assets of the organisation are appropriately secure. There should be transparency surrounding the location of all critical assets (including third-party partners and service providers), how they are protected and how protection is being assured.

Effective management of organisational assets is characterised by centralised management systems for critical internal and external assets (e.g. software and data), and configuration management that ensures visibility of critical assets.

Response

Question 8: What needs to occur in the event of a breach?

Boards should ask themselves:

  • If and when a problem arises, what processes are in place for communicating effectively, internally and externally, and managing the situation?
  • Has there been a sufficient level of scenario planning and testing to ensure that response plans are valid and up to date, including with third-party suppliers and dependants?

Boards may need to ensure that security and customer trust are central considerations as companies strive to deliver innovative products and services through technology.

Having an internal cybersecurity breach policy as well as cyber insurance are critical measures that should be in place to assist in a breach response.

Conclusion

ASIC's decision to take regulatory action against RI for the alleged breach of the financial services obligations and potentially seeking hefty pecuniary penalties against the AFSL holder is a clear signal to the financial services market that ASIC takes the robustness of an organisation's cybersecurity framework and cyber resilience very seriously and as being critical to discharging an AFSL's statutory obligations.

Avoiding regulatory action and any potential third party claims against directors and officers requires the Board, at a minimum, to be familiar with and incorporate the cyber resilience good practices identified by ASIC, and to be guided by the eight key questions ASIC has identified as important when evaluating cyber resilience within their organisations.


[1] In particular, sections 912A(1)(a), (b), (c), (d) and (h) and (5A).

[2] An order that RI pay pecuniary penalties (section 1317G of the CA). The maximum pecuniary penalty which can be ordered is the greater of 50,000 penalty units ($10.5 million) or 10% of the annual turnover of the company (capped at a monetary value of 2.5 million penalty units).

[3] Compliance orders that RI implements systems that are reasonably appropriate to adequately manage risk in respect of cybersecurity and cyber resilience (within three months) and provide a report from a suitably qualified independent expert confirming that such systems have been implemented (within five months).

[4] The cybersecurity domains are: governance and business environment, risk assessment and risk management, asset management, supply chain risk management, access management, personnel security training and awareness, data security, secure system development life cycle and change management, baseline operational security, security continuous monitoring, vulnerability management, incident response and communication, and continuity and recovery planning.
