Australia: The dawn of a new AFSL cyber risk management standard – Implications of the RI Advice Group decision
Legal Development, 27 May 2022
On 5 May 2022, the Federal Court of Australia delivered its judgment in Australian Securities and Investments Commission v RI Advice Group Pty Ltd, the first case to deal with whether a failure to manage cyber risk is a breach of financial services obligations.
The Court made declarations that RI Advice Group Pty Ltd (RI Advice) had contravened its obligations as the holder of an Australian Financial Services Licence (AFSL) under sections 912A(1)(a) and (h) of the Corporations Act 2001 (Cth) (Corporations Act) by failing to have appropriate cyber security controls and cyber resilience in place to manage its own cyber risks, and cyber risks across its network of authorised representatives (ARs).
Importantly, the Court emphasised that while there is a community expectation that reasonable cyber security measures are in place, the adequacy of cyber risk management must be determined by technical experts.
Following delivery of the judgment, the Australian Securities and Investments Commission (ASIC) has published a guidance note outlining the critical measures AFSL holders are now expected to have in place.
- Cyber risk management is directly linked to the core obligations of AFSL holders.
- AFSL holders are responsible for putting in place appropriate cyber security risk management practices for themselves and their ARs.
- AFSL holders should be aware of the potential consumer harms that arise from cyber security shortcomings and act quickly in the event of a cyber incident to minimise the risk of ongoing harm.
- All organisations should regularly re-assess their cyber risks and ensure their detection, mitigation and response measures adequately support the business and the sensitivity of information they hold.
- Cyber risk management is a highly technical area of expertise. The assessment of any cyber risk management system requires the technical expertise of a relevantly skilled person.
- While there is an element of public expectation in the cyber standard, the relevant standard for the management of cyber risk and associated control measures is not to be determined by reference to public expectation. It must be proportionate to the specific cyber risks facing the AFSL holder and its ARs, as determined by technical experts.
- It is not possible to reduce cyber security risk to zero, but it is possible to materially reduce risk through adequate cyber security documentation and controls to an acceptable level.
- Failure to implement necessary measures in a timely manner can constitute a breach of financial services obligations.
- This case is the culmination of ASIC’s focus on cyber security over the past 18-24 months. The emphasis on building cyber resilience is also in line with developments in other regulated sectors and the requirements foreshadowed by the critical infrastructure changes late last year and early this year.
This case was the first case brought by ASIC alleging that a failure to adequately manage cyber security risk is a breach by an AFSL holder of its core financial services obligations.
Although the matter was set down for trial in April 2022, RI Advice admitted a number of contraventions and the matter settled with the parties agreeing by consent to the declarations and orders to be made by the Court.
Nevertheless, in providing reasons for judgment, Justice Rofe of the Federal Court set out how AFSL holders should manage cyber risk.
Conduct of RI Advice
RI Advice is the holder of an AFSL under the Corporations Act. In turn, RI Advice also authorises and engages independently owned corporate and individual ARs to provide financial services to retail clients on RI Advice’s behalf under its AFSL.
Between June 2014 and May 2020, various ARs of RI Advice experienced nine cyber security incidents.
Inquiries and reports made on behalf of RI Advice following the AR cyber security incidents revealed that there were a variety of concerns regarding the ARs’ management of cyber security risks.
Overview of the decision
Although the declarations and orders were made by consent, the Court still looked at RI Advice’s obligations under s 912A(1) of the Corporations Act to:
(a) do all things necessary to ensure that the financial services covered by the Licence are provided efficiently, honestly and fairly; and
(h) have adequate risk management systems.
- RI Advice admitted that, prior to 15 May 2018, it did not have “adequate” cyber risk management systems (including documentation, controls and assurance) to manage cyber security risks across its ARs in the course of providing financial services pursuant to its AFSL.
- Although RI Advice made some significant improvements to its cyber security risk management systems, including adopting a Cyber Resilience Initiative, RI Advice also admitted that there should have been a more robust implementation of cyber resilience prior to August 2021. It admitted that it “took too long to implement and ensure such measures were in place across its AR practices.”
What is cyber security?
In the circumstances of RI Advice’s financial services business, the Court defined cyber security as “the ability of an organisation to protect and defend the use of cyberspace from attacks” and cyber resilience as “the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber sources.”
What is adequate cyber risk management?
While the Court did not go so far as to define specifically what AFSL holders must have in place to manage cyber risk (i.e. what is adequate in all cases), the decision does establish that a standard of care is required. The Court rejected the suggestion that the relevant standard for assessment of adequate cyber risk management should be determined by “public expectation”. Although some conduct by AFSL holders may be appropriate to assess through public expectation, risk management relating to cyber security risk should not be assessed in this way.
Instead, the Court took the view that cyber risk management is a highly technical area of expertise and concluded that “the assessment of the adequacy of any particular set of cyber risk management systems requires the technical expertise of a relevantly skilled person.” The Court stated that in this type of technical area:
“The reasonable standard of performance is to be assessed by reference to the reasonable person qualified in that area, and likely the subject of expert evidence before the Court, not the expectations of the general public”. As a guide to what is inadequate cyber risk management, this case provides the following examples:
- computer systems which did not have up-to-date antivirus software installed and operating;
- no filtering or quarantining of emails;
- no backup systems in place, or backups not being performed; and
- poor password practices including lack of multi-factor authentication, sharing of passwords between employees, use of default passwords, passwords and other security details being held in easily accessible places or being known by third parties.
Obligations of AFSL holders
This case specifically relates to the core obligations of AFSL holders. The decision reflects the efforts that ASIC has been taking over the past 18-24 months to uplift cyber risk management across all AFSL holders and their ARs.
Notably, an important finding is that RI Advice was also required to take adequate steps to manage cyber security risks of its ARs.
S912A(1)(a) – Performing services “efficiently, honestly and fairly”?
In considering the application of section 912A(1)(a) in this case, the Court restated various authorities that it is not necessary to prove dishonesty to establish that an AFSL holder has failed to do all things necessary to provide services “efficiently, honestly and fairly”. In this case, ASIC did not allege that RI Advice failed to act honestly with respect to cyber risks.
This conclusion broadens the potential application of section 912A(1)(a) in circumstances where there has been a failure to adequately provide services but no dishonesty on the part of the AFSL holder or its ARs.
S912A(1)(h) – Adequate risk management systems
In the context of assessing whether an AFSL holder has “adequate risk management systems” under section 912A(1)(h), the Court said that this will require consideration of “the risks faced by a business in respect of its operations and IT environment”. However, the Court also noted that financial services is an area of heightened cyber security risk generally (i.e. somewhat of a target for malicious actors). Once again, the Court emphasised that it will be informed by evidence from relevantly qualified experts in the field.
Implications for AFSL holders
This case is the culmination of ASIC’s recent focus on cyber risk and demonstrates that the impacts associated with a cyber incident for AFSL holders may go well beyond the immediate costs associated with the incident and the potential loss of reputation.
There is also a risk of breach of financial services obligations which could lead to significant penalties, the loss of their AFSL and the right to carry on the business.
The Court made a range of orders including that:
- RI Advice engage (at its own expense) a cyber security expert to identify any further cyber security and cyber resilience documentation and controls necessary for RI Advice to adequately manage risk across its AR network (Further Measures);
- RI Advice report to ASIC on such Further Measures and implement any Further Measures within 90 days; and
- RI Advice pay $750,000 toward ASIC’s costs of the proceeding.
It should be noted that RI Advice admitted to breaches of the Corporations Act. However, in the absence of such admissions, if ASIC had ‘proven its case’, the Court would likely have made additional orders including imposing significant penalties.
ASIC’s expectations of AFSL holders
Since the handing down of the judgment, ASIC has identified critical measures that AFSL holders should have in place. In summary, ASIC expects:
- AFSL holders should be aware of the potential consumer harms that arise from cyber security shortcomings;
- AFSL holders should adopt good cyber security risk management practices to reduce potential harm to consumers, including active management of cyber risks, continuous cyber security improvement, assessment of cyber incident preparedness and review of incident response and business continuity plans;
- AFSL holders should act quickly in the event of a cyber incident to minimise the risk of ongoing harm. They should ensure there is regular re-assessment of cyber risks, and that detection, mitigation and response measures adequately support the size and complexity of the business and the sensitivity of information held;
- AFSL holders are strongly encouraged to report cyber incidents to the Australian Cyber Security Centre (ACSC). Licensees should also consider whether they are obligated to report the incident to ASIC.
Overall, AFSL holders must have adequate technological systems, policies and procedures in place to minimise the risk of consumer harm.
Managing cyber security risks
AFSL holders must treat management of cyber security risks as seriously as any other legal obligation. At a minimum, it is now clear that AFSL holders must have technical advice that they have adequate cyber security practices in place in order to avoid fines, prosecution by ASIC and/or loss of their AFSL. By having, at a minimum, third-party expert-assured ‘adequate’ measures in place in the first instance, RI Advice could have avoided these significant costs.
It is important to note as well that the controls deployed to address risk will need to change over time as the business and risks develop. Organisations should follow the guidance of the Australian Cyber Security Centre for updates on the current cyber risk landscape and conduct regular risk assessments. Clyde & Co has a dedicated cyber advisory team in the field, which is available to help assess and uplift your cyber systems and risk management as necessary.
Breach reporting under the Corporations Act
In light of the new AFSL breach reporting framework that now applies, AFSL holders will also need to make sure that any failures in cyber security risk frameworks are appropriately reported to ASIC. AFSL holders should develop and adopt internal protocols and frameworks to assist with the quick, efficient and consistent assessment and determination of incidents.
This case demonstrates that a breach reporting framework is not only needed for mandatory data breach reporting purposes under the Privacy Act, but also for those organisations that have breach reporting obligations under the Corporations Act as AFSL holders.
Where there are reasonable grounds to believe that a reportable situation has arisen, including a breach of a core obligation, the breach must be reported to ASIC within 30 days.
We note that those AFSL holders who are separately regulated by APRA (other than RSE licensees) are not obliged to meet the obligation in the Corporations Act to have “adequate risk management systems” in place. Instead, APRA-regulated entities are required to meet prudential obligations in respect of risk management systems as specified by APRA.
Controls organisations should have in place
All organisations need to understand their legal, regulatory and contractual obligations in regard to cyber security and cyber resilience, and as a matter of due care have an appropriate level of controls in place. Although this case did not specify which technical standard ought to be adopted by RI Advice, entities can align their practices to international best practice standards for the management of cyber risk such as ISO27001, the NIST Cybersecurity Framework, NIST 800-53, or locally the ASD Essential 8. Which standard will be appropriate will depend on the size and profile of the organisation, its overall risk profile, and other considerations such as budget, headcount and technical resources. Organisations should seek specific advice on this.
However, at a basic level, organisations should have controls in place that cover seven core processes:
- Security Governance
- Policy Management
- Awareness & Education
- Identity & Access Management
- Vulnerability Management
- Threat Management
- Incident Response.
To understand cyber risks and adequate responses to those risks, organisations must engage appropriately skilled and experienced individuals to provide the assessment and define the strategy and roadmap for control remediation. This should be done pre-incident; however, after each incident, breached entities should also consider the lessons learnt and the remediation steps required. If adequate remediation controls had been put in place by RI Advice, it is highly likely that several of the events which were the subject of the proceedings would not have occurred.
Wide-ranging implications for organisations more broadly
The nature of the threat landscape and the rapidly changing digital environment is leading to more frequent and more severe cyber incidents which are resulting in greater financial losses and increased reputational damage and regulatory risk. If organisations are not managing their cyber risk adequately and do not have a resilience strategy in place, they will be open to scrutiny should an incident occur.
It is paramount that all organisations consider their approach to cyber risk management and adequacy. While this case was focused on the obligations of AFSL holders, we expect that ASIC will also use its oversight powers to identify whether directors of any company that fails to adequately consider cyber risk, are in breach of their obligations.
Similarly, this decision is likely to inform the enforcement approach that other regulators take to cyber security issues. Those organisations that are required to comply with APRA’s Prudential Standard CPS 234 – Information Security, or which are affected by the new critical infrastructure requirements, should take note of this emerging standard for the management of cyber risk.
How can we help?
Clyde & Co’s Digital Law, Cyber Incident Response and Cyber Advisory teams have unparalleled technical expertise dealing with cyber risk.
Our team has the largest dedicated and market-leading privacy and cyber incident response practice in Australia and New Zealand. Our team is also highly regarded for their expertise and experience in financial services, assisting a range of clients, from FinTech start-ups to Australia’s biggest banks and insurers. Clyde & Co’s Corporate Regulatory team has highly regarded expertise across the cyber incident, breach reporting and ASIC investigation space in relation to AFSL holders.
Clyde & Co provides an end-to-end risk solution for clients. Covering advice, strategy, transactions, innovation, cyber and privacy pre-incident readiness, technical advisory, incident response and post incident remediation through to regulatory investigations, dispute resolution, litigated proceedings (plaintiff and defendant), recoveries and third-party claims (including class action litigation), the teams assist clients across the full spectrum of legal and technical services.