Cloud vs On Premise - Governance

Federal Court judgement provides important lessons in cyber security and risk management

On 5 May 2022, the Federal Court handed down judgment in proceedings brought by the corporate regulator against a financial services provider for its failure to have adequate cyber security and cyber resilience risk management controls. That judgment offers important lessons for business owners in managing data and privacy legal risks. [Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496].

ASIC v RI Advice Group

In an “Australian first”, the Federal Court found in ASIC v RI Advice Group that the financial services provider had breached its license obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cyber security risks.

The finding arose from what ASIC described as a “significant number” of cyber incidents occurring between June 2014 and May 2020. There was a proper basis for making declarations – in a form agreed by ASIC and RI Advice – that, as a result of that failure to manage cyber security risks and cyber resilience, the provider had breached its obligations under s912(1)(a) and (h) of the Corporations Act.

In a statement, ASIC deputy chair Sarah Court said: “These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information. It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.

“ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment,” she added.

The court ordered RI Advice to pay $750,000 towards ASIC’s costs and to engage a cyber expert to “identify and implement what, if any, further measures are necessary to adequately manage cyber security risks across RI Advice’s authorised representative network”.

Moreover, Justice Helen Rofe recorded the court’s disapproval of the conduct, noting that the findings should deter other financial services providers from engaging in similar conduct.

The outcome follows reforms introduced on the back of the Hayne royal commission, under which failure to comply with certain Australian Financial Services (AFS) licensing obligations, including obligations relating to how cyber risks are addressed, may give rise to a civil penalty.

In this particular case, those cyber incidents occurred before the reforms were introduced.

Key takeaways for the legal profession

In her judgment, Justice Rofe stressed that cyber security should be front of mind for all licensees.

“Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services,” her Honour observed.

“It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”

While this case focuses on the particular risks present in the financial services sector, it is reasonable to assert that it is now more important than ever that all organisations take steps to improve their cybersecurity, ensuring that their systems and processes for managing cyber risk can respond to the evolving nature and profile of the risks.

‘Clear message to corporate Australia’

The “landmark” ruling, KordaMentha executive director Noah Jacobson wrote, should sound “major warning bells” about risk management strategies pertaining to cyber.

It sends a “clear message to corporate Australia”, he opined, that cyber security regulators are now actively enforcing minimum security expectations.

“Organisations must take seriously the need to implement cybersecurity programs and keep them up to date. The stark reality is, this landmark case is only the beginning as it is now the ideal springboard for all regulators, not just ASIC, to pursue the many similar cases they have waiting in the wings,” he said.

“The case also plainly demonstrates the significant expense saved by onboarding cybersecurity programs and addressing risks before as well as when they arise. RI Advice could potentially have avoided legal action and major financial consequences had it put adequate cybersecurity programs in place and adopted remediation strategies following the attacks on its servers.”

“Significant reputational damage aside (within hours of the ruling Insignia shares fell 1.03 per cent to $3.36), consider the expense now faced by RI Advice. Meeting the court order’s lengthy list of requirements will potentially run into millions of dollars – money that could have been saved by having appropriate risk management in place and addressing issues as they arose,” Mr Jacobson continued.

Those running or acquiring corporations across Australia, no matter their size or industry, are on notice, he surmised.

“If cybersecurity is continually swept under the carpet, dismissed as being too expensive to implement or merely paid lip service, the consequences are now very real and possibly dire,” he said.

Governance and compliance

Clyde & Co partners Avryl Lattin and Alec Christie reflected that this case is “confirmation” of what has been witnessed in the last year or so in terms of increased regulatory focus on cyber security.

The decision may not have established a prescriptive standard for regulated entities, they said, but it is “nonetheless a watershed moment”.

“While this consent judgment did not define specifically what measures AFSL holders must have in place to manage cyber risk, it establishes that a standard of care is required and what is reasonable in the circumstances,” the pair outlined.

“That is, AFSL holders must have appropriate documentation, controls and risk management systems in place to ‘adequately’ manage risk in respect of cybersecurity and cyber resilience. The adequacy of such arrangements is to be determined by experts (such as qualified and experienced IT security firms) but the arrangements must at least meet general community expectations.”

“Of course, the cyber security risk landscape is not static and will require ongoing assessment. AFSL holders will need to constantly assess what is ‘adequate’ on an ongoing basis,” Ms Lattin and Mr Christie added.

Financial exposure

RI Advice did not receive a penalty in this case, but it was ordered to pay ASIC’s costs and will have to fund the remediation required to uplift its cyber security. These costs are likely to be substantial, and they come on top of the defence costs already incurred in responding to the litigation.

What businesses should do now

The message from this case is clear: investment in cyber resilience is more important than ever before.

Cyber risk is not something that should be delegated simply to the IT function. Instead, it must be raised with the broader business risk management decision-makers and be treated as a whole-of-business issue.

Critically, when an incident happens, businesses should focus their investigation not only on identifying the root cause but also on ensuring that the underlying vulnerabilities and systemic practices are remediated.

Another lesson is that what starts out as a series of IT issues can ultimately escalate into a high-profile ASIC prosecution involving legal compliance and reputational risk management issues.

The case also demonstrates the importance of cross-collaboration between legal and IT teams to adequately manage these issues.

For more information and expert advice, ask to speak to Mark Ferraretto at Ezra Legal on (08) 8231 6100 or email markf@ezralegal.com.au

For information and articles on the range of IT and data privacy advice and services that we provide, head to:

Mark Ferraretto

Solicitor – Information Technology & Data Privacy

Ezra Legal
