Inadequate cybersecurity contravenes AFSL obligations
By Katherine Jones and Jessica Yazbek
Inadequate cybersecurity risk management systems and cyber resilience constituted a contravention of Australian Financial Services Licence (AFSL) obligations under s 912A(1)(a) and (h) of the Corporations Act 2001 (Cth).
In brief
- Cybersecurity influences more than just your computer network. Poor cybersecurity and cyber resilience practices may fall foul of your AFSL obligations.
- Cyber risk management is a highly technical area of expertise. The assessment of the adequacy of cyber risk management systems requires the technical expertise of a relevantly skilled person. Expert advice should always be sought when in doubt.
- It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk. Implementing adequate cybersecurity documentation and controls to an acceptable level can reduce risk. This includes training sessions, professional development events, setting up an incident reporting process for cyber-attacks, using up-to-date security software, backing up data, implementing a password policy, and implementing document management and security policies.
- Implementation and timing are crucial. Despite having good practices, being too slow in implementing and ensuring adoption could lead to a breach of your AFSL obligations.
In the landmark decision of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, the Federal Court incorporated agreed terms of settlement prior to a hearing to find that inadequate cybersecurity risk management systems and cyber resilience constituted a contravention of Australian Financial Services Licence (AFSL) obligations under s 912A(1)(a) and (h) of the Corporations Act 2001 (Cth).
Background
RI Advice appointed authorised representatives (ARs) to provide financial services under its AFSL.
The ARs electronically received, stored and accessed confidential and sensitive personal information and documents in relation to their retail clients. The personal information included full names, addresses, date of birth, phone numbers, email addresses, copies of documents such as driver's licences, passports and other financial information, and in some instances, health information.
While the collection of such personal information was reasonably necessary to provide financial services (and therefore not in breach of Australian Privacy Principle 3) there were nine cybersecurity incidents between June 2014 and May 2020 of varying concern (which may have been a breach of Australian Privacy Principle 11) (see [16]).
Cyber attacks
The cybersecurity incidents included hacking of both the ARs' computer networks and third-party computer networks, phishing emails unknowingly sent from an AR employee's email address, two ransomware attacks and a data breach.
In most of these incidents, personal information was either accessed without authorisation or held for ransom. In one instance where an AR’s email account was compromised, five clients received a fraudulent email urging the transfer of funds. One client made transfers totalling $50,000.
RI Advice conducted its own enquiries and determined (see [17]) that there were a variety of issues concerning the ARs' management of cybersecurity risk, including:
- out of date antivirus software;
- a lack of filtering or quarantining of suspicious emails;
- a lack of backup systems, or backups not being performed; and
- poor password practices, including sharing of passwords between employees, use of default passwords, and other security details being held in easily accessible places or being known by third parties.
The consequences
Section 912A of the Corporations Act imposes a wide ranging obligation on an AFSL holder to do all things necessary to ensure the authorised financial services are provided "efficiently, honestly and fairly". Section 912A(1)(h) requires the licensee to have "adequate risk management systems".
ASIC brought proceedings seeking declarations that RI had contravened ss 912A(1)(a), (b), (c), (d), (h) and 5A of the Corporations Act "as a result of its failure to have and to have implemented policies, plans, procedures, strategies, standards, guidelines, frameworks, systems, resources and control which were reasonably appropriate to adequately manage risk in respect of cybersecurity and cyber resilience" (see [5]).
RI Advice and ASIC settled the dispute. No pecuniary penalty was payable. RI Advice agreed (and was ordered) to pay a contribution to ASIC’s costs of the proceeding, along with agreeing to compliance orders that RI engage a cybersecurity expert to audit its systems and make recommendations to be implemented.
Rofe J found that RI Advice contravened ss 912A(1)(a) and (h) by failing to ensure that adequate cybersecurity measures were in place and/or adequately implemented across its ARs in the period 15 May 2018 to 5 August 2021 (see [61]).
RI Advice took "too long to implement and ensure such measures were in place across its AR Practices" (see [64]). Her Honour stated "the fact that RI… has made various improvements and extensions to its existing cybersecurity risk management systems in the period from 15 May 2018 to 5 August 2021, does not remove the need for an external expert to now assess the adequacy of its cybersecurity risk management systems" (see [90]).
It is important to note that:
- in relation to s 912A(1)(a), there had been no breach of a "social and commercial norm" that would require any particular standard, or any particular system, for cyber risk management;
- a public expectation test is not the relevant test for s 912A(1)(a), given the technical field of cybersecurity risk management; and
- a finding that an AFSL holder failed to meet the statutory standard of acting "efficiently and fairly" does not mean that the contravention entailed a lack of honesty.
The case illustrates the significance and seriousness of good privacy and cyber hygiene and the willingness of the regulator to adapt existing regulatory and legislative tools to new problems.
With cybersecurity becoming the focus of discussion and concern for many businesses and individuals, we are likely to witness a new trend in the kinds of proceedings brought by ASIC.
Further, an APRA regulated entity must comply with CPS 234, and a breach may lead to APRA initiated regulatory proceedings.