TL;DR
In a landmark judgment, the Federal Court has found that an Australian financial services licence (AFSL) holder contravened its general AFSL obligations under Corporations Act 2001 (Cth) (Act) by failing to have and to implement documentation and controls in respect of cybersecurity and cyber resilience that were adequate to manage risk.
This is the first time that a financial institution has been found to be in breach of the provisions of the Act due to conduct involving cybersecurity, and may be a sign of what is to come as ASIC pivots to a more aggressive enforcement approach, in line with its strategic priorities for the 2021-2025 period.
Our previous alert, which explored the background leading up to the commencement of these proceedings, as well as ASIC’s claims, can be found here.
The Decision
The Federal Court made declarations that RI Advice Group Pty Ltd (RI Advice) had contravened sections 912A(1)(a) and (h) of the Act and made orders in accordance with an agreement by the parties, requiring that RI Advice pay $750,000 towards ASIC’s costs and, at its own expense:
- engage a cybersecurity expert to identify any further measures which are necessary for RI Advice to implement;
- agree, in consultation with the cybersecurity expert, on the earliest date by which RI Advice should implement any further measures (to the extent any further measures are identified); and
- report to ASIC on the outcome of the implementation of any further measures within 30 days of the date of agreed implementation.
In handing down her judgment, Rofe J found that:
- RI Advice had breached its obligation under section 912A(1)(a) of the Act to “do all things necessary to ensure that financial services covered by its licence were provided efficiently, honestly and fairly” – by failing to ensure that adequate cybersecurity measures were in place and/or adequately implemented across its authorised representatives;[1] and
- RI Advice had breached its obligation under section 912A(1)(h) of the Act to “have adequate risk management systems” – by failing to implement adequate cybersecurity and cyber resilience measures and exposing its retail clients to an unacceptable level of risk.[2]
Key Insights
Although the Federal Court’s factual findings are mostly uncontroversial (considering that they were made based on an agreed statement of facts and jointly proposed orders), Rofe J did make several comments which are helpful in discerning the Court’s approach with respect to cybersecurity matters and obligations under the Act moving forward. Notably, her Honour made the following observations:
- Cybersecurity risk is a significant risk to the provision of financial services: Rofe J highlighted the important role that cybersecurity plays in the provision of financial services, particularly in an economy that is becoming increasingly digitised. Given the reliance on digital and computer technology to deliver financial services, cybersecurity risk understandably forms a “significant risk connected with the conduct of the business”.[3] Therefore, providers of financial services should be seeking to reduce this risk to “an acceptable level” through “adequate cybersecurity documentation and controls”.[4]
- Licensees must consider cybersecurity matters: Rofe J remarked that the Court’s declarations of RI Advice’s contraventions “clarify to the licensees that the relevant provisions of the Act also apply to the area of the management of risks with respect to cybersecurity” and “record the Court’s disapproval of the contravening conduct”.[5] This confirms that the content of the general obligations under section 912A for financial services licensees now clearly extend to a consideration of cybersecurity matters, and the Court will have regard to such matters in determining compliance under the Act. Interestingly, her Honour did not go on further to suggest whether cybersecurity matters would play an equally important role in determining compliance with other provisions in the Act, for example, directors’ duties.
- Reasonable standard of performance is assessed by reference to a reasonable person qualified in that area – Whether a licensee has acted ‘efficiently’ will depend on whether or not the performance of the licensee’s functions falls short of the “reasonable standard of performance”. Cyber risk management is a highly technical area of expertise.[6] According to Rofe J, in such a technical area, this necessarily involves an assessment by reference to a “reasonable person qualified in that area”, as opposed to the expectations of the public.[7] The fact that both the evidence adduced during proceedings, and the parties’ proposed orders, involved the opinions of cybersecurity experts, was a testament to this principle.
- There is a distinction between cybersecurity and cyber-resilience – The licensee’s breaches were characterised as both a lack of cybersecurity and cyber resilience risk management. While the distinction is known to practitioners in the area, the Court’s acknowledgment of the issues as discrete failures is important. Adopting the distinction agreed between the parties, Rofe J characterised cybersecurity as the ability of an organisation to protect and defend the use of cyberspace from attacks. Cyber resilience, as a separate obligation, is the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber sources. The decision makes plain that both are relevant to AFSL holders.[8]
What does this mean for businesses more broadly?
In a rapidly changing threat environment, the Federal Court’s decision serves as a cautionary reminder for organisations to review their risk management frameworks and ensure that they appropriately address cybersecurity and cyber resilience risks. Rofe J observed, the relevant risks and controls deployed:
… evolve over time. As financial services are increasingly conducted using digital and computer technology, cybersecurity risk has also increased. Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.[9]
To that end, organisations should consider the following key resources and guidance to help assess their compliance:
- ASIC's Cyber resilience good practices.
- ASIC's Key questions for an organisation's board of directors.
- Australia's Cyber Security Strategy 2020.
- The Australian Cyber Security Centre's (ACSC) 'Strategies to Mitigate Cyber Security Incidents'. Companion documents are also available on ACSC's website.
In light of recent amendments to the Security of Critical Infrastructure Act 2018 (Cth), the case also raises some questions about the newly introduced risk management program obligations, specifically, whether responsible entities for critical infrastructure assets will be judged against the higher standard of a ‘qualified reasonable person’ in determining whether their risk management programs eliminate or mitigate cybersecurity threats ‘so far as it is reasonably practicable’ to do so. Until the Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules (which, at the time of publication of this alert, are only in draft form) are passed by the Minister for Home Affairs, this remains to be seen.
Although the case concerned an Australian financial services licensee, it is also highly relevant to other entities who may come under scrutiny by other regulators due to being subject to similar obligations, for example, APRA-regulated ADIs (who are required to comply with CPS 234 (Information Security)) and Australian credit licensees under the National Consumer Credit Protection Act 2009 (Cth).
ASIC’s expansion of its enforcement prerogative into cybersecurity as a further regulator policing the digital ecosystem indicates that data forms a key risk for financial institutions, particularly those subject to AFSL obligations. The approach of many organisations to cybersecurity and privacy matters has traditionally been to ensure alignment with the Australian Privacy Principles, by a privacy policy alone, and a “set and forget” approach to data compliance. The ACCC has also demonstrated a willingness to enforce the consumer law in relation to data management practices and disclosures to consumers, indicating careful attention must be paid to the whole data ecosystem within businesses. We expect to see increasing activity by various regulators to enforce compliance with Australian law in the digital economy—and beyond traditional targets for cyber and privacy enforcement.
References
[1] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, [65].
[2] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, [66].
[3] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, [58].
[4] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, [58].
[5] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, [77].
[6] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, [46].
[7] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, [49].
[8] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, [57].
[9] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, [58].
