26 August 2020

ASIC commences proceedings alleging failure to have adequate cyber systems – a new era of cybersecurity regulatory action?

This article was written by Cheng Lim and Madeline Close.

Landmark proceedings commenced

ASIC commenced proceedings on 21 August 2020 against RI Advice Group Pty Ltd (RI) alleging its failure to have and implement adequate cybersecurity measures contravened its obligations under the Corporations Act 2001 (Cth) (Corporations Act).[1] 

Although cybersecurity has been an increasing focus for ASIC in recent years,[2] this is the first time that ASIC has initiated litigation alleging deficient cybersecurity practices.  While ASIC has indicated that managing cybersecurity risks falls within the ambit of general directors’ duties,[3] ASIC’s claim against RI alleges contravention of its obligations as an AFSL holder rather than breach of directors’ duties.  This litigation may herald a shift by ASIC towards a greater focus on enforcement rather than just education.  It should also serve as a reminder of the critical importance of cybersecurity to business, especially as many organisations have had to undertake fundamental changes in how they work and communicate in order to manage the impacts of COVID-19.

ASIC’s claim 

RI holds an Australian financial services licence (AFSL) and has a large number of authorised representatives which provide financial services on its behalf.  ASIC is seeking a declaration that RI contravened its licensee obligations under the Corporations Act.

Between late 2016 and April 2020, a number of RI’s authorised representatives suffered cybersecurity incidents.  The incidents included an authorised representative’s reception computer being compromised by ransomware, unauthorised access to emails, and unauthorised access via a remote access port.  In one incident a malicious party gained remote access using an employee’s account and remained undetected for around three months.  KPMG’s report found this incident was likely caused by a ‘brute force’ attack.  One authorised representative suffered two cybersecurity incidents, the first in May 2018 and the second in April 2020.

During the relevant period, RI received a number of reports regarding cybersecurity.  RI received reports from KPMG and from a third-party software provider regarding the breach which remained undetected for three months.  RI also engaged a cybersecurity firm in late 2018 to conduct a cyber assessment risk review of five authorised representatives, including the authorised representative which would later suffer a second breach in April 2020.  The report rated the cybersecurity of three of the authorised representatives as ‘Poor’ and the other two as ‘Fair’.  The report recommended that RI conduct reviews of all of its authorised representatives, which ASIC states RI did not do.  Following the April 2020 incident, RI received a second cyber assessment risk review for that authorised representative, in which it was still rated ‘Poor’.  The report identified a number of security issues such as poor password security and the lack of two-factor authentication.

ASIC alleges RI failed to fulfil its licensee obligations because ‘of its failure to have and to have implemented (including by its authorised representatives) policies, plans, procedures, strategies, standards, guidelines, frameworks, systems, resources and controls which were reasonably appropriate to adequately manage risk in respect of cybersecurity and cyber resilience’.[4]  ASIC is seeking an order that RI contravened sections 912A(1)(a), (b), (c), (d) and (h) and 912A(5A).  Section 912A(1) provides that licensees must:

  • ‘(a) do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly’;
  • ‘(b) comply with the conditions on the licence’;
  • ‘(c) comply with the financial services laws’;
  • ‘(d) subject to subsection (4)--have available adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence and to carry out supervisory arrangements’; and
  • ‘(h) subject to subsection (5)--have adequate risk management systems.’

ASIC is also seeking pecuniary penalties and a compliance order.  The compliance order sought would require RI to implement appropriate cybersecurity measures within 3 months of the date of the orders, and to provide, within 5 months, a written report from an independent expert confirming RI’s compliance.

Enforcement by other regulators

If this litigation signals a new regulatory approach to cybersecurity issues in Australia, it is important to consider the powers of other regulators to bring enforcement action in similar circumstances.  APRA could take action against APRA-regulated ADIs (authorised deposit-taking institutions) for a breach of Prudential Standard CPS 234 (Information Security).  The ACCC may be able to bring proceedings under the Australian Consumer Law (ACL) for misleading or deceptive representations if an entity with inadequate cybersecurity represents that customer data is secure and protected (noting that the Federal Trade Commission in the US has commenced many proceedings of this kind[5]).

It is also important to keep in mind that cybersecurity incidents often result in breaches of the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) and may be notifiable as eligible data breaches.  Cybersecurity incidents could be the subject of action by the Office of the Australian Information Commissioner (OAIC) or of privacy complaints from individuals.

An increasing focus on the Protection of Critical Infrastructure

This regulatory action by ASIC takes place against a backdrop of increasing focus by the Australian Government on the protection and security of critical infrastructure.  A key initiative of Australia’s Cyber Security Strategy 2020[6] has been to reform Australia’s laws to ensure that the Commonwealth has the appropriate safeguards and powers to protect the essential services that Australians rely on, and to uplift the security and resilience of critical infrastructure.  To this end, the Commonwealth recently released a consultation paper on Protecting Critical Infrastructure and Systems of National Significance[7] - see our alert on it here.

The key infrastructure sectors that the Commonwealth is seeking feedback on in relation to this paper include Banking and Finance, Communications, Data and the Cloud, Defence, Education, Research and Innovation, Energy, Food and Grocery, Health, Space, Transport and Water.

What does this mean for your organisation?

These proceedings make it clear that organisations need to have taken all reasonable steps to ensure that the people, processes and technologies they use to protect the security of the information they hold, and the continuity of their businesses and the services they provide, are adequate and appropriate.

What measures will be reasonable, adequate and appropriate will depend on the organisation in question, but some of the key resources, guidance and frameworks that can help in determining this include:

[1] See ASIC’s media release from 21 August 2020, which provides links to its Concise Statement and Originating Process.

[2] See for example Greg Medcraft (ASIC Chairman), ‘Building resilience: the challenge of cyber risk’ (Australian Chamber of Commerce and Industry business reception event (Melbourne, Australia), 15 December 2016) <https://download.asic.gov.au/media/4120903/speech-medcraft-acci-dec-2016-1.pdf>; ASIC, Cyber resilience of firms in Australia’s financial markets: 2018–19 (Report 651, December 2019) <https://download.asic.gov.au/media/5416529/rep651-published-18-december-2019.pdf>.

[3] See for example ASIC, Cyber resilience: Health check (Report 429, March 2015) 13, 43 <https://download.asic.gov.au/media/3062900/rep429-published-19-march-2015-1.pdf>.

[4] ASIC, Originating Process <https://download.asic.gov.au/media/5760718/20-191mr-originating-process-asic-v-ri-advice.pdf>.

[5] See for example FTC v. Wyndham Worldwide Corp, 799 F.3d 236 (3d Cir. 2015).

[6] Australia’s Cyber Security Strategy 2020 <https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy>.

[7] Protecting Critical Infrastructure and Systems of National Significance (consultation paper) <https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/protecting-critical-infrastructure-systems>.
