This article was written by Cheng Lim and Madeline Close.
Landmark proceedings commenced
ASIC commenced proceedings on 21 August 2020 against RI Advice Group Pty Ltd (RI) alleging its failure to have and implement adequate cybersecurity measures contravened its obligations under the Corporations Act 2001 (Cth) (Corporations Act).
Although cybersecurity has been an increasing focus for ASIC in recent years, this is the first time ASIC has initiated litigation alleging deficient cybersecurity practices. While ASIC has indicated that managing cybersecurity risk falls within the ambit of general directors’ duties, its claim against RI alleges contravention of RI’s obligations as an AFSL holder rather than a breach of directors’ duties. The litigation may herald a shift by ASIC towards enforcement rather than education alone. It should also serve as a reminder of the critical importance of cybersecurity to business, especially as many organisations have had to make fundamental changes to how they work and communicate in order to manage the impacts of COVID-19.
RI holds an Australian financial services licence (AFSL) and has a large number of authorised representatives which provide financial services on its behalf. ASIC is seeking a declaration that it contravened its licensee obligations under the Corporations Act.
Between late 2016 and April 2020, a number of RI’s authorised representatives suffered cybersecurity incidents. These included an authorised representative’s reception computer being infected with ransomware, unauthorised access to emails, and unauthorised access via a remote access port. In one incident a malicious party gained remote access using an employee’s account and remained undetected for around three months; KPMG’s report found this incident was likely caused by a ‘brute force’ attack. One authorised representative suffered two cybersecurity incidents, the first in May 2018 and the second in April 2020.
During the relevant period, RI received a number of reports regarding cybersecurity. RI received reports from KPMG and from another third-party software provider regarding the breach that remained undetected for three months. RI also engaged a cybersecurity firm in late 2018 to conduct a cyber assessment risk review of five authorised representatives, including the authorised representative that would later suffer a second breach in April 2020. The report rated the cybersecurity of three of the authorised representatives as ‘Poor’ and the other two as ‘Fair’. The report recommended that RI conduct reviews of all of its authorised representatives, which ASIC states RI did not do. Following the April 2020 incident, RI received a second cyber assessment risk review for that authorised representative, in which it was still rated ‘Poor’. The report identified a number of security issues, such as poor password security and the lack of two-factor authentication.
ASIC alleges RI failed to fulfil its licensee obligations because ‘of its failure to have and to have implemented (including by its authorised representatives) policies, plans, procedures, strategies, standards, guidelines, frameworks, systems, resources and controls which were reasonably appropriate to adequately manage risk in respect of cybersecurity and cyber resilience’. ASIC is seeking a declaration that RI contravened section 912A(1)(a), (b), (c), (d) and (h) and section 912A(5A). Section 912A(1) provides that licensees must:
- ‘(a) do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly’;
- ‘(b) comply with the conditions on the licence’;
- ‘(c) comply with the financial services laws’;
- ‘(d) subject to subsection (4)--have available adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence and to carry out supervisory arrangements’; and
- ‘(h) subject to subsection (5)--have adequate risk management systems.’
ASIC is also seeking pecuniary penalties and a compliance order. The compliance order sought would require RI to implement appropriate cybersecurity measures within 3 months of the date of the orders, and to provide, within 5 months, a written report from an independent expert confirming RI’s compliance.
Enforcement by other regulators
If this litigation signals a new regulatory approach to cybersecurity issues in Australia, it is important to consider the powers of other regulators to bring enforcement action in similar circumstances. APRA could take action against APRA-regulated ADIs for a breach of Prudential Standard CPS 234 (Information Security). The ACCC may be able to bring proceedings under the Australian Consumer Law (ACL) for misleading or deceptive representations if an entity with inadequate cybersecurity represents that customer data is secure and protected (noting that the Federal Trade Commission in the US has commenced many proceedings of this kind).
It is also important to keep in mind that cybersecurity incidents often result in breaches of the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) and may be notifiable as eligible data breaches. Cybersecurity incidents could therefore be the subject of action by the Office of the Australian Information Commissioner (OAIC) or of privacy complaints from individuals.
An increasing focus on the protection of critical infrastructure
This regulatory action by ASIC takes place against a backdrop of increasing focus by the Australian Government on the protection and security of critical infrastructure. A key initiative of Australia’s Cyber Security Strategy 2020 has been to reform Australia’s laws so that the Commonwealth has the appropriate safeguards and powers to protect the essential services that Australians rely on, and to uplift the security and resilience of critical infrastructure. To this end, the Commonwealth recently released a consultation paper on Protecting Critical Infrastructure and Systems of National Significance (see our separate alert on that paper).
The key infrastructure sectors that the Commonwealth is seeking feedback on in relation to this paper include Banking and Finance, Communications, Data and the Cloud, Defence, Education, Research and Innovation, Energy, Food and Grocery, Health, Space, Transport and Water.
What does this mean for your organisation?
These proceedings make it clear that organisations need to take all reasonable steps to ensure that the people, processes and technologies they rely on to protect the security of the information they hold, the continuity of their businesses and the services they provide are adequate and appropriate.
What measures will be reasonable, adequate and appropriate will depend on the organisation in question, but some of the key resources, guidance and frameworks that can help in determining this include:
Footnotes
See ASIC’s media release from 21 August 2020, which provides links to its Concise Statement and Originating Process.
See for example Greg Medcraft (ASIC Chairman), ‘Building resilience: the challenge of cyber risk’ (Australian Chamber of Commerce and Industry business reception event, Melbourne, Australia, 15 December 2016) <https://download.asic.gov.au/media/4120903/speech-medcraft-acci-dec-2016-1.pdf>; ASIC, Cyber resilience of firms in Australia’s financial markets: 2018–19 (Report 651, December 2019) <https://download.asic.gov.au/media/5416529/rep651-published-18-december-2019.pdf>.
See for example ASIC, Cyber resilience: Health check (Report 429, March 2015) 13, 43 <https://download.asic.gov.au/media/3062900/rep429-published-19-march-2015-1.pdf>.
ASIC, Originating Process <https://download.asic.gov.au/media/5760718/20-191mr-originating-process-asic-v-ri-advice.pdf>.
See for example FTC v. Wyndham Worldwide Corp, 799 F.3d 236 (3d Cir. 2015).