On 5 May 2022, the Federal Court handed down its judgment in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496. This is the first time ASIC has ever exercised its enforcement powers for failure to have adequate cybersecurity and cyber resilience systems.
Settlement
This matter was settled between ASIC and RI prior to the commencement of the final Federal Court hearing. Justice Rofe received proposed declarations and orders to be made by consent and an agreed statement of facts, in which RI admits to having breached sections 912A(1)(a) and (h) of the Corporations Act.
Judgment
Pursuant to the settlement, Justice Rofe made the following declarations and orders:
- Declaration of contravention: that as a result of its failures to have documentation and controls in place to adequately manage cyber risk across its authorised representative (AR) network, RI breached sections 912A(1)(a) (failure to do all things necessary to ensure the financial services covered by its licence were provided efficiently and fairly1) and 912A(1)(h) (failure to have adequate risk management systems) of the Corporations Act.
- Order (cybersecurity expert): that RI must engage a cybersecurity expert to identify and implement any further measures necessary to adequately manage cybersecurity risks across RI’s AR network.
- Order (costs): that RI pay $750,000 towards ASIC’s costs.
Interestingly, although ASIC had initially sought that RI pay a pecuniary penalty, neither the settlement nor the judgment imposes one against RI.
Takeaways
- The general obligations of an AFSL-holder under section 912A of the Corporations Act apply to management of cyber risks.
“As a public regulator, it is in the interests of ASIC to seek the declarations concerning the application of s 912A(1), particularly in circumstances such as the present case, where the declarations may clarify to licensees that the relevant provisions of the Act also apply to the area of the management of risks in respect of cybersecurity.”
- A failure to adequately manage cyber risks constitutes a breach of AFSL obligations. Justice Rofe emphasised the importance of cybersecurity for AFSL holders:
“Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”2
- Whether there are “adequate” risk management systems in place in the context of cyber risk management is ultimately a question for the court, considering the risks faced by a business in respect of its operations and IT environment and informed by technical expert evidence.
Final thoughts
- Assuming ASIC considers this a “win”, will this outcome encourage ASIC to undertake a program of similar litigation? Time will tell, but it seems quite likely. Given ASIC ‘strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience’3, it also seems likely that ASIC’s focus will expand to non-AFSL holders.
- We’re still left wondering whether ASIC will also focus on enforcement action against individual directors for breaching their directors’ duties in relation to cyber risks. We think this is likely, particularly with ASIC’s Chair Joe Longo recently confirming that “Boards play a key role in recognising and managing risk, including cyber risk. They should consider where they have an obligation to report breaches to ASIC, and where it may be appropriate to make disclosure to the market as either continuous disclosure or in financial reports.”4
What should you do?
Regardless of whether you are an AFSL holder or not, you should ensure your organisation:
- has policies, procedures, frameworks, systems, resources and controls in place which are reasonably appropriate to adequately manage risk in respect of cybersecurity and cyber resilience;
- regularly undertakes cybersecurity and cyber resilience risk assessments given ‘risks relating to cybersecurity and the controls that can be deployed to address such risks evolve over time’5; and
- if a cybersecurity incident occurs, is able to quickly, appropriately and adequately respond to the incident.
1 Although the statutory general obligations under section 912A(1)(a) cover providing financial services “efficiently, honestly and fairly”, it was never contested and ASIC never alleged that RI failed to act “honestly” with respect to cyber risk and security and resilience measures for its AR practices.
2 Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, [58]
3 https://asic.gov.au/about-asic/news-centre/find-a-media-release/2022-releases/22-104mr-court-finds-ri-advice-failed-to-adequately-manage-cybersecurity-risks/
4 https://asic.gov.au/about-asic/news-centre/speeches/asic-s-corporate-governance-priorities-and-the-year-ahead/
5 Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, [58]