“Getting away with it” not enough as ASIC’s first cybersecurity lawsuit focuses on systems, not outcomes.

Since at least 2015, ASIC has been warning Australian directors they are responsible for building and maintaining cyber resilience. ASIC has made it clear the goal is preparation, not perfection.

In 2020, 5 years after the release of the watershed ASIC Report 429, ASIC finally commenced its first ever proceedings for failure to have adequate cybersecurity systems. The action is against a subsidiary of ASX-listed IOOF Holdings Limited, RI Advice Group Pty Ltd (RI) (an Australian Financial Services Licence (AFSL) holder). The matter was recently listed for trial commencing 4 April 2022.

ASIC v RI Advice Group Pty Ltd

Facts

A number of RI’s authorized representatives (ARs) experienced cybersecurity incidents between December 2016 and April 2020 including:

  • a ransomware attack encrypting company files and making them inaccessible;
  • a brute force attack through a remote access port impacting 226 client groups;
  • a malicious agent gaining unauthorised remote access through an employee’s account to a file server containing sensitive client information including identification documents and spending more than 155 hours on the server;
  • unauthorised access to an AR’s email account via a Trojan (a form of malicious software) installed on the computer and using it to request a bookkeeper to transfer funds to a Turkish bank account;
  • an unauthorised party compromising an AR staff member’s mailbox account; and
  • a phishing attack resulting in unauthorised use of an AR’s email account, accessing over 10,000 emails.

RI also failed to follow up on several reports on its cybersecurity systems which identified significant gaps and recommended RI review all of its ARs’ cybersecurity systems.

ASIC’s claim

ASIC alleges RI failed to have and implement (including by its ARs) policies, systems and resources to adequately manage its risks in relation to cybersecurity and cyber resilience. ASIC further alleges those failures amounted to breaches of RI’s obligations as an AFSL holder under the Corporations Act, which include:

  • doing all things necessary to ensure the financial services covered by its licence are provided efficiently, honestly and fairly;
  • establishing and maintaining compliance measures that ensure it complies with financial services law;
  • complying with financial services law;
  • having adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence and to carry out supervisory arrangements; and
  • having adequate risk management systems.

ASIC is seeking:

  • declarations that RI is in breach of the Corporations Act (specifically sections 912A(1)(a), (b), (c), (d) and (h) and (5A));
  • pecuniary penalties; and
  • compliance orders to ensure RI implements appropriate measures in relation to cybersecurity and cyber resilience.

IOOF’s response

In response to this, IOOF released an ASX announcement stating ‘the allegations by ASIC are very general’, ‘appear to relate to a small number of cyberattacks of a nature not uncommonly faced by Australian businesses’ and ‘in most instances, no client data would appear to have been compromised’.

It appears IOOF may be missing the point. ASIC seems less concerned with the outcomes of the cyber incidents and more concerned with the defendant’s level of preparedness.

What about directors’ duties?

It’s not surprising ASIC has chosen an AFSL holder as its first target – theoretically it should be easier to win a case against an AFSL holder, given they are subject to stricter regulatory obligations than non-AFSL holders. For that reason, it probably didn’t feel the need to take action against the directors for breaching their directors’ duties. However, it will be interesting to see whether directors’ duties are given any attention in the case, given their more general application across the economy.

What does this mean for you?

This case finally shows ASIC putting its money where its mouth is and taking enforcement action in relation to cybersecurity compliance. It will be interesting to see what comes of the case, but it is likely to clarify the expectation for AFSL holders (and possibly businesses more broadly, including non-AFSL holders) to:

  • develop a cybersecurity framework comprising of mandated rules and processes to help their organisations reduce cybersecurity risk to an acceptable level;
  • undertake business-wide cybersecurity and cyber resilience risk assessments to test the effectiveness of their cybersecurity frameworks; and
  • develop and implement cybersecurity remediation plans to review and remediate any gaps or deficiencies in their cybersecurity frameworks.

Possible consequences include fines, penalties, compliance orders and licence suspensions and cancellations.

Final thought

With the rush to remote working due to COVID-19, has your organisation updated its cybersecurity processes? Remote working creates huge security risks as people come up with all kinds of workarounds to make life easier at home. This is a timely reminder that cyber resilience is an ongoing journey, not a set and forget.

Liability limited by a scheme approved under Professional Standards Legislation.
© ADDISONS. No part of this document may in any form or by any means be reproduced, stored in a retrieval system or transmitted without prior written consent. This document is for general information only and cannot be relied upon as legal advice.