Cyber risk management: now an essential obligation of the AFSL

The decision in ASIC v RI Advice Group has broad implications for AFSL holders and should prompt many to review their cybersecurity arrangements as soon as possible. The AB Cyber team explains in more detail below.

What does this decision mean for AFS licensees?

Not everyone needs the details, so let’s start with what’s important.

Two key takeaways from the case as we see them:

  1. Every licensee should review their cybersecurity measures. In its original statement of claim, ASIC listed 72 granular cyber requirements that now appear to have been endorsed (a guidance note from ASIC will no doubt follow). At the very least, every licensee needs a documented approach to cybersecurity.

  2. ASIC and the courts will not hesitate to use the general licence provisions (ss 912A(1)(a) and (h)) to impose very specific obligations under the terms of the licence. Licensees should take this into account when thinking about their risk management and other processes at all levels.

ASIC v RI Advice Group

In a landmark decision, the Federal Court found that financial services company RI Advice breached its licensing obligations by failing to implement adequate risk management systems to manage its cybersecurity risks.

Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 is the first time ASIC has exercised its enforcement powers regarding the adequacy of cybersecurity risk management controls.

Background

RI Advice Group Pty Ltd (RI Advice) holds an Australian Financial Services Licence (AFSL) (the Licence), which allows it to appoint authorised representatives (ARs) to provide financial services to retail clients on its behalf in accordance with the Licence. These ARs electronically received, stored and accessed confidential and sensitive personal information and documents relating to their retail clients.

Between June 2014 and May 2020, nine cybersecurity incidents occurred at the offices of RI Advice's ARs. Notably, in May 2017, an AR's server was compromised by a brute-force attack through a remote access port. This resulted in files containing the personal information of approximately 220 clients being held for ransom and ultimately rendered unrecoverable.

Obligations under the Corporations Act 2001

Section 912A does not impose any specific cybersecurity or privacy obligations on AFSL holders, so ASIC sought to rely on two general obligations, namely the obligations to:

  1. do whatever is necessary to ensure that the financial services covered by the license are provided efficiently, honestly and fairly: s 912A(1)(a); and

  2. have adequate risk management systems: s 912A(1)(h).

(emphasis added)

Efficiency requirement under section 912A(1)(a)

In this case, Rofe J states at [46] that cyber risk management is a "highly technical area of expertise" and accordingly that "assessing the adequacy of a particular set of cyber risk management systems requires the technical expertise of a qualified person".

Her Honour clarifies that this should not be judged by the expectations of the general public (at [47]). At [48] it is stated that the public is "entitled to expect a reasonable level of performance from a financial licensee". This expectation must be distinguished from knowledge of the "contents" of cybersecurity risk management (at [49]).

Adequacy requirement under section 912A(1)(h)

At [54], Rofe J comments that 'adequacy' focuses on the risk management systems. In the case of RI Advice, Her Honour notes that this would emphasise the risks to the ARs and the "need for RI Advice to have 'adequate' systems to manage these risks".

The assessment of this adequacy requirement, in the context of cyber risk management, "requires consideration of the risks a business faces in relation to its operations and IT environment" (at [55]). As with the efficiency requirement above, the adequacy requirement would also likely be informed by evidence from qualified experts in the field.

The result

The Court found that RI Advice breached:

  1. Section 912A(1)(a), by failing to do all things necessary to ensure that the financial services covered by its Licence were provided efficiently and fairly, in that it failed to ensure that adequate cybersecurity measures were in place and/or adequately implemented across all of its ARs.

  2. Section 912A(1)(h), by failing to have adequate risk management systems, in that it failed to implement adequate cybersecurity and cyber-resilience measures and exposed its ARs' clients to an unacceptable level of risk.

RI Advice was ordered to pay $750,000 towards ASIC's costs and to engage a cybersecurity expert.

Importance of cybersecurity risk management

Cybersecurity risk is a significant risk associated with the conduct of business and the provision of financial services. Its importance is reinforced by the growing use of, and reliance on, technology in financial services.

Importantly, Rofe J comments at [58] that while "it is not possible to reduce cybersecurity risk to zero ... it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level".

Sarah Court, Deputy Chair of ASIC, further stresses the importance of having adequate cybersecurity systems in place to protect against unauthorised access and encourages following the advice of the Australian Cyber Security Centre.

Looking ahead

Rofe J's judgment was relatively limited in this decision because ASIC and RI Advice had reached a settlement beforehand, meaning some of ASIC's claims remain untested.

However, ASIC's original pleadings, particularly its second amended statement of claim, provide insight into what ASIC expects of financial services entities in managing cyber risk. In summary, this includes a comprehensive and prescriptive list of steps to take following a cybersecurity incident, as well as maintaining an appropriate incident response and remediation plan.

Notably, we can see an increased use of s 912A, which was previously pleaded more as a secondary ground. This landmark decision may signal a new emphasis on section 912A as the primary basis for enforcement action.

Get in touch

AB has deep expertise in cybersecurity and privacy, and provides a suite of services in this area, including online health checks.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.