Federal Court raises the bar in cybersecurity accountability

The Federal Court’s recent landmark decision in ASIC v RI Advice Group Pty Ltd [2022] FCA 496 raises the bar for companies and directors on the importance of adequate cybersecurity protection after it imposed costly remedial orders on a financial services provider for failing to maintain adequate cybersecurity risk management systems.

Background

After nine cybersecurity incidents that occurred between June 2014 and May 2020 — including hacking, ransomware, phishing emails and the prolonged unauthorised remote server access — the Australian Securities and Investments Commission (ASIC) issued regulatory proceedings against RI Advice Group Pty Ltd (RI Advice) for failing to maintain adequate cybersecurity risk management systems.

Under Chapter 7 of the Corporations Act 2001 (Cth) (Act), RI Advice as the holder of an Australian Financial Services Licence (AFSL) has an obligation to ensure that its authorised representatives have in place proper IT security and risk management systems.

While it was not RI Advice’s own IT systems that led to ASIC issuing regulatory proceedings against it, it was however the IT systems of its authorised representatives, who operated their own independent financial services businesses under the umbrella of RI Advice’s AFSL.

The matter settled after lengthy proceedings in the Federal Court, with RI Advice eventually accepting that it had in fact breached its obligations. Rofe J accepted the parties’ agreed position and ordered that RI Advice:

• engage an IT cybersecurity expert to consult and implement a better system of controls and risk management (which is likely to cost in the millions of dollars); and
• pay ASIC’s legal fees, fixed at $750,000 (as well as RI Advice having to pay its own legal costs).

Importantly, the principles guiding the Court’s decision likely extend to all professional services firms who collect, use and store sensitive client information, not just holders of AFSLs.

The cybersecurity incidents

The specific incidents giving rise to the proceedings included the following:

• an authorised representative’s email account was hacked, with five clients receiving a fraudulent email urging the transfer of funds and one client making transfers totalling some $50,000;
• a third-party website provider engaged by an authorised representative was hacked, resulting in a fake home page being placed on their website;
• a client received an email requesting money from a fraudster posing as an employee of an authorised representative;
• an authorised representative’s main reception computer was subject to ransomware delivered by email, making certain files inaccessible;
• an authorised representative’s server was hacked and resulted in files containing the personal information of some 220 clients being held for ransom and ultimately not recoverable;
• an unknown malicious agent gained unauthorised access to an authorised representative’s server that housed the personal information of several thousand clients;
• an unknown person sent a fraudulent email to an authorised representative’s bookkeeper requesting a bank transfer; and
• an authorised representative’s employee’s email address was hacked and sent phishing emails to over 150 clients.

Admitted breaches

RI Advice admitted that its authorised representatives’ cybersecurity risk management systems were insufficient and deficient in the following respects:

• computer systems which did not have up-to-date antivirus software installed and operating;
• no filtering or quarantining of emails;
• no backup systems in place, or backups not being performed; and
• poor password practices, including sharing of passwords between employees, use of default passwords, passwords and other security details being held in easily accessible places or being known by third parties.

Key take-aways

1. Adequate risk management: Businesses are on notice that costly legal penalties can apply failing to maintain proper cybersecurity risk management systems. Although this decision was specific to the conduct of an AFSL holder, it illustrates the standard of risk management to which professional services firms will be held to in protecting the highly commercially sensitive information of their clients.
2. Responsiveness to cybersecurity risks: An aggravating feature of RI Advice’s conduct as found by the Court was its delay in implementing proper cybersecurity protective measures after identifying security breaches. Once a cybersecurity breach is identified, remedial action must be adopted at the earliest opportunity, otherwise businesses may face harsher legal penalties.
3. Liability for third parties: It was not considered a mitigating factor that the cybersecurity incidents arose as a result of conduct by RI Advice’s authorised representatives, rather than RI Advice’s own conduct. Businesses therefore should diligently ensure that their agents and representatives have in place and observe any appropriate cybersecurity measures and policies.

Conclusion

The Court’s decision, as well as ASIC’s decision to pursue RI Advice, shines a light on the importance of adequate cybersecurity protection, which is especially so for businesses that deal with confidential client or financial information regularly or have some other form of professional obligations.

Comments are closed.