Managing cybersecurity risk – precedent ASIC enforcement action provides key learnings
A recent Federal Court decision has confirmed that a failure by an AFS licensee to have in place controls or measures to manage cybersecurity risk across its network of financial advisers can amount to breaches by the AFS licensee of certain general obligations contained in section 912A of the Corporations Act 2001 (Cth). The decision carries lessons in managing cybersecurity risk for all organisations generally, particularly those that utilise third parties or intermediaries.
In an Australian first, the Federal Court declared that an AFS licensee, by failing to implement adequate cybersecurity systems across its independently operated network of financial advisers, breached its general obligations under sections 912A(1)(a) and (h) of the Corporations Act 2001 (Cth). Those obligations provide that an AFS licensee must do all things necessary to ensure that the financial services covered by its licence are provided efficiently, honestly and fairly and also maintain adequate risk management systems.
The proceeding related to nine cybersecurity incidents which occurred at the premises of independently owned authorised representatives of RI Advice between June 2014 and May 2020. In these incidents, cyber criminals accessed confidential and sensitive information on clients, and hacked RI Advice’s authorised representatives’ email accounts to send out fraudulent emails to clients requesting them to transfer funds.
ASIC had initially alleged that the AFS licensee failed to comply with its general obligations in sections 912A(1)(a), (b), (c), (d) and (h). However, as part of a settlement reached with ASIC, RI Advice admitted to breaches of sections 912A(1)(a) and (h) only. As part of the settlement, RI Advice agreed to engage a cybersecurity firm to advise the company on how it can better manage cybersecurity risks, implement their recommendations within 90 days and provide ASIC with reports on the recommendations made to it and their progress in implementing those recommendations. No pecuniary penalty was ordered in this instance.
Key learnings for managing cybersecurity risks
The case – the first time that ASIC has taken enforcement action in respect of cybersecurity breaches – provides a number of learnings for organisations in managing their own cybersecurity risks.
1. Sound risk management today includes adequate management of cyber risks: The Court's reasons highlight the importance of AFS licensees (and equally, all organisations) materially reducing cybersecurity risk through adequate documentation and controls, and clarify that the general obligations on AFS licensees under the Corporations Act also apply to the management of cybersecurity risks.
2. Extension of responsibility for advice licensees: The Court's findings of contraventions were made in circumstances where the cybersecurity incidents occurred at the premises of independent financial advisers. This means that advice licensees will need to carefully consider what policies, controls and systems should be applied to and imposed on financial advisers and financial planning businesses in their network as part of their supervision and monitoring, to ensure compliance with the general obligations in section 912A with respect to cybersecurity risks. For instance, there would be an expectation that financial advisers are provided with training, are required under their arrangements to comply with particular standards for the management of electronic information, and are required to notify the licensee of particular cybersecurity incidents. In addition, advice licensees need to consider whether adequate steps are being taken to monitor and audit compliance with the requirements imposed on financial advisers.
3. What does an adequate cyber risk management system look like? The Court's reasons recognise that it is not possible to reduce cybersecurity risk to zero, but that it is possible to materially reduce cybersecurity risk through adequate documentation and controls. Section 912A(1)(h) in particular requires AFS licensees to have "adequate risk management systems", which in the context of cybersecurity requires consideration of the risks faced by a business in respect of its operations and IT environment. Further, the adequacy of any cybersecurity risk management system should be informed by the views of a qualified expert. Examples of practices that would fall short of the requirement to have adequate cybersecurity risk management systems include:
- using computer systems without up-to-date antivirus software installed or operating;
- not filtering or quarantining emails;
- not maintaining a backup system or performing backups; and
- maintaining poor password practices, including sharing passwords between employees, using default passwords, and storing passwords in easily accessible places or places known to third parties.
4. ASIC's expectations: ASIC has made it clear that it will take enforcement action when an AFS licensee does not meet its obligations to adequately manage cybersecurity risk. While ASIC's Chair has made clear that ASIC will not prescribe technical standards or provide expert guidance on operational aspects of cybersecurity, in March 2021 it published guidance on good practices it had observed in organisations as to cybersecurity strategy. More recently, ASIC has stated that all ASIC-regulated entities should adopt an enhanced cybersecurity posture, which includes ensuring that there are measures in place to detect, mitigate and respond to cyber incidents.
ASIC's statement of claim in its case against RI Advice also provides some guidance on its expectations, including that AFS licensees should (among other things):
- following a cybersecurity incident, identify the root cause and review and assess the relevant cybersecurity controls to identify any gaps and develop a remediation plan in a timely manner; and
- undertake a comprehensive risk assessment to understand the cyber risks facing their business, identify gaps or deficiencies in current processes, and seek technical assurance in respect of the cybersecurity risks existing within the organisation (this is in line with the Court's finding that what is adequate in the cyber context will depend on an expert's view of adequacy).
Following the Federal Court's recent decision in RI Advice, ASIC has also published a statement making its expectations of AFS licensees clear.
Key learnings from ASIC's enforcement approach
As mentioned above, this is the first time that ASIC has taken enforcement action in respect of cybersecurity breaches. The case draws out some key aspects about ASIC's enforcement approach.
1. Section 912A as the primary cause of action: Causes of action under section 912A have in the past been utilised by ASIC as either a secondary or accompanying cause of action. ASIC's case against RI Advice is one of the few cases that relies solely on a cause of action under section 912A, perhaps signalling ASIC's willingness to pursue contraventions of the broad standards prescribed in section 912A moving forward. Civil penalties are applicable to contraventions of section 912A for all conduct on or after 13 March 2019.
2. Importing community expectations into the efficiently, honestly and fairly obligation: The broad standard set by the "efficiently, honestly and fairly" obligation continues to raise the question of whether, and to what extent, notions of community expectations (e.g. "social and commercial norms" or "public expectations") form part of the test for meeting that standard. The Court made clear that the standard against which conduct will be assessed under section 912A is the reasonable standard of performance that the public is entitled to expect of an AFS licensee. For example, in a technical area such as cybersecurity risk management, conduct is to be assessed by reference to the standard of a reasonable person qualified in that area (i.e. an expert in cybersecurity risk) – that is what the public is entitled to expect.
3. Use of compliance orders: Although a pecuniary penalty was not ordered in this instance (the settlement with ASIC only required RI Advice to pay ASIC's costs), the Court did exercise its broad discretionary power under s1101B(1)(a) to order the appointment of an external cybersecurity expert to identify any further documentation and controls necessary for adequate management of risk, implement those recommendations and report to ASIC.
What should you do to ensure sound management of cyber risks?
Organisations could face reputational, financial and regulatory consequences for failing to have in place an adequate cyber risk management system, including one that takes into account the arrangements in place for authorised representatives. It is incumbent on organisations to:
- be aware of the potential consumer harms that arise from poor cybersecurity;
- regularly conduct professional audits of their existing detection, mitigation and response practices and protocols to ensure they adequately support the size and complexity of their business, and sensitivity of the information they hold;
- consider how those practices and protocols will apply to third parties or intermediaries engaged by the organisation and how those third parties or intermediaries will be monitored or audited to ensure compliance;
- develop and implement a plan to improve cybersecurity, starting by adopting ASIC’s Cyber Resilience Good Practices and recommendations from the Australian Cyber Security Centre; and
- have a documented plan to respond quickly to a cybersecurity incident, including protocols for notifying relevant authorities, in particular the Australian Cyber Security Centre.