Cybersecurity obligations for AFSL holders

In brief - In the landmark decision of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, the Federal Court has found that inadequate cybersecurity risk management systems and cyber resilience constituted a contravention of Australian Financial Services Licence (AFSL) obligations under sections 912A(1)(a) and (h) of the Corporations Act 2001 (Cth).

• Cybersecurity has more influence than just on your computer network. Poor cybersecurity and cyber resilience practices may fall foul of your AFSL obligations. 

• Cyber risk management is a highly technical area of expertise. The assessment of the adequacy of any particular set of cyber risk management systems requires the technical expertise of a relevantly skilled person. Expert advice should always be sought when in doubt. 

• It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk. Implementing adequate cybersecurity documentation and controls to an acceptable level can reduce risk. This includes training sessions, professional development events, setting up an incident reporting process for cyber attacks, using up-to-date security software, backing up data, implementing a password policy, implementing document management and security policies. 

• Implementation and timing is crucial. Despite having good practices, being too slow in implementing and ensuring adoption could lead to a breach of your AFSL obligations. 

RI Advice appointed an authorised representative (AR) to provide financial services on RI Advice's behalf under its AFSL. 

The AR electronically received, stored and accessed confidential and sensitive personal information and documents in relation to their retail clients. The kinds of personal information included full names, addresses, date of birth, phone numbers, email addresses, copies of documents such as driver's licences, passports and other financial information, and in some instances health information. 

While the collection of such personal information was reasonably necessary to provide financial services (and therefore not in breach of Australian Privacy Principle 3), there were nine cybersecurity incidents between June 2014 and May 2020 of varying concern (which may have been a breach of Australian Privacy Principle 11). 

Cyber attacks on authorised representative included hacking, phishing scams, ransomware attacks and a data breach

The cybersecurity incidents included hacking occurrences to both the AR's computer network and third party computer networks; phishing scams being unknowingly sent from an AR employee email address, two ransomware attacks and a data breach. 

In each of these incidents, personal information was either accessed without authorisation or held ransom. In some instances where business email compromise was concerned, there was also a loss of funds with some fraudulent transfers totalling $50,000. 

RI Advice conducted its own enquiries and determined that there were a variety of issues concerning the AR's management of cybersecurity risk, including: 

• out of date antivirus software; 

• a lack of filtering or quarantining suspicious emails; 

• a lack of backup systems, or backups not being performed; and 

• poor password practices, including sharing of passwords between employees, use of default passwords and other security details being held in easily accessible places or being known by third parties. 

Consequences for AFSL holder

Section 912A of the Corporations Act imposes a wide-ranging obligation on an AFSL holder to do all things necessary to ensure the authorised financial services are provided "efficiently, honestly and fairly". Section 912A(1)(h) requires the licensee to have "adequate risk management systems". 

An AFSL holder is responsible for the conduct of an AR under sections 917B and 917C of the Corporations Act.

ASIC brought proceedings seeking declarations that RI Advice had contravened sections 912A(1)(a) and (h) of the Corporations Act "as a result of its failure to have and to have implemented policies, plans, procedures, strategies, standards, guidelines, frameworks, systems, resources and control which were reasonably appropriate to adequately manage risk in respect of cybersecurity and cyber resilience." 

A pecuniary penalty was ordered, along with compliance orders that RI Advice engage a cybersecurity expert to audit its systems and make recommendations to be implemented. 

RI Advice "took too long to implement and ensure such measures were in place across its AR Practices." His Honour stated (at [90]) "the fact that RI Advice has made various improvements and extensions to its existing cybersecurity risk management systems in the period from 15 May 2018 to 5 August 2021, does not remove the need for an external expert to now assess the adequacy of its cybersecurity risk management systems."

It was, however, agreed that:

• in relation to section 912A(1)(a) there had been no breach of a "social and commercial norm" that would require any particular standard, or any particular system, for cyber risk management;

• a public examination test is not the relevant test for section 912A(1)(a) given the technical field of cybersecurity risk management; and 

• the statutory standard by an AFSL failing to act "efficiently and fairly" does not mean that the contravention entailed a lack of honesty. 

The case illustrates the significance and seriousness of good privacy and cyber hygiene, and the willingness of the regulator to adapt existing regulatory and legislative tools to new problems.

With cybersecurity becoming the focus of discussion and concern for many business and individuals at pro-active stages, it is not impossible that we may witness a new trend in the kinds of proceedings brought by ASIC. 

Further, an APRA regulated entity must comply with Prudential Standard CPS 234 Information Security, a breach of which may lead to APRA initiated regulatory proceedings.