
Federal Court finds cyber risk management is a critical obligation for financial services firms

By Valeska Bloch, Christopher Kerrigan, James Campbell, Sophie Peach, Victoria Eastwood

This is the first time ASIC has exercised its powers in relation to cybersecurity risk management.

The Federal Court handed down its judgment in proceedings brought by the Australian Securities and Investments Commission (ASIC) against RI Advice Group Pty Ltd (RI Advice) on 5 May 2022 [1], finding that there was a proper basis for making declarations (in a form agreed by ASIC and RI Advice) that, as a result of its failure to manage cybersecurity risks and cyber resilience, RI Advice breached its obligations under sections 912A(1)(a) and (h) of the Corporations Act 2001 (Cth) (Corporations Act). These obligations require RI Advice to do all things necessary to ensure that the financial services covered by the licence were provided efficiently and fairly, and to have adequate risk management systems in place. The court ordered that certain remedial steps be taken by RI Advice, supervised by ASIC.

This is the first time that ASIC has exercised its enforcement powers for a company's failure to have adequate cybersecurity and cyber resilience risk management controls and the first time the Federal Court has specifically considered these issues in the context of section 912A of the Corporations Act. While it had all the hallmarks of a test case to establish expectations in relation to cyber risk management, Rofe J's findings and the orders (which were made by consent) are limited in detail, largely accepting facts agreed between the parties.

'It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level' [2]

Nonetheless, ASIC is following a path well-trodden by its overseas counterparts and we don't expect this to be a one-off (specifically in relation to cyber resilience risk management but also risk management more generally). ASIC's (superseded) Concise Statement and Second Amended Statement of Claim provide further insight into the approach that ASIC is likely to take in pursuing enforcement action in relation to perceived cybersecurity and risk management deficiencies.

Although the specific cause of action (under s912A of the Corporations Act) applies only to Australian Financial Services Licence (AFSL) holders (and in the case of s912A(1)(h), those AFSL holders that are not also regulated by APRA), we expect that other regulators, including APRA and the OAIC, will have regard to the emphasis the court placed on cybersecurity controls as part of an entity's governance and risk framework in their ongoing quest to apply growing pressure to organisations (and boards and senior management) to uplift their information security practices.

For more about how boards and senior management should be approaching cybersecurity risk, download our guide for boards and senior management, 'Don't panic! (Almost) everything you need to know about cyber risks, resilience and responsibilities', and the questions boards should be asking about cyber risks, readiness and resilience.

Key takeaways

Key takeaways from the judgment

  • Cybersecurity risk is a significant risk to the conduct of the business and provision of financial services. [3] The Federal Court's finding reinforces the expectation that organisations will have in place appropriate frameworks, policies, resources and controls to identify and adequately manage evolving cybersecurity and cyber resilience risks. While this case focuses on the particular risks present in the financial services sector, it is now more important than ever that all organisations take steps to improve their cybersecurity posture.
  • Cyber risk assessments should be conducted regularly. The appropriate management of cyber risks will necessarily require organisations to undertake risk assessments to understand the risks faced by the organisation and, where applicable, by third parties acting on its behalf. The judgment emphasises that the risks that arise, and the steps taken to mitigate those risks, necessarily evolve over time. Given this, cyber risk assessments ought to be conducted on a regular basis to ensure the adequacy of the controls that are in place.
  • Appropriate response to cyber incidents is key. The precise facts that RI Advice admitted were a contravention related to taking too long to implement a planned program of improvement to cybersecurity controls following a cybersecurity incident in 2018. The pleadings make clear that identifying root causes and improving processes following incidents will be an area of focus.
  • The court will look to experts to assess the adequacy of cyber risk management controls. 'Cyber risk management is a "highly technical area of expertise". While the standard of "adequacy" is ultimately one for the court to decide, the court's assessment of the adequacy of any particular set of cyber risk management systems will likely be informed by evidence from relevantly qualified experts in the field.' [4] Organisations should similarly ensure that the adequacy of their operational and technical cyber risk management controls is informed by advice from cyber experts.

'Cyber risk management is not an area where the relevant standard is to be assessed by reference to public expectation. Rather, the adequacy of risk management must be informed by people with technical expertise in the area…' [5]

Key takeaways from ASIC's approach

Rofe J's judgment was reasonably limited as the case was settled between the parties on the basis of an agreed statement of facts (SAFA) and admissions, which meant some of ASIC's claims were untested. However, ASIC's original pleadings, including its Second Amended Statement of Claim still provide some insight into the regulator's expectations as to how organisations manage cyber risks.

  • ASIC's cybersecurity expectations extend to all areas of cyber risk management. When it comes to systems and processes in a cybersecurity context, we have seen ASIC scrutinise processes and mechanisms for: undertaking risk assessments; ensuring baseline security protections are in place; identifying and escalating issues internally; auditing and enforcing compliance with systems and processes; developing and implementing appropriate incident response plans and undertaking remediation following incidents; and ensuring cultural awareness as to the fundamental importance of cybersecurity.
  • Incident response. In its Second Amended Statement of Claim, ASIC described a prescriptive list of steps which it considers entities ought to undertake following a cybersecurity incident and what should have been done in response to accumulating incidents. In the absence of further guidance, this is demonstrative of ASIC's cybersecurity compliance views – at least in respect of financial services licensees if not more broadly.
  • Risk assessment and remediation. ASIC expects that organisations will conduct cyber risk assessments and prepare and implement a remediation plan that is tailored to the risks facing the organisation.
  • Whole of organisation frameworks. Large companies should ensure their affiliates have each implemented, and operationalised, cybersecurity controls appropriate for that affiliate. Reliance on generic, group-wide policies may not be sufficient.
  • s912A cause of action. The claims are notable in that they relate only to alleged breaches of s912A of the Corporations Act. We are more used to seeing 912A as a secondary pleading. This may see the increased prominence of section 912A in enforcement activities, reflecting the new role of 912A as a pathway to civil penalties in its own right (whereas previously the consequences for breach of 912A were limited to licence conditions, suspension or revocation).

Where to from here?

'The assessment of "adequate risk management systems", in the context of cyber risk management, requires consideration of the risks faced by a business in respect of its operations and IT environment.' [6]

  • Although ASIC has already published a number of reports emphasising the importance of cyber resilience (see REP 651, REP 555, REP 429), it seems likely that it will produce additional guidance in relation to the adequate management of cybersecurity risks and the steps entities should take to ensure cyber resilience.
  • ASIC has emphasised the importance of having systems in place to manage cybersecurity risks, urging all organisations (not just those within the financial services sector) to follow the guidance of the Australian Cyber Security Centre in light of the evolving threat landscape.
  • The proceedings also highlight that seemingly benign incidents can have regulatory consequences if they are not thoroughly addressed. A significant cybersecurity incident for a financial services industry participant could lead to investigations by ASIC (section 912A and potentially director and officer duties), APRA (compliance with CPS 234, risk management declarations and BEAR), the OAIC and also foreign regulators. There is also the risk of class actions by shareholders or customers. The common thread across all of these regimes is that organisations need to have adequate and appropriate systems and processes in place to manage cyber risk. Senior level (if not board level) accountability is an essential part of this. These principles should also guide organisations' approach to risk management more generally.

The proceedings

The facts

RI Advice holds an AFSL and has authorised a number of individuals and independently owned companies (authorised representatives or ARs) to provide financial services on its behalf.

The incidents

According to the SAFA [7], between June 2014 and May 2020, nine cybersecurity incidents occurred at the practices of RI Advice's ARs, compromising confidential and sensitive client information. These included:

  • ransomware attacks, which resulted in the encryption of certain files, rendering them inaccessible;
  • prolonged (in excess of 3 months) unauthorised remote server access, which resulted in clients' personal information being compromised; and
  • unauthorised access to, and use of, email accounts, which similarly resulted in clients' personal information being compromised and clients transferring funds to fraudulent accounts.

Pre-15 May 2018

Prior to 15 May 2018 (a period not the subject of the claims made by ASIC), RI Advice had undertaken a number of discrete cybersecurity initiatives across its network of ARs, including training sessions, incident reporting and imposing information security, incident notification and privacy requirements in its contracts with ARs. However, ARs continued to suffer cybersecurity incidents similar to those previously suffered, and RI Advice admits in the SAFA that these steps were inadequate to manage risk in respect of cybersecurity across its AR network. [8]

From 15 May 2018

On and from 15 May 2018 (the date RI Advice became aware of a significant cybersecurity incident and the period the subject of the claims made by ASIC), RI Advice took a number of actions to improve its cybersecurity posture, including:

  • engaging a cybersecurity consultant to conduct a forensic investigation into, and report on, specific incidents;
  • engaging independent experts to conduct a review of AR practices. The reports highlighted deficiencies in the cybersecurity controls across the ARs (including, for example, poor password practices and limited or non-existent monitoring tools);
  • working with the independent experts to identify and implement measures to address key risks for ARs. RI Advice admitted in the SAFA that it took too long to implement these measures;
  • reviewing and updating cybersecurity policies for the ARs; and
  • requiring new ARs to have a cyber insurance policy in place.

RI Advice admits that it took too long to implement the measures across its AR practices during this period and that it should have had a more robust implementation of its program in place to ensure the measures were put in place more quickly. [9]

Declaration and orders

These proceedings were settled prior to the final hearing. The court received proposed declarations and orders to be made by consent and a SAFA, in which RI Advice admitted to having contravened sections 912A(1)(a) and (h) of the Corporations Act 'as a result of its failure to have documentation and controls in respect of cybersecurity and cyber resilience in place that were adequate to manage risk in respect of cybersecurity and cyber resilience'.

The court ordered that RI Advice:

  • pay $750,000 towards ASIC's costs of the proceeding;
  • engage (at its own cost) an independent cybersecurity expert to identify what, if any, additional measures RI Advice needs to put in place to adequately manage cybersecurity and cyber resilience risks; and
  • provide written reports to ASIC identifying:
    • any additional measures that are required to be implemented, as well as the agreed timeframe for implementation; and
    • the outcome of the implementation of those measures within 30 days after the completion of the agreed timeframe.

Although ASIC had originally sought that RI Advice pay a pecuniary penalty, this was abandoned as part of the settlement. This may be because s912A(1)(a) was not a civil penalty provision until 13 March 2019 and from that date a civil penalty could only be sought for conduct which occurred wholly on or after 13 March 2019 (and in this case the agreed contraventions occurred, in part, before that date).

The order requiring RI Advice to engage an independent cybersecurity expert was made notwithstanding that it had already engaged that same expert between 2018 and 2021 to assist with the uplift of its practices. This was on the basis that the risks in this space are evolving and there is an ongoing need to assess the systems and processes in place to manage cybersecurity risks and cyber resilience.

The court did not prescribe any particular steps RI Advice ought to take in order to ensure its documents and controls were adequate. Instead, it was made clear that this was a matter for external, independent experts to determine. This reinforces the need for organisations to obtain expert advice.

ASIC's claims

The final orders proposed by the parties and adopted by the court were far more limited than ASIC's initial statement of claim.

In its originating process, ASIC sought declarations that RI Advice had contravened its obligations under ss 912A(1)(a) [10], (b) [11], (c) [12], (d) [13] and (h) [14] of the Corporations Act due to its failure to have, and to have implemented, policies, plans, procedures, strategies, standards, guidelines, frameworks, systems, resources and controls which were reasonably appropriate to adequately manage risk in respect of cybersecurity and cyber resilience.

ASIC also sought a pecuniary penalty under s1317G(1)(a) and compliance orders under s1101B(1)(a). In the SAFA, RI Advice admitted to having contravened its obligations to:

  • do all things necessary to ensure that financial services were provided efficiently, honestly and fairly (912A(1)(a)); and
  • have adequate risk management systems (912A(1)(h)).

While a number of the incidents described in the pleadings occurred from early 2017, the claims relate only to the period from May 2018. From that time, ASIC alleged that RI Advice should have responded to the known incidents and issues.

ASIC's approach

This is the first time ASIC has commenced proceedings for a failure to have adequate cybersecurity systems in place and the Federal Court's decision is likely to establish expectations in relation to cyber preparedness and response – particularly in respect of AFSL holders.

In particular, it is clear from the Second Amended Statement of Claim, that ASIC considers that organisations should:

  • following a cybersecurity incident, review relevant cybersecurity controls (including account lockout policies for failed log-ins, password complexity, multi-factor authentication, port security, log monitoring of cybersecurity events, cyber training and awareness, email filtering, application whitelisting, privilege management and incident response controls) and remediate them in a timely manner;
  • undertake a thorough risk assessment to understand the cyber risks facing their business, identify gaps or deficiencies in current processes and seek technical assurance of those cybersecurity risks existing within the organisation. This reinforces the expectation that in order to properly manage cyber risks, organisations must obtain expert advice;
  • following any risk assessment, develop a remediation plan in order to address any gaps identified as part of the risk assessment. For large organisations, any remediation plan should consider what specific steps need to be taken in relation to particular businesses; and
  • tailor their cybersecurity frameworks for individual businesses. This is a warning that having a polished group-wide framework isn't enough. Specific consideration should be given to the particular requirements of group entities with respect to cybersecurity controls – and these specific controls must be implemented.

Footnotes

  1. Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496.

  2. Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 at [58].

  3. Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 at [58].

  4. Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 at [55].

  5. See Annexure 1 to Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496.

  6. Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 at [58].

  7. Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 at [58].

  8. Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 at [20].

  9. Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 at [24].

  10. To do all things necessary to ensure that financial services were provided efficiently, honestly and fairly.

  11. To comply with the conditions on the licence.

  12. To establish and maintain compliance measures that ensure (so far as reasonably practicable) that it complies with financial services laws.

  13. To have available adequate resources.

  14. To have adequate risk management systems.
