In an Australian first, the Federal Court has held that Financial Services Licensees must effectively manage cybersecurity risks to satisfy the Corporations Act.
Australian Financial Services Licensees, and their authorised representatives, are now on notice by ASIC to maintain adequate controls around cybersecurity in order to comply with their obligations under the Corporations Act 2001 (Cth).
Section 912A sets out licensees’ general obligations
In ASIC v RI Advice Group Pty Ltd  FCA 496, the licensee agreed that it had breached s 912A(1)(a) and (h) which require that licensees must ensure that the financial services covered by the licence are provided efficiently, honestly and fairly, and have adequate risk management systems.
The judgment of Rofe J in the Federal Court of Australia is a timely reminder that licensees must have systems, policies and measures to enforce and bolster their cybersecurity risk management to protect clients’ information and funds.
Between 2014 and 2020, RI Advice Group’s risk management practices allowed some of its authorised representatives to operate with inadequate cybersecurity measures, including failing to keep antivirus software up to date and failing to maintain system backups, email quarantine and sound password practices.
Several of its clients were affected by cybersecurity incidents. One incident enabled a hacker to access an authorised representative’s server for several months to collect private information about thousands of clients. Not all the funds fraudulently transferred were recovered.
Rofe J ordered that RI Advice take remedial steps including (with ASIC’s supervision) engaging a cybersecurity expert to identify and implement further measures to manage cybersecurity risks, and to pay $750,000 of ASIC’s costs. The orders serve as a deterrent to other licensees from falling short on their cybersecurity obligations.
This is a landmark judgment. It marks the first time that ASIC has used its enforcement powers around cybersecurity risk controls and the Federal Court’s first consideration of the topic through the lens of s 912A.
ASIC has since instituted proceedings against Lanterne Fund Services Pty Ltd for breaching its general obligations under the Corporations Act by allegedly failing to have adequate risk management systems to oversee its representatives operating under its licence.
Risk management and cybersecurity
The implications of the RI Advice judgment apply to all organisations, not just those in the financial services sector. The principles of cybersecurity and risk management apply to all organisations, including companies, not-for-profits and public sector agencies. Organisations must embed risk management procedures and policies within their structures, not simply adopt them as add-ons. Any such measures must be tailored to the type of business the organisation conducts, its size and its operating environment.
This is not only to protect the data, intellectual property and operations of the organisation itself but to guard the information of its clients, representatives and suppliers.
Large companies are also prone to cybersecurity threats. It’s a salutary lesson to remember that RI Advice was a wholly owned subsidiary of the Australia and New Zealand Banking Group Ltd until 2018, when it was sold to IOOF Holdings Ltd (now known as Insignia Financial).
RI Advice admitted that it was required to identify and manage risks, including cybersecurity and resilience, and have controls in place to manage them. This means ensuring that its representatives also had cybersecurity measures in place and maintained them regularly. RI was aware of the risks but took too long to implement improvements and demand updates from representatives.
The incidents that led to the case took place between 2014 and 2020. Cybersecurity threats have grown even more in the time since. Everyone is aware of the exponential growth in attempted scams that have been transmitted via phone calls, texts and emails since the start of the pandemic. But threats are also evolving and becoming more sophisticated.
Organisations and their governing bodies must ensure their cybersecurity risk management structures are effective. This means not only having a skilled and well-resourced team in place, but also ensuring that cybersecurity risk management systems are embedded at board level and across the organisation.
The Thomson Reuters July 2022 update of Robson’s Annotated Corporations Legislation in the Corporations Law Practice Area features revisions by Grant Holley of Holley Nethercote Lawyers to Parts 7.6 (including s 912A) and 7.8 of the Corporations Act.