Follow us


For the first time in Australia, the Federal Court has found that a failure to adequately manage cybersecurity risks constitutes a breach of general Australian financial service license (AFSL) obligations.

See Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, the ASIC media release and our earlier article on the claims here.

Key takeaways

The decision demonstrates (and proves) ASIC’s relevance in the cyber regulatory landscape, within an increasingly complex cyber ecosystem. It also confirms that the broad statutory obligation on financial services licensees to act efficiently, honestly and fairly in the provision of financial services applies to the management of cybersecurity risks.

However, the resolution of the case has provided limited guidance on what constitutes best practice, and what is needed to meet the regulatory requirements imposed on financial services licensees. This is in circumstances where there was no contested hearing and the facts agreed by RI Advice Group Pty Ltd (RI Advice) and ASIC did not canvass this in detail.

Overview of decision

The Court made declarations that RI Advice failed to have adequate cybersecurity documentation, controls and cyber resilience in place across its authorised representative network. That amounted to a breach of its obligations under:

  • s912A(1)(a) of the Corporations Act 2001 (Cth) (Corporations Act) to act efficiently and fairly in the provision of financial services in circumstances where those obligations applied to the area of management of cybersecurity risks.
  • s912A(1)(h) of the Corporations Act to have adequate risk management systems.

These issues were ultimately not contested between the parties. The Court’s findings were made on the basis of an agreed statement of facts and admissions. As such, there was limited guidance on what constitutes good practice beyond the finding that RI Advice was operating below that threshold.

However, a number of the comments made by the Court emphasise the importance of entities reviewing the evolving threat landscape and responding in a robust and timely way with appropriate changes to cybersecurity measures. In particular:

  • cybersecurity is an increasing and significant risk, particularly as the provision of financial services continues to become digitised.
  • in assessing potential breaches under s912A(1)(a) and (1)(h), the Court will examine the risks faced by the business, in light of its operations and IT environment. This question will be informed by technical expert evidence given the technical nature of the issue. Rofe J noted that “it is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”

RI Advice has also been ordered to engage a cybersecurity expert to implement any further required measures and pay $750,000 towards ASIC’s costs.

Key contacts

Peter Jones photo

Peter Jones

Partner, Sydney

Peter Jones
Christine Wong photo

Christine Wong

Partner, Sydney

Christine Wong
Cameron Whittfield photo

Cameron Whittfield

Partner, Melbourne

Cameron Whittfield
Tania Gray photo

Tania Gray

Partner, Sydney

Tania Gray
Merryn Quayle photo

Merryn Quayle

Partner, Melbourne

Merryn Quayle
Julian Lincoln photo

Julian Lincoln

Partner, Head of TMT & Digital Australia, Melbourne

Julian Lincoln

Stay in the know

We’ll send you the latest insights and briefings tailored to your needs

Melbourne Brisbane Sydney Perth Cyber Risk Advisory Financial Services Regulatory Commercial Litigation Financial Institutions Asset and Wealth Management Insurance Peter Jones Christine Wong Cameron Whittfield Tania Gray Merryn Quayle Julian Lincoln