AUSTRALIAN REGULATOR WINS CASE AGAINST FINANCIAL SERVICES LICENSEE FOR INADEQUATE MANAGEMENT OF CYBER RISKS

For the first time in Australia, the Federal Court has found that a failure to adequately manage cybersecurity risks constitutes a breach of general Australian financial service license (AFSL) obligations.

See Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, the ASIC media release and our earlier article on the claims here.

Key takeaways

The decision demonstrates (and proves) ASIC’s relevance in the cyber regulatory landscape, within an increasingly complex cyber ecosystem. It also confirms that the broad statutory obligation on financial services licensees to act efficiently, honestly and fairly in the provision of financial services applies to the management of cybersecurity risks.

However, the resolution of the case has provided limited guidance on what constitutes best practice, and what is needed to meet the regulatory requirements imposed on financial services licensees. This is in circumstances where there was no contested hearing and the facts agreed by RI Advice Group Pty Ltd (RI Advice) and ASIC did not canvass this in detail.

Overview of decision

The Court made declarations that RI Advice failed to have adequate cybersecurity documentation, controls and cyber resilience in place across its authorised representative network. That amounted to a breach of its obligations under:

• s912A(1)(a) of the Corporations Act 2001 (Cth) (Corporations Act) to act efficiently and fairly in the provision of financial services in circumstances where those obligations applied to the area of management of cybersecurity risks.
• s912A(1)(h) of the Corporations Act to have adequate risk management systems.

These issues were ultimately not contested between the parties. The Court’s findings were made on the basis of an agreed statement of facts and admissions. As such, there was limited guidance on what constitutes good practice beyond the finding that RI Advice was operating below that threshold.

However, a number of the comments made by the Court emphasise the importance of entities reviewing the evolving threat landscape and responding in a robust and timely way with appropriate changes to cybersecurity measures. In particular:

• cybersecurity is an increasing and significant risk, particularly as the provision of financial services continues to become digitised.
• in assessing potential breaches under s912A(1)(a) and (1)(h), the Court will examine the risks faced by the business, in light of its operations and IT environment. This question will be informed by technical expert evidence given the technical nature of the issue. Rofe J noted that “it is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”

RI Advice has also been ordered to engage a cybersecurity expert to implement any further required measures and pay $750,000 towards ASIC’s costs.