Lawthentic Loop

Stay updated, stay in the loop

Cyber security risk management essential – Landmark decision in ASIC v RI Advice

Author: Katie Akpinar, Principal Lawyer

18 May 2022

It is not possible to reduce cyber security risk to zero, but it is possible to materially reduce cyber security risk through adequate cyber security documentation and controls to an acceptable level.

In an Australian first, the Australian Securities and Investments Commission (ASIC) brought proceedings against RI Advice Group Pty Ltd (RI Advice) alleging that the Australian Financial Services licensee failed to implement adequate measures to manage risk in respect of cyber security and cyber resilience.

The Federal Court handed down its landmark decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (ASIC v RI Advice) on 5 May 2022, confirming that management of cyber security risk and cyber resilience is essential.

RI Advice contravened the Corporations Act by failing to have adequate cyber security risk management in place

By failing to do all things necessary to ensure that the financial services covered by the Australian Financial Services Licence were provided efficiently and fairly, and by failing to have adequate risk management systems, the Court found that RI Advice breached its obligations under sections 912A(1)(a) and (h) of the Corporations Act 2001 (Cth).

The Court’s decision comes after nine cyber incidents occurred between June 2014 and May 2020 at the practices of RI Advice’s network of authorised representatives (AR Network). These cyber security incidents ranged from fraudulently sent emails, hacking attacks, phishing incidents and ransomware attacks to unauthorised server access over several months by an unknown malicious agent, which compromised the confidential and sensitive personal information of several thousand clients.

ASIC urges all entities to follow the advice of the Australian Cyber Security Centre

In the ASIC Media Release on 5 May 2022, ASIC Deputy Chair, Sarah Court said:

These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information. It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.

The proceedings are an indication ASIC is taking cyber breaches seriously. Ms Court further stated:

ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment.

Cyber security risk management systems and measures are critical

The Court’s decision in ASIC v RI Advice highlights that in today’s digital landscape, putting the right systems and measures in place for cyber security risk management is more critical than ever before. Justice Rofe made it clear in her decision that cyber security should be at the forefront, stating:

Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.

What did the court order in ASIC v RI Advice?

Ultimately, the Court made the following orders by consent:

  • Although RI Advice undertook numerous cyber security initiatives across its AR Network to address cyber security risk, these were insufficient and took too long to implement. The Court ordered RI Advice, at its own cost, to engage a cyber security expert to identify what, if any, further measures RI Advice needs to implement to adequately manage cyber security and cyber resilience risks and, if required, to implement those further measures.
  • Additionally, the Court ordered RI Advice to provide ASIC with written reports in respect of the further measures and their implementation.
  • The Court also ordered RI Advice to pay $750,000 towards ASIC’s costs of the proceedings.

Cyber security has implications for Australian company directors

It is also a timely reminder that ASIC considers cyber security to be within the ambit of directors’ duties. ASIC confirmed this in 2015 and identified cyber security and resilience as high-risk areas for enterprise, warning it would be the subject of future review: Report 429 Cyber Resilience: Health Check 2015. You can read more about duties of Australian company directors in respect of digital security, privacy and data protection in our article Cyber security, privacy and data protection – implications for directors’ duties you need to know.

The key takeaway

It is essential that all Australian corporates, not just financial services organisations, review their cyber security measures regularly and follow the ACSC’s advice in putting the right measures in place to manage cyber security risk and cyber resilience.

For more information or if you have any questions, get in touch with the Lawthentic team.

About Lawthentic | Commercial Lawyers

Based in Sydney, Lawthentic provides high-level, specialist, commercial and corporate legal advice to business Australia-wide and across APAC. We deliver progressive end-to-end commercial law services that address the full spectrum of legal issues a business may encounter, driving “Real Progress for Enterprise”. Our legal services cover all areas of Commercial law, Corporate law, Intellectual Property law, Data and Technology law, Regulatory Compliance, and Dispute Resolution. We work with medium to large corporate businesses looking for friendlier and more cost-efficient legal services without compromising on expertise. We provide in-house, face-to-face, or remote support from our offices in Sydney.

About the Author

Katie Akpinar, Principal Lawyer

Katie is a Principal Lawyer and Founder at Lawthentic. She is an accomplished commercial and corporate lawyer with considerable experience working with organisations in Australia and across the Asia Pacific region. Katie has a simple philosophy: to consistently apply a commercial approach in delivering practical, considered, and specialist legal guidance. Combining her top-tier law firm experience with corporate acumen and a wealth of industry insight, she provides strategic solutions, whilst playing a meaningful role in her clients’ mission and purpose, helping business to do business.
