Case note: Order for AFS licensee to engage cybersecurity expert to review its network

In Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 the Federal Court of Australia ordered Australian Financial Services Licensee RI Advice Group Pty Ltd to engage a cybersecurity expert to identify what, if any, further documentation and controls in respect of cybersecurity and cyber resilience are necessary for RI Advice to implement to adequately manage risk in respect of cybersecurity and cyber resilience across its Authorised Representative network.

RI Advice was also ordered to pay a contribution to ASIC’s costs of the proceeding, fixed in the amount of $750,000.

UPDATE: ASIC’s cybersecurity expectations of AFS Licensees.

Background

The orders followed the Court’s declaration that RI Advice contravened its obligations as a financial services licensee in sections 912A(1)(a) and (h) of the Corporations Act from 15 May 2018 to 5 August 2021 as a result of its failure to have documentation and controls in respect of cybersecurity and cyber resilience in place that were adequate to manage risk in respect of cybersecurity and cyber resilience across its AR network, and as a result of this conduct, it:

(a) failed to do all things necessary to ensure the financial services covered by the Licence were provided efficiently and fairly, in contravention of s 912A(1)(a) of the Corporations Act; and
(b) failed to have adequate risk management systems, in contravention of s 912A(1)(h) of the Corporations Act.

In the course of providing financial services pursuant to RI Advice’s Licence, the Authorised Representatives electronically received, stored and accessed confidential and sensitive personal information and documents in relation to their retail clients.

Between June 2014 and May 2020, nine cybersecurity incidents occurred at practices of RI Advice’s Authorised Representatives.

The incidents resulted in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons.

Until 30 September 2018, RI Advice was a wholly-owned subsidiary of Australia and New Zealand Banking Group Limited (ANZ). From 1 October 2018 RI Advice became part of the IOOF Holdings Limited (IOOF) group of companies.

Most of the historic issues were addressed by the significant improvements made by RI Advice to its existing cybersecurity risk management systems (after its acquisition by IOOF in October 2018).

RI Advice admitted that, whilst the measures it assessed and developed across the period of 15 May 2018 to 5 August 2021 in order to improve cybersecurity and cyber resilience for the ARs were designed to meet RI Advice’s understanding of its obligations, it took too long to implement and ensure such measures were in place across its AR Practices.

Justice Rofe observed:

“Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”

Author: David Jacobson
Principal, Bright Corporate Law