The importance of, and now the legal expectation that, businesses maintain cyber security standards that reasonably protect end clients has been shown by a new Federal Court case, Australian Securities and Investments Commission v RI Advice Group Pty Ltd (5 May 2022).
ASIC took regulatory enforcement action against a financial planning business, which had a series of incidents over a number of years among its network of independently owned financial planner authorised representatives.
ASIC took action in respect of 9 identified cyber security incidents, which included email accounts being hacked, resulting in the authorised representatives sending fraudulent and phishing emails to clients; malicious actors gaining access to computers holding clients’ personal information; and ransomware attacks.
The breaches arose because of:
- Computers without up-to-date antivirus software installed or operating
- No backup systems in place, or backups not being performed
- No filtering or quarantining of emails
- Poor password practices, including sharing of passwords, use of default passwords, or passwords being known
RI Advice Group admitted that it did not have documentation, controls and risk management systems that were adequate to manage cybersecurity risks. With the conduct admitted, and a cyber resilience plan in place to address the problems going forward, the judgment was about the standard of cyber security measures required in the context of determining the appropriate penalty and court orders.
Specifically, the case is about the holder of an Australian Financial Services Licence (AFSL) failing to comply with two particular provisions of the Corporations Act, which require an AFSL holder to:
- ensure that services are provided “efficiently, honestly and fairly”; and
- have adequate risk management systems.
Notably, these provisions do not expressly mention cyber risk. The conduct has instead been caught by provisions of a general nature that require services to be provided in accordance with a generally competent standard.
For cyber security and building cyber resilience, the Court determined that the relevant standard of cyber security that an AFSL holder must employ is to be informed, not by general public expectation, but by people with technical expertise in the area. This effectively increases the role of cyber security advisers in assisting businesses to comply with their obligations.
It is on that basis that this case has broader application. In that regard, this case shows the basic standard of cyber security that is going to be (or perhaps already is) applicable to other professions and businesses. If there are any other professions which have a duty, for example on a statutory basis, to provide “efficient, honest and fair” service (or some similarly worded obligation of general competence towards their clients), then the same cyber security expectations are likely to be imposed on them.
The case was not a negligence case, but it seems likely that the cyber security failures in this case would also have been found to breach the standard of care owed to the clients whose data and personal information was exposed or compromised, on the basis that it was foreseeable that a failure to maintain cyber security hygiene could result in a breach and client data being exposed.
The cyber incidents in this case affected end clients’ personal information and confidentiality, but cyber security and vigilance are also vital to protect a business’s intellectual property. All businesses need to take heed of this judgment and revisit their cyber security protections and procedures.