- Despite a growing focus on cybersecurity and cyber resilience, Australia lacks prescriptive legislative cybersecurity standards.
- Cybersecurity risk falls within the general normative standards under section 912A(1) of the Corporations Act.
- The Federal Court’s decision in ASIC v RI Advice Group Pty Ltd is significant because it provides guidance on the construction of section 912A(1)(a) and (h).
On 5 May 2022, Rofe J delivered judgment in ASIC v RI Advice Group Pty Ltd  FCA 496 (‘RI Advice’). This was the first Australian proceeding to consider whether failure to manage cybersecurity risk and resilience may breach the general obligations of an Australian Financial Services Licence (‘AFSL’) holder under s 912A of the Corporations Act 2001 (Cth) (‘Corporations Act’).
Rofe J described cybersecurity as ‘the ability of an organisation to protect and defend the use of cyberspace from attacks’ and cyber resilience as ‘the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber sources’ (at ). Despite a growing focus on cybersecurity and cyber resilience, Australia currently lacks prescriptive legislative cybersecurity standards. The RI Advice judgment is significant because it provides guidance on how cybersecurity and cyber resilience obligations may arise under general normative, legislative requirements, as well as the construction and application of s 912A(1) more generally.
RI Advice Group Pty Ltd, an AFSL holder, provides financial advice through a network of authorised representatives (‘ARs’). In the course of providing financial advice, the ARs electronically received, stored and accessed confidential and sensitive personal information and documents belonging to clients.
Between 2014 and May 2020, nine cybersecurity incidents occurred across RI Advice’s AR network. During one incident, an unknown actor gained unauthorised access to an AR’s server for a period of several months, including access to the personal information of several thousand clients.
ASIC alleged RI Advice failed to manage cybersecurity risk across its ARs and failed to respond appropriately to the cybersecurity incidents. ASIC also alleged that RI Advice contravened s 912A(1)(a), (b), (c), (d), (h) and (5A) of the Corporations Act as a result of its failure to have and implement (including by its ARs), amongst other things, policies, systems, and controls which were reasonably appropriate to adequately manage risk in respect of cybersecurity and cyber resilience.
Shortly before the trial, the parties agreed to proposed declarations, orders for a compliance program, an order for RI Advice to contribute to ASIC’s costs, and an agreed statement of facts and admissions. RI Advice admitted it contravened ss 912A(1)(a) and (h). Rofe J found that RI Advice had contravened ss 912A(1)(a) and (h) and made the proposed declarations and orders.