Avoiding a regulatory w-hack in the face of a cyber hack – what AFSL holders need to know

Holders of Australian Financial Services Licences (‘AFSL’) have keenly awaited edification on the ‘minimum’ standards when it comes to cybersecurity risk management systems. This was expected to be pronounced in ASIC’s first ‘test’ case in enforcement proceedings brought against RI Advice Group Pty Ltd, a wholly owned subsidiary of ANZ Banking Group, for alleged cybersecurity failures – the contentions were detailed in over 250 pages of ASIC’s pleadings (Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496).

But on the eve of the trial, the parties negotiated a settlement that resulted in declarations and orders being made by consent. Nonetheless, the orders – and the decision to take enforcement action itself – provide important insight relating to AFSLs’ cybersecurity obligations and the regulatory impact of breaching such obligations.

Background

ASIC brought proceedings against RI Advice, the holder of an AFSL, alleging that it had inadequate cybersecurity risk management for itself and for each of its independently owned authorised representatives (‘Authorised Representatives’). ASIC’s cause of action involved section 912A of the Corporations Act 2001 (Cth) (‘the Corporations Act’) which is a civil penalty provision. It sets out the ‘general obligations’ of a financial services licensee, including doing ‘all things necessary’ to ensure that its services are provided ‘efficiently, honestly and fairly’ (s 912A(1)(a)) and having ‘adequate risk management systems’ (s 912A(1)(h)).

Cyber-attacks and cyber security

Cyber-attacks are attacks directed at computers and computer systems.

Cybersecurity is the ability of an organisation to protect and defend the use of cyberspace from attacks. Relatedly, cyber resilience is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber sources.

Risks relating to cybersecurity and the controls that can be deployed to address such risks evolve over time. As financial services are increasingly conducted using digital and computer technology, cybersecurity risk has also increased. Cybersecurity risk forms a significant risk connected with the conduct of the business and the provision of financial services.

Facts

Client information

In the course of providing financial services, the Authorised Representatives received and stored electronic records containing confidential and sensitive personal information and documents in relation to its retail clients. Since May 2018, services had been provided to at least 60,000 retail clients by the Authorised Representatives.

Cyber attacks

Between June 2014 and May 2020, nine significant cyber security incidents occurred in the businesses of the Authorised Representatives. The incidents involved hacking of email accounts, servers and websites relating to the business of the Authorised Representatives. The cyber-attacks resulted in unauthorised access to clients’ personal information.

Reports

Following the cybersecurity incidents, inquiries and reports made on behalf of RI Advice revealed deficiencies in the cyber risk management framework of some of the Authorised Representatives. These included, for example, outdated antivirus software, inadequate email quarantining, inadequate backups and poor password practices.

Remediation efforts

Following notification of the cyber-attacks, RI Advice took remedial action to enhance its cybersecurity measures. This included engaging cybersecurity experts to investigate the incidents, providing training and development, and implementing measures and policies for enhanced cybersecurity.

Despite taking remedial efforts in response to the cyber-attacks, RI Advice admitted that it had taken too long to implement some of the remedial measures and ensure robust implementation. RI Advice also admitted that prior to May 2018, it did not have adequate systems to manage the risk of cyber-attacks.