For financial services businesses in particular, there are obligations under the Corporations Act 2001 (Cth) (the Act) that require holders of a Financial Services Licence to implement measures to mitigate such risks to an acceptable level for consumers of financial services and products.

In the recent Federal Court case of ASIC v RI Advice Group Pty Ltd [2022] FCA 496, the Court discussed these obligations and aptly described the distinction between cyber-security and cyber-resilience:

• Cybersecurity is the ability of an organisation to protect and defend the use of its cyberspace from attacks; and
• Cyber-resilience is the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber sources.

Case Background

RI Advice carried on a financial services business and was a holder of an Australian Financial Services Licence that permitted Authorised Representatives (AR) to provide financial services on RI Advice’s behalf pursuant to RI Advice’s licence. In the course of providing financial services the AR’s electronically received, stored and accessed confidential and sensitive personal information and documents relating to approximately 60,000 retail clients. The information included:

• personal information - full names, addresses, dates of birth and health information;
• contact information - phone numbers and email addresses; and
• copies of documents such as driver’s licences, passports and other financial information.

Between June 2014 and May 2020, cyber security incidents occurred at multiple AR practices (the Breaches). The Breaches involved:

• Clients receiving fraudulent emails posing as the AR urging clients to transfer of funds;
• Fake home pages being placed on AR’s website;
• AR computers being subject to ransomware making files inaccessible;
• AR servers being hacked through remote access and personal information being held ransom and ultimately not being recoverable;
• Unauthorised access to servers compromising personal information of several thousand clients
• Fraudulent emails sent to a bookkeeper requesting a bank transfer; and
• Phishing emails sent to clients and AR contacts.

Investigations revealed that the main cause of the Breaches resulted from:

• out-dated antivirus software installed and operating on computer systems;
• not filtering or quarantining emails;
• not backing up systems; and
• poor password practices including sharing of passwords

The Court Proceedings against RI Advice

ASIC alleged that RI Advice had breached section 912A of the Act, which provides general obligations that financial services licensees must adhere to. Among other things, they must do all things necessary to ensure that the financial services covered by the licence are provided efficiently, fairly and that adequate risk management systems are in place to mitigate potential threats.

[1] Corporations Act 2001 (Cth) s 912A(1)(a).

[2] Corporations Act 2001 (Cth) s 912A(1)(h).

‍

Prior to the final hearing before the Court, RI Advice admitted that:

• it was required to identify the cyber risks that the ARs faced in the course of providing financial services pursuant to its Licence;
• it was required to have documentation, controls and risk management systems in place that were adequate to manage cyber risks across its AR network;
• whilst it had some documentation, controls and risk management measures in place those measures were not adequate to manage risk in respect of cybersecurity across its AR network; and
• it should have implemented a more robust program to ensure that measures were more quickly in place at each AR Practice.

The Federal Court declared that RI Advice contravened the Act as it:

• failed to do all things necessary to ensure that the financial services covered by the Licence were provided efficiently and fairly by reason of RI Advice’s failures to ensure that adequate cyber security measures were in place and/or adequately implemented in respect of cyber security and cyber resilience across its AR network to manage cyber risks; and
• failed to have adequate risk management systems in place in respect of cyber security and cyber resilience exposing AR’s clients to an unacceptable level of risk.

Declarations sought by regulators serve as a deterrent by warning others of the risk of engaging in similar conduct where the Court records its disapproval of the contravening conduct. This case highlights that the protection of personal information belonging to consumers of financial services is a matter of public interest, and such breaches by financial services licensees or ARs are likely to attract liability for breaches pursuant to the Act.

The Federal Court also ordered RI Advice to:

• engage a cybersecurity expert to identify any further documentation and controls to adequately manage such cyber risks across its AR network at its own cost;
• implement those measures at its own cost;
• provide ASIC with written reports about the implementation; and
• pay $750,000.00 towards ASIC’s legal costs.

This case highlights that a holder of a Financial Services Licence, and their ARs that provide services to consumers of financial services and products, must not only understand their general obligations under the Act but must also implement such measures within a reasonable time-frame.

How can Sharrock Pitman Legal help?

Our lawyers have many years’ experience advising business owners and managers on procedures and protections to safeguard IP, and financial, supply chain, and customer data. Our Litigation team also provides advice and advocacy to businesses which have breached data protection laws or have been impacted by cybersecurity incidents.

Please contact our litigation team by calling 1300 205 506 or email by litigation@sharrockpitman.com.au.

The information contained in this article is intended to be of a general nature only and should not be relied upon as legal advice. Any legal matters should be discussed specifically with one of our lawyers.‍