Legal development

ASIC hints at benchmark standards for cyber security


    What you need to know

    • Financial services and credit licensees may face regulatory action if they fail to have adequate cyber security systems and procedures in place.

    • ASIC's test case against RI Advice Group Pty Ltd provides some insight into what the regulator considers to be minimum benchmarks for cyber security for financial services licensees.

    What you need to do

    • Ensure cyber security systems are tested against minimum requirements and prevailing industry best practice standards.
    • Continuously maintain and regularly monitor cyber security systems so that any reportable situation under the new breach reporting regime is identified promptly.


    There is an overwhelming consensus that cyber security risks are, and will continue to be, one of the most dynamic and difficult issues facing companies today. The Australian Cyber Security Centre's 2020-21 Annual Threat Report recorded a 13% increase in cybercrime reports from the previous financial year. 

    As companies scramble to protect their operations from cyber-attack, the Australian Securities and Investments Commission (ASIC) has confirmed that cyber security is one of its key regulatory priorities for 2021-2022.

    In a recent address, ASIC's Deputy Chair posed the question: "How well are you prepared for the real and growing threats posed by operational risks – particularly cyber?"[2]

    ASIC's pleadings in its action against RI Advice Group Pty Limited (RI) provide some insight into what the regulator considers to be the minimum benchmark for cyber security needed to comply with the obligations in section 912A of the Corporations Act and the corresponding obligations under section 47 of the National Consumer Credit Protection Act 2009 (Cth) for credit licensees.

    ASIC promises that this 'decisive, deterrence-based enforcement action' against RI will not be its last. The regulator has vowed to 'ensure regulatory incentives for cyber resilience remain in open play'.

    Financial services and credit licensees are likely to be at the centre of ASIC's focus on minimum cyber security requirements: they hold large volumes of confidential and sensitive client information, and as that information is increasingly digitised it becomes correspondingly exposed to cyber-attack.

    ASIC's test case against RI Advice Group 

    In August 2020, ASIC commenced proceedings against RI for failing to have adequate cyber security systems and processes to appropriately manage cyber security risk. RI sought to have parts of ASIC's case struck out but the Federal Court, handing down its judgment in October this year, dismissed RI's application. The case will go to trial in April 2022.

    ASIC's claim 

    Between 2014 and 2020, certain authorised representatives of RI were subject to multiple cyber security incidents, including ransomware and hacking attacks. Cyber criminals obtained access to sensitive client information as a result of these attacks. 

    ASIC claims that RI failed to:

    a) implement plans, procedures, guidelines, frameworks, systems, resources and controls to adequately manage cyber security risk;

    b) properly review and monitor the effectiveness of cyber security controls relevant to these incidents;

    c) adopt and implement adequate and tailored cyber security documentation and controls; and

    d) identify the cause of each of the alleged cyber security incidents and use that information to mitigate the future risk of cyber-attacks.

    As a result, ASIC pleads that RI contravened sections 912A(1)(a), (b), (c), (d) and (h) of the Corporations Act. ASIC claims that RI:

    • failed to do all things necessary to ensure that the financial services were provided 'efficiently, honestly and fairly' because RI's cyber resilience was inadequate and exposed consumers to an unacceptable level of risk, and did not meet the reasonable standard of performance that the public is entitled to expect; 
    • failed to comply with licence conditions requiring it to establish and maintain measures to ensure compliance with the financial services laws, in respect of cyber security and cyber resilience;
    • failed to have available adequate resources (including financial, technological and human resources) to provide the financial services and to carry out supervisory arrangements in relation to cyber security; and
    • had inadequate cyber security risk management systems, documentation and controls, to prevent exposing consumers to an unacceptable level of risk.

    Minimum benchmark standards 

    Although ASIC's case against RI is yet to be decided by the court, it provides a guide to what ASIC expects are minimum benchmark standards in respect of cyber security and cyber resilience. These include:

    1. Financial services and credit licensees should have strategies, frameworks, policies, plans, procedures, standards, guidelines, systems, resources and controls in respect of cyber security and cyber resilience (Cybersecurity Documentation and Controls) in place.
    2. The Cybersecurity Documentation and Controls should be adequate to manage the risk in respect of cyber security and cyber resilience for the licensee itself and across its network of authorised representatives (Minimum Cybersecurity Requirements).
    3. The Cybersecurity Documentation and Controls in place should also address ASIC's '13 Cybersecurity Domains' (see ASIC's Statement of Claim), which relate to various target areas for cybersecurity attention including governance and business environment, data security and vulnerability management.

    Ultimately, the question of whether there is a mandated industry benchmark or baseline for financial services and credit licensees in relation to cyber security and cyber resilience will be determined by the court. However, the Minimum Cybersecurity Requirements embodied in the 68 documents identified by ASIC's expert provide licensees with a working framework of minimum standards that reflects ASIC's current expectations. 

    Maintaining cyber security capability in light of breach reporting obligations  

    In light of the recent changes to breach reporting (see How to comply with the new breach reporting regime), financial services and credit licensees should continuously monitor and maintain cyber security systems to mitigate the risk of non-compliance with the core obligations in section 912A(1) or section 47(1) and to: 

    • more readily and efficiently ascertain the relevant facts and information, so that they can "first know" whether there are reasonable grounds to believe that a reportable situation has arisen;
    • minimise the need for further internal breach reporting processes beyond the determination of 'reasonable grounds to believe' that a reportable situation has arisen to avoid exceeding the 30-day breach reporting timeframe; and
    • otherwise avoid unreasonable and unnecessary delays in complying with their breach reporting obligations.


    Authors: Rob Hanley, Partner (Ashurst Strategic Governance Services – Legal Governance Advisory); Edmond Park, Counsel (Ashurst); Maxine Viertmann, Lawyer (Ashurst Strategic Governance Services – Legal Governance Advisory).


    [1] ASIC Corporate Plan 2021-25, pages 4-5, 8, 15-16, 21.
    [2] Australian Institutional Investor Roundtable, a speech by Deputy Chair Karen Chester to the Australian Institutional Investor Roundtable hosted by the Standards Board for Alternative Investments, Thursday 22 April 2021: https://asic.gov.au/about-asic/news-centre/speeches/australian-institutional-investor-roundtable/

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.