
Prevention is better than cure: Directors' cyber security obligations


    Further to our alert published on 4 November 2021, on 5 May 2022, Justice Rofe handed down her reasoning for making the declarations and orders in the form agreed by ASIC and RI Advice Group Pty Limited (RI Advice).  

    What you need to know

    • Cyber resilience and cyber security are two separate (though interconnected) concepts, and directors need to understand both of them properly.

      "Cybersecurity is the ability of an organisation to protect and defend the use of cyberspace from attacks. Cyber resilience is the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber sources". 1
    • When directors are considering a company's cyber security arrangements and cyber resilience, they should take expert advice from appropriately qualified persons and ensure that the relevant advice is promptly and properly implemented and then regularly audited.  This can take the form of reliance on management, which sources that expert advice and reports up to the Board.  However, there may be times when the expert should present to the Board directly. 
    • AFSL holders have responsibility for the cyber security and cyber resilience of their authorised representatives (ARs).  AFSL holders must have controls in place that are adequate to manage risk in respect of cyber security across their ARs.
    • When considering compliance with section 912A(1)(a) of the Corporations Act (being the obligation of an AFSL holder to do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly) in the context of cyber security and cyber resilience:
      • an AFSL holder is required to identify the risks that the ARs face in the course of providing financial services pursuant to the licence, including in relation to cyber security and cyber resilience;2
      • an AFSL holder must have documentation, controls and risk management systems in place that are adequate to manage risk in respect of cyber security and cyber resilience across the AR network;3 and
      • the relevant test is what the reasonable person qualified in the area of cyber security and cyber resilience would expect, not the expectations of the general public.4

    What you need to do

    • Directors need to ensure that they are receiving regular reporting from management regarding the implementation and effectiveness of any cyber security systems – consider making this a standing item on the risk and compliance reporting that is provided to the Board.
    • Directors should understand their company's profile both in relation to cyber resilience and cyber security and ensure appropriate experts are retained to assist the company.
    • Directors should ensure that the company is able to and in fact does move quickly to implement fixes to cyber security systems as required.
    • AFSL holders should ensure that there are adequate systems in place to monitor ARs.

    Background

    • Between 2014 and 2020, certain authorised representatives of RI Advice were subject to multiple cyber security incidents, including ransomware and hacking attacks.  Cyber criminals obtained access to sensitive client information as a result of these attacks. 
    • ASIC claimed that RI Advice contravened sections 912A(1)(a), (b), (c), (d) and (h) of the Corporations Act by failing to undertake certain actions, such as implementing plans, procedures, guidelines, frameworks, systems, resources and controls to adequately manage cyber security risk, and properly reviewing and monitoring the effectiveness of the cyber security controls relevant to these incidents.

    Key issues and findings

    Trigger for ASIC proceedings

    These proceedings were based on nine incidents which occurred over a fairly long time period (June 2014 to May 2020).  These incidents were of varying severity, ranging from phishing incidents to hacking incidents where requests were made for funds transfers.  In some cases, no loss was suffered by clients as a result of the relevant incident.  However, ASIC did not appear to draw any distinction between these incidents - the mere fact of the relevant incidents was enough for ASIC to investigate.

    What controls were in place and what were the issues in relation to those controls?

    Prior to and as at 15 May 2018, there were a number of controls put in place by RI Advice in respect of cyber security risk for its ARs including:

    • training and awareness sessions and information provided at professional development events and via RI Advice’s weekly newsletter provided to ARs;
    • an incident reporting process and forums in which incidents, including cyber incidents, were reviewed and discussed; and
    • obligations contained in “Professional Standards”, which apply to ARs pursuant to their contractual arrangements with RI Advice and which are available to ARs on the RI Advice intranet. 

    In the period from 15 May 2018 to 5 August 2021, RI Advice also engaged various experts such as KPMG and two external cybersecurity organisations to conduct reviews of AR practices and identify measures which could be implemented as a priority to improve cyber security and cyber resilience for the ARs.  

    ASIC's view was that RI Advice had taken too long to implement those actions and this was the crux of the issue – not what was implemented but when it was implemented.  ASIC contended and RI Advice has accepted that 

    "it should have had a more robust implementation of its program so that the measures were more quickly in place at each AR Practices and the majority of the AR network was confirmed as operating pursuant to such cybersecurity and resilience measures earlier than 6 August 2021".5 

    "Efficiently, honestly and fairly"

    Her Honour found that the requirement for an AFSL holder to act "efficiently, honestly and fairly" includes within it a requirement that an AFSL holder:

    • identify the risks that the ARs face in the course of providing financial services pursuant to the licence, including in relation to cyber security and cyber resilience; and 
    • have documentation, controls and risk management systems in place that are adequate to manage risk in respect of cyber security and cyber resilience across the AR network.6 

    In this regard, the Court noted that an adequate system in the context of cyber risk management 

    "requires consideration of the risks faced by a business in respect of its operations and IT environment".7  

    ASIC did not allege that RI Advice did not act honestly – rather, it alleged that it did not act efficiently and fairly.  The Court confirmed that the phrase "efficiently, honestly and fairly" is a compound phrase and that each element does not need to be breached for there to be a breach of section 912A(1)(a).8 

    Public expectations

    ASIC submitted that:

    "If the performance of a licensee’s functions falls short of the “reasonable standard of performance that the public is entitled to expect”, then the efficiency requirement will not have been met. Accordingly, it is apparent that the obligation on a licensee under s 912A(1)(a) to ensure that the financial services provided on its behalf are provided “efficiently” imports a standard of reasonableness into the obligation. An example of a failure to act efficiently or fairly can be having inadequate procedures and training."9 

    Her Honour rejected this submission noting that cyber risk management is a highly technical area of expertise.  The assessment of the adequacy of any particular set of cyber risk management systems requires the technical expertise of a relevantly skilled person. 

    "Cyber risk management is not an area where the relevant standard is to be assessed by reference to public expectation. Rather, the adequacy of risk management must be informed by people with technical expertise in the area."10

    Her Honour noted that some conduct may be appropriate to assess through a public expectation lens: for example, fees charged for no service or providing personal financial advice without consideration of the client’s best interests.11

    Rofe J went on to say:

    "While it may be said that the public would expect the holder of an AFSL to have adequate cybersecurity measures, this says nothing of the content. In a technical area such as cybersecurity risk management, the reasonable standard of performance is to be assessed by reference to the reasonable person qualified in that area, and likely the subject of expert evidence before the Court, not the expectations of the general public".12 

    Orders

    The Court made a number of orders including that RI Advice engage a cyber security expert to identify what, if any, further documentation and controls in respect of cyber security and cyber resilience are necessary for RI Advice to implement to adequately manage risk across its AR network.  Implementation must commence within 90 days of the expert being engaged.13 

    The requirement to retain and work with an expert (and ASIC) and to commence implementation within 90 days has the potential to cause additional strain on the business and the resources available to the business as well as causing disruption within the workforce.  This will need to be carefully managed to ensure that other obligations continue to be complied with.

    Authors: Miriam Kleiner (Partner, Legal Governance Advisory) and Rob Hanley (Partner, Head of Legal Governance Advisory) 

    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, all part of the Ashurst Group. 

    1. Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 per Rofe J at [57]
    2. See footnote 1 at [28]
    3. See footnote 2
    4. See footnote 2 at [49]
    5. See footnote 2 at [64]
    6. See footnotes 1 and 2
    7. See footnote 2 at [55]
    8. See footnote 2 at [30]
    9. See footnote 2 at [30(g)]
    10. See footnote 2 at [47]
    11. See footnote 2 at [49]
    12. See footnote 11
    13. See footnote 2 at [3-4]
