Prevention is better than cure: Directors' cyber security obligations
06 May 2022
Further to our alert published on 4 November 2021, on 5 May 2022, Justice Rofe handed down her reasoning for making the declarations and orders in the form agreed by ASIC and RI Advice Group Pty Limited (RI Advice).
These proceedings were based on nine incidents which occurred over a fairly long time period (June 2014 to May 2020). These incidents were of varying severity, ranging from phishing incidents to hacking incidents where requests were made for funds transfers. In some cases, no loss was suffered by clients as a result of the relevant incident. However, ASIC did not appear to draw any distinction between these incidents - the mere fact of the relevant incidents was enough for ASIC to investigate.
Prior to and as at 15 May 2018, there were a number of controls put in place by RI Advice in respect of cyber security risk for its ARs including:
In the period from 15 May 2018 to 5 August 2021, RI Advice also engaged various experts such as KPMG and two external cybersecurity organisations to conduct reviews of AR practices and identify measures which could be implemented as a priority to improve cyber security and cyber resilience for the ARs.
ASIC's view was that RI Advice had taken too long to implement those actions and this was the crux of the issue – not what was implemented but when it was implemented. ASIC contended and RI Advice has accepted that
"it should have had a more robust implementation of its program so that the measures were more quickly in place at each AR Practices and the majority of the AR network was confirmed as operating pursuant to such cybersecurity and resilience measures earlier than 6 August 2021". [5]
Her Honour found that the requirement for an AFSL holder to act "efficiently, honestly and fairly" includes within it a requirement that an AFSL holder:
In this regard, the Court noted that an adequate system in the context of cyber risk management
"requires consideration of the risks faced by a business in respect of its operations and IT environment". [7]
ASIC did not allege that RI Advice did not act honestly – rather, it alleged that it did not act efficiently and fairly. The Court confirmed that the phrase "efficiently, honestly and fairly" is a compound phrase and that each element does not need to be breached for there to be a breach of section 912A(1)(a). [8]
ASIC submitted that:
"If the performance of a licensee's functions falls short of the 'reasonable standard of performance that the public is entitled to expect', then the efficiency requirement will not have been met. Accordingly, it is apparent that the obligation on a licensee under s 912A(1)(a) to ensure that the financial services provided on its behalf are provided 'efficiently' imports a standard of reasonableness into the obligation. An example of a failure to act efficiently or fairly can be having inadequate procedures and training." [9]
Her Honour rejected this submission noting that cyber risk management is a highly technical area of expertise. The assessment of the adequacy of any particular set of cyber risk management systems requires the technical expertise of a relevantly skilled person.
"Cyber risk management is not an area where the relevant standard is to be assessed by reference to public expectation. Rather, the adequacy of risk management must be informed by people with technical expertise in the area." [10]
Her Honour noted that some conduct may be appropriate to assess through a public expectation lens: for example, fees charged for no service or providing personal financial advice without consideration of the client's best interests. [11]
Rofe J went on to say:
"While it may be said that the public would expect the holder of an AFSL to have adequate cybersecurity measures, this says nothing of the content. In a technical area such as cybersecurity risk management, the reasonable standard of performance is to be assessed by reference to the reasonable person qualified in that area, and likely the subject of expert evidence before the Court, not the expectations of the general public". [12]
The Court made a number of orders including that RI Advice engage a cyber security expert to identify what, if any, further documentation and controls in respect of cyber security and cyber resilience are necessary for RI Advice to implement to adequately manage risk across its AR network. Implementation must commence within 90 days of the expert being engaged. [13]
The requirement to retain and work with an expert (and ASIC) and to commence implementation within 90 days has the potential to cause additional strain on the business and the resources available to the business as well as causing disruption within the workforce. This will need to be carefully managed to ensure that other obligations continue to be complied with.
Authors: Miriam Kleiner (Partner, Legal Governance Advisory) and Rob Hanley (Partner, Head of Legal Governance Advisory)
This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, all part of the Ashurst Group.
Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.
Ashurst Risk Advisory Pty Ltd (ABN 74 996 309 133) provides services under the Ashurst Consulting brand. Ashurst Consulting services do not constitute legal services or legal advice, and are not provided by Australian legal practitioners. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
For more information about the Ashurst Group and the services offered, please visit www.ashurst.com.
Liability limited by a scheme approved under Professional Standards Legislation (Ashurst Risk Advisory only).
1. Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 per Rofe J at [57]
2. See footnote 1 at [28]
3. See footnote 2
4. See footnote 2 at [49]
5. See footnote 2 at [64]
6. See footnotes 1 and 2
7. See footnote 2 at [55]
8. See footnote 2 at [30]
9. See footnote 2 at [30(g)]
10. See footnote 2 at [47]
11. See footnote 2 at [49]
12. See footnote 11
13. See footnote 2 at [3-4]
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.