Beyond Cyber: Key lessons in ASIC v RI Advice Group
16 May 2022
RI Advice Group had an authorised representative (AR) network of between 89 and 119 practices. Over a six-year period (between June 2014 and May 2020), 9 cyber security incidents occurred at those AR practices, ranging from fraudulently sent emails to phishing incidents and hacking attacks.
Importantly, RI Advice Group had taken a number of steps to manage cyber security risk for its network of authorised representatives, and among other things, had in place contractual 'Professional Standards' and an incident reporting process. They sought confirmation that all authorised representatives had read and were aware of these compliance measures. RI Advice Group admitted that these measures were inadequate to manage the cyber security risk.
RI Advice Group made significant improvements to these compliance measures after becoming aware of the cyber incidents, including taking steps to monitor and audit compliance with the 'Professional Standards' and introducing a Cyber Resilience Initiative to assist their authorised representatives in identifying and adopting good practices. Despite these improvements, RI Advice Group admitted it took too long to implement them across their network, and that it ought to have had a more robust program to ensure the measures were more quickly in place at each authorised representative practice.
Given these circumstances, the Court found that RI Advice Group had breached its section 912A(1)(a) obligation to do all things necessary to ensure its financial services were provided 'efficiently, honestly and fairly'.
As indicated above, the Court determined that 9 failures of RI Advice Group's compliance system, over 6 years and across an authorised representative network of between 89 and 119 practices, amounted to an identifiable issue with the compliance system. This aggregation of incidents illustrates the necessity of viewing incidents holistically and assessing what patterns, collectively, they indicate.
A necessary characteristic of a good compliance system is monitoring and improvement where any deficiencies are identified. Identifying emerging trends within incident data would allow an AFSL holder to respond more quickly and effectively to any systemic deficiencies.
Recent enhancements to the breach reporting requirements (see How to comply with the new breach reporting regime) give ASIC a greater capability to join the dots between reported breaches and identify broader system failures that may constitute a breach of the 'efficiently, honestly and fairly' obligation. AFSL holders should be on notice and ensure that they are also proactively undertaking this analysis.
RI Advice Group became aware of the deficiency in their compliance system by 15 May 2018. However, the improved measures they developed with the help of specialist experts were only implemented across the majority of authorised representatives by 6 August 2021 (some three years later). The Court determined that this delay was inconsistent with the standard required.
A reasonable standard of performance would have included a prompt and robust rectification of the identified deficiencies across the authorised representative network. As such, when patterns emerge, AFSL holders should respond without delay to address identified deficiencies in their compliance systems.
As mentioned above, RI Advice Group did have a number of commonly used compliance measures in place to govern the conduct of their authorised representatives. However, compliance was not audited beyond simply seeking confirmation from authorised representatives that they had read and were aware of the 'Professional Standards'. This was found to have breached the 'efficiently, honestly and fairly' obligation.
Consequently, AFSL holders must ensure that they have adequate auditing (or other monitoring) to confirm that the requirements of the compliance measures are actually understood by any authorised representatives, and are being met. The implementation of compliance measures should be a constantly evolving and iterative process to ensure that AFSL holders are adequately responding to new risks.
Authors: Narelle Smythe, Partner; Lucinda Hill, Partner; Stephanie Cameron, Senior Associate and Nandini Kaushik, Graduate
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.