Landmark decision: Federal Court declares importance of cyber security for AFSLs
In an Australian first, the Federal Court has ruled (by consent of the parties) that Financial Services Licensees who fail to implement effective cyber security risk management systems will be in breach of their statutory obligations under the Corporations Act 2001 (Cth) to have adequate risk management systems in place.
This decision is the first clear indicator from Australia’s judiciary that cyber security is an obligation that Financial Services Licensees can no longer ignore and paves the way for ASIC to bring further proceedings against Licensees for similar failings in the future.
The case, brought by ASIC against RI Advice Group Pty Ltd (RI Advice), alleged that RI Advice failed to fulfil its obligations following nine reported cyber security incidents between June 2014 and May 2020 involving RI Advice's group of authorised representatives (AR Practices). The incidents included:
- Email account hacking.
- The misappropriation of 220 client files and client contact information.
- Social engineering fraud causing financial loss.
- The prevention of access to files due to a ransomware attack.
- Successful phishing attempts.
The cyber security deficiencies identified over the course of these incidents included:
- Computer systems that did not have up-to-date antivirus software installed and operating.
- No filtering or quarantining of emails.
- Limited or poor use of multi-factor authentication.
- Limited or non-existent monitoring tools and services to detect whether a malicious individual had gained, or still had, access to internal systems.
- No backup systems in place, or backups not being performed.
- Poor password practices, including the sharing of passwords between employees, the use of default passwords, and passwords and other security details being held in easily accessible places or being known by third parties.
Over the course of the cyber security incidents, RI Advice investigated and reported various issues regarding its own cyber security risk management procedures, such as out-of-date antivirus software and no backup systems in place.
RI Advice ultimately admitted it failed to implement cyber risk management systems which were effective at mitigating the risk of cyber intrusion.
Decision
The Court found that RI Advice contravened ss912(1)(a) and (b) of the Act as a result of its failure to have documentation and controls in respect of cyber security and cyber resilience in place that were adequate to manage risk in respect of cyber security and cyber resilience across its AR network.
The Court ordered that RI Advice pay a $750,000 contribution to ASIC’s costs of the proceedings. Her Honour Justice Rofe stated, in relation to the importance of cyber risk management in the provision of financial services: “Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”
Notably, the Court also ordered RI Advice to engage a cyber security expert to identify any further cyber security issues and implement measures to manage those risks as soon as practicable.
Her Honour did not order the payment of any penalty.
The team at Bellrock are here to assist you with advice and risk management solutions relating to cyber security. Our approach involves the use of third party experts who assist our clients in developing their cyber maturity. This process is initiated with a Cyber Risk Assessment which identifies the cyber risks facing your business and is required to obtain insurance. Our guide to Cyber Liability Insurance can be found here. For further information or to obtain a quote, please contact us via the form below.