Australia: Cybersecurity failures result in breach of financial services licensee obligations

In brief

On 5 May 2022, in a landmark Australian decision, the Federal Court found that RI Advice had breached its obligations as an Australian financial services (AFS) licensee to act efficiently, honestly and fairly, as a result of its failure to have in place adequate risk management systems to manage cybersecurity risks.

In handing down her judgment, Justice Rofe warned that "cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services". Her Honour noted that the declarations ordered in the matter should deter other AFS licensees from engaging in similar conduct.

AFS licensees should consider their risk management systems anew in light of the decision, and take stock of the particular cybersecurity risks that may arise in their businesses.


Key takeaways

For the most part, the Australian Securities and Investments Commission (ASIC) and RI Advice agreed on the accepted principles governing the assessment of an AFS licensee's compliance with section 912A(1)(a) of the Corporations Act 2001 (Cth) (Act), the requirement that an AFS licensee provide financial services efficiently, honestly and fairly. Justice Rofe reiterated those principles as set out in cases including ASIC v Westpac Securities Administration Ltd (2019) 272 FCR 170 and ASIC v Westpac Banking Corporation (No 2) [2018] FCA 751. Justice Rofe did, however, resolve one disagreement between the parties, finding that the requirement for an AFS licensee to provide financial services "efficiently" cannot, in a highly technical area like cyber risk management, be assessed by reference to public expectation. The reasonable standard of performance is instead to be assessed by reference to the reasonable person qualified in the area.

Justice Rofe also clarified the application of section 912A(1)(h) of the Act (the requirement that an AFS licensee have "adequate risk management systems"). Her Honour concluded that the notion of "adequacy" imports a normative standard of conduct. The particular focus of the provision is on "risk management systems", and for that reason the provision requires identification of the specific risks that arise in the context of a particular business. For RI Advice, this meant identifying risks to its authorised representatives, rather than just to RI Advice itself. Further, in the context of cyber risk management, the provision requires consideration of the risks faced in relation to a business's operations and IT environment. The applicable standard of "adequacy" in a given situation is ultimately one for the Court to decide; however, the Court's assessment will likely be informed by evidence from qualified experts in the field.

In depth

The final hearing in ASIC v RI Advice Group Pty Ltd [2022] FCA 496 had been fixed to commence on 4 April 2022; however, the matter was settled before the hearing began. As part of the settlement process, the parties proposed directions and orders to be made by consent, and Justice Rofe found there to be a proper basis for making such orders.

The case concerned the conduct of RI Advice, a wholly-owned subsidiary of Australia and New Zealand Banking Group Limited. RI Advice carries on a financial services business of authorising independently-owned corporate authorised representatives and individual authorised representatives to provide financial services to retail clients on its behalf and pursuant to its AFS licence. The authorised representatives, pursuant to RI Advice's AFS licence, collected certain confidential and sensitive personal information and documents in relation to their retail clients. Between June 2014 and May 2020, nine cybersecurity incidents occurred involving the authorised representatives.

These incidents were found to be the result of a variety of issues with the authorised representatives' management of cybersecurity risk, including:

  • using computer systems which did not have up-to-date antivirus software installed and operating;
  • not implementing filtering or quarantining of emails;
  • not having backup systems in place, or backups not being performed; and
  • poor password practices including sharing of passwords between employees, use of default passwords, passwords and other security details being held in easily accessible places or being known by third parties.

RI Advice, after becoming aware of the most serious of these incidents in May 2018, took steps and put in place certain documentation, controls and risk management measures for its authorised representatives, including:

  • training sessions, professional development events, and information being provided through RI Advice's weekly newsletter for authorised representatives;
  • an incident reporting process where cyber incidents could be discussed; and
  • obligations in the "Professional Standards" contractual terms between authorised representatives and RI Advice relating to information security, electronic storage, incident notification requirements, fraud procedures and privacy.

However, RI Advice admitted that it took too long to ensure that such measures were in place across all of its authorised representatives. Justice Rofe accepted that RI Advice should have had a more robust implementation of its program, and so found that RI Advice continued to contravene section 912A(1)(h) of the Act until 5 August 2021. On that basis, Her Honour ordered RI Advice to undertake a compliance program, including engaging an external expert to assess the adequacy of its cybersecurity risk management systems. Her Honour also ordered RI Advice to pay ASIC's costs in the proceedings of $750,000.

To discuss how our experience can assist you, or if you have any questions on any of the matters above, please do not hesitate to liaise with your usual contact at Baker McKenzie or the lawyers listed in this Alert.


Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. 