Federal Court finds RI Advice failed to adequately manage cybersecurity risks

In the landmark decision of Australian Securities and Investments Commission v RI Advice Group Pty Ltd (RI Advice) [2022] FCA 496, the Federal Court found that Australian Financial Services licensee, RI Advice, breached its license obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks.

Background

RI Advice was a wholly owned subsidiary of Australia and New Zealand Banking Group Limited that became part of the IOOF Holdings Limited group of companies from 1 October 2018 and carries on a financial services business within the meaning of s 761A of the Act under a third-party business owner model. RI Advice authorises independently owned corporate authorised representatives and individual authorised representatives (ARs) to provide financial services to retail clients.

The ARs electronically received, stored, and accessed confidential and sensitive personal information and documents in relation to their retail clients. The personal information included: (a) personal details, including full names, addresses and dates of birth and in some instances health information; (b) contact information, including contact phone numbers and email addresses; and (c) copies of documents such as driver’s licences, passports, and other financial information.

Between June 2014 and May 2020, ARs were impacted by nine cybersecurity incidents, including phishing and ransomware attacks. The most significant incident occurred when an unknown actor gained unauthorised access to an AR’s server for a period of several months between December 2017 and April 2018 (December 2017 Incident). This event compromised the personal information of several thousand clients, a number of which reported unauthorised use of the personal information.

Prior to, and as at, 15 May 2018 (the date on which RI Advice became aware of the December 2017 Incident), RI Advice had taken certain steps and had in place some documentation, controls and risk management measures in respect of cybersecurity risk for its ARs, including: (a) training sessions, professional development events, and information provided through RI Advice’s weekly newsletter for ARs; (b) an incident reporting process where cyber incidents could be discussed; and (c) obligations in the ‘Professional Standards’ contractual terms between ARs and RI Advice relating to information security, electronic storage, incident notification requirements, fraud procedures and privacy.

Judgment

RI Advice admitted, that prior to and as at 15 May 2018, it did not have documentation, controls and risk management systems that were adequate to manage risk in respect of cybersecurity across its AR network.

Most of the historic issues were addressed by significant improvements made by RI Advice to its existing cybersecurity risk management systems after its acquisition by IOOF in October 2018. The improvements included engaging multiple external advisory firms to investigate past failures and review cybersecurity practices.

RI Advice; however, admitted it took too long to implement and ensure measures to improve cybersecurity and cyber resilience for the ARs, and accepted it should have had a more robust implementation of its program.

The Court declared that RI Advice contravened s 912A(1)(a) and (h) of the Corporations Act 2001 (Cth) (Corporations Act) from 15 May 2018 to 5 August 2021 as a result of its failure to have documentation and controls in respect of cybersecurity and cyber resilience in place that were adequate to manage risk in respect of cybersecurity and cyber resilience across its AR network, and as a result of this conduct, it: (a) failed to do all things necessary to ensure the financial services covered by the Licence were provided efficiently and fairly, in contravention of s 912A(1)(a) of the Corporations Act; and (b) failed to have adequate risk management systems, in contravention of s 912A(1)(h) of the Corporations Act.

RI Advice was ordered to pay ASIC’s costs fixed in the amount of $750,000 and to implement additional security measures at the earliest reasonably practicable date identified through third-party security audit at its cost.

Practical takeaways

The case is significant because of the clarification it gives to the meaning of ‘efficiently, honestly and fairly’ under s 912A of the Corporations Act, in particular in the context of risk management of cybersecurity. It is also a forerunner of things to come, under the Financial Accountability Regime which places individual liability on executives for failure to take reasonable steps to prevent occurrences such as cyber breaches.

If you found this insight article useful and you would like to subscribe to Gadens’ updates, click here.

Authored by: 

Liam Hennessey, Partner
Robert Feldman, Director