What are adequate cyber security measures?

The adequacy of cybersecurity measures was considered in the case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (ASIC v Ri Advice Group). One of the issues raised was whether the respondent had adequate cybersecurity and cyber resilience in place across its network of financial advisers. Ri Advice Group Pty Ltd ACN 001 774 125 (Ri Advice Group) is a financial services licensee within the meaning of section 761A of the Corporations Act 2001 (Cth) (Corps Act). As the holder of AFSL licence number 000238429 it authorised various independently owned authorised representatives (ARs) to provide financial services on its behalf.

It was agreed that Ri Advice Group had contravened sections 912A(1)(a) and (h) of the Corps Act by failing to have adequate ‘cybersecurity and cyber resilience’ management in place. The ultimate question for the Court was not whether Ri Advice Group had adequate risk management systems in place, but whether the declarations proposed by the parties were appropriate in the circumstances.

Sections 912A(1)(a) and (h) of the Corps Act

The relevant sections are as follows:

  (1) A financial services licensee must:
  (a) do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly; and
  …
  (h) subject to subsection (5) – have adequate risk management systems; and

Understanding Cybersecurity terminology

The actions (or non-actions) of Ri Advice Group referred to in the judgement leave no doubt in the mind of the reader that they had taken “reasonable steps”. Perhaps the most useful part of the judgement by Rofe J is that it provides various definitions for “Cyber” related terms, which we have extracted below:

What are Cyber-attacks?

Cyber-attacks mean attacks directed at computers, computer systems or other information communication technologies via digital or computer technology networks.[1]

What is Adequate Cybersecurity Documentation?

Adequate Cybersecurity Documentation means recording the standards that companies must implement to effectively manage and materially reduce Cybersecurity Risk.[2]

What is Cyber Resilience?

Cyber Resilience means the ability of an organisation to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by Cyber Sources.[3]

What is Cybersecurity?

Cybersecurity is defined as the ability of an organisation to protect and defend the use of cyberspace from attacks.[4]

What is a Cybersecurity Incident?

Cybersecurity Incident means a singular or a series of undesirable cybersecurity event(s) that has or is likely to compromise business operations.

What is Phishing?

Whilst not defined in the judgement, the term Phishing means the fraudulent sending of electronic messages from an agent posing as a respectable company or organisation attempting to induce the recipients to reveal personal information.

Summary of the Cybersecurity incidents that occurred

The Federal Court of Australia (FCA) established nine (9) Cybersecurity Incidents occurring between June 2014 and May 2020 at the Practices of Ri Advice Group. These are summarised below:

  • June 2014: An email account of an AR was hacked, resulting in five of the Respondent’s clients receiving fraudulent emails insisting on the transfer of funds. One client transferred a total of $50,000;
  • June 2015: A third-party website provider employed by an AR Practice was hacked, resulting in the Practice’s website having a counterfeit home page inserted;
  • September 2016: A client of an AR Practice received a fraudulent email from a person posing as an AR employee requesting the transfer of funds. The incident uncovered that the AR Practice engaged with an email service where data was stored in the Cloud. There was a single password used by everyone to access data and there was no anti-virus software in place;
  • January 2017: The primary reception computer of an AR Practice was emailed ransomware, a type of software that encrypted the Practice’s files unless funds were transferred;
  • May 2017: The server of an AR Practice was hacked through a remote access port, resulting in the personal information of 220 clients being made inaccessible unless funds were transferred. The files were never recovered;
  • December 2017: The server of an AR Practice was subject to unauthorised access by an unknown agent between December 2017 and April 2018. The personal information of thousands of clients was compromised, with several reports of unauthorised use of this information;
  • May 2018: The email address of an AR was accessed by an unknown agent, resulting in the fraudulent delivery of an email to the AR Practice’s bookkeeper that requested a bank transfer;
  • August 2019: An unauthorised person used the email address of an employee of an AR Practice to send more than 150 clients phishing emails; and
  • April 2020: The same employee’s email address from the August 2019 incident was used by an unauthorised person to send Phishing Emails to the contacts of the AR Practice.

Ri Advice Group’s management of Cybersecurity Risk

Following each incident, reports and inquiries executed on behalf of Ri Advice Group uncovered several issues regarding the AR management of Cybersecurity Risk.  These were:

  • computer systems did not have updated anti-virus software operating or installed;
  • emails were not being filtered or quarantined;
  • there were no backup systems operating, or backups were not being completed; and
  • there were poor password practices, including employee password sharing, default password use, and security and passwords being known to third parties or held in easily accessible locations.

On 15 May 2018 Ri Advice Group became aware of the December 2017 incident. It was accepted that, prior to and on this date, it had adopted some controls, risk management measures and documentation to manage Cybersecurity Risk for its ARs. These included:

  • AR training and personal development sessions, as well as information contained in a weekly newsletter;
  • the discussion of Cyber Incidents through an incident reporting process; and
  • obligations relating to electronic storage, fraud procedures, incident notification, privacy and information security which were within the contractual terms of the professional standards binding Ri Advice Group to its ARs.

Despite this, Ri Advice Group admitted that prior to 15 May 2018 the company did not have controls, risk management measures and documentation procedures that were sufficient to manage Cybersecurity Risk for its ARs.

Ri Advice Group’s long-winded approach

October 2018: The older incidents were addressed through Ri Advice Group’s improvements to the existing Cybersecurity Risk system. These adjustments included:

  • monitoring and auditing compliance with the Professional Standards containing cybersecurity requirements; and
  • employing external advisory firms to review Cybersecurity processes and investigate past incidents.

Late 2019: Ri Advice Group released a Cyber Security Support Guide to its ARs, containing the best practices for Cybersecurity management.

January 2020: Ri Advice Group launched a program for its ARs called the Cyber Resilience Initiative. The program was designed to:

  • increase Cybersecurity awareness for ARs; and
  • assist ARs to identify and adopt Cyber Resilience processes.

August 2021: Most AR Practices had successfully implemented the practices contained in the 2019 Cyber Security Support Guide. The implementation was assessed as being of a good standard.

Determination made by the Court

Despite the measures developed and implemented by Ri Advice Group from 15 May 2018 to August 2021, they were not implemented fast enough across all of the ARs.

Rofe J found that Ri Advice Group had contravened sections 912A(1)(a) and (h) of the Corps Act by failing to have in place documentation and controls regarding Cybersecurity and Cyber Resilience that were adequate to manage the associated risks.

Takeaways on Cybersecurity and Cyber Resilience

Whilst the steps taken by Ri Advice Group were assessed in the context of it being a financial services licensee and of the personal information that it collected and stored about its customers, the principles apply to all businesses. In the current environment, businesses need to ensure that they remain hypervigilant regarding Cybersecurity and Cyber Resilience.

Links and further references

Legislation

Corporations Act 2001 (Cth) sections 912A(1)(a) and (h)

Cases

Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496

Further information on the adequacy of Cybersecurity and Cyber Resilience practices

If you are a business and need advice about the legal adequacy of your Cybersecurity and Cyber Resilience practices, contact us for a confidential and obligation-free discussion:

Malcolm Burrows Lawyer

Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
Telephone: (07) 3221 0013 (Preferred)
Mobile: 0419 726 535
e: mburrows@dundaslawyers.com.au

Disclaimer

This article contains general commentary only. You should not rely on the commentary as legal advice. Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.

Footnotes

[1] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (5 May 2022) at para 57.

[2] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (5 May 2022) at para 58.

[3] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (5 May 2022) at para 57.

[4] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (5 May 2022) at para 57.
