The adequacy of cyber security measures was considered in the case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (ASIC v Ri Advice Group). One of the issues raised was whether the respondent had adequate cyber security and cyber resilience in place across its network of financial advisers. Ri Advice Group Pty Ltd ACN 001 774 125 (Ri Advice Group) is a financial services licensee within the meaning of section 761(A) of the Corporations Act 2001 (Cth) (Corps Act). As the holder of Australian Financial Services Licence (AFSL) number 000238429, it authorised various independently owned authorised representatives (ARs) to provide financial services on its behalf.
It was agreed that Ri Advice Group had contravened sections 912A(1)(a) and (h) of the Corps Act by failing to have adequate ‘cybersecurity and cyber resilience’ management in place. The ultimate question for the Court was not whether Ri Advice Group had adequate risk management systems in place, but whether the declarations proposed by the parties were appropriate in the circumstances.
Sections 912A(1)(a) and 912A(1)(h) of the Corps Act
The relevant sections are as follows:
“(1) A financial services licensee must:
(a) do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly; and
(h) subject to subsection (5) – have adequate risk management systems.”
Understanding cyber security terminology
The actions (or inaction) of Ri Advice Group, as referred to in the judgement, leave no doubt in the mind of the reader that it failed to take “reasonable steps”. Perhaps the most useful part of the judgement by Rofe J is that it provides various definitions for “cyber”-related terms, which we have extracted below:
Cyber-attacks
Attacks directed at computers, computer systems or other information communication technologies via digital or computer technology networks.[1]
Adequate cyber security documentation
Recording standards that companies must implement to effectively manage and materially reduce cyber security risks.[2]
Cyber resilience
The ability of an organisation to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber sources.[3]
Cyber security
The ability of an organisation to protect and defend the use of cyberspace from attacks.[4]
Cyber security incident
A singular or a series of undesirable cyber security event(s) that has or is likely to compromise business operations.
Phishing
Whilst not defined in the judgement, the term “phishing” means the fraudulent sending of electronic messages from an agent posing as a respectable company or organisation in an attempt to induce recipients to reveal personal information.
Summary of the cyber security incidents that occurred
The Federal Court of Australia (FCA) established nine (9) cyber security incidents occurring between June 2014 and May 2020 within Ri Advice Group’s Practices. These are summarised below:
- June 2014: An email account of an AR was hacked, leading to five of the Respondent’s clients receiving fraudulent emails demanding the transfer of funds. One client transferred a total of $50,000.
- June 2015: A third-party website provider employed by an AR Practice was hacked, resulting in a counterfeit homepage being inserted on the Practice’s website.
- September 2016: A client of an AR Practice received a fraudulent email from someone posing as an AR employee, requesting a funds transfer. The incident uncovered that the AR Practice used an email service where data was stored in the Cloud. A single password was used by everyone to access the data, and there was no antivirus software in place.
- January 2017: The primary reception computer of an AR Practice was targeted by ransomware, a type of malicious software that encrypts the victim’s files and withholds them unless a ransom is paid.
- May 2017: A server of an AR Practice was hacked via a remote access port, resulting in the personal information of 220 clients being made inaccessible unless funds were transferred. The files were never recovered.
- December 2017: A server of an AR Practice was subject to unauthorised access by an unknown agent between December 2017 and April 2018. The personal information of thousands of clients was compromised, with several reports of unauthorised use of this information.
- May 2018: The email address of an AR was accessed by an unknown agent, resulting in the fraudulent delivery of an email to the AR Practice’s bookkeeper that requested a bank transfer.
- August 2019: An unauthorised person used an employee’s email address at an AR Practice to send phishing emails to more than 150 clients.
- April 2020: The same employee’s email address used in the August 2019 phishing incident was compromised again and used to send phishing emails to the AR Practice’s contacts.
Ri Advice Group’s management of cyber security risk
Following each incident, reports and inquiries conducted on behalf of Ri Advice Group uncovered several issues regarding the ARs’ management of cyber security risk, including:
- computer systems did not have updated anti-virus software operating or installed;
- emails were not being filtered or quarantined;
- there were no backup systems operating, or backups were not being completed; and
- there were poor password practices, including employee password sharing, use of default passwords, and security details and passwords being known to third parties or held in easily accessible locations.
On 15 May 2018, Ri Advice Group became aware of the December 2017 incident. It was acknowledged that, prior to and on this date, some controls, risk management measures, and documentation to manage cyber security risk for the ARs had been adopted, including:
- ARs training and personal development sessions, along with information provided in a weekly newsletter;
- the discussion of cyber incidents through an incident reporting process; and
- obligations relating to electronic storage, fraud procedures, incident notification, privacy and information security which were within the contractual terms of the professional standards binding Ri Advice Group to its ARs.
Despite this, Ri Advice Group admitted that prior to 15 May 2018, the company did not have controls, risk management measures, and documentation procedures that were sufficient to manage cyber security risk for its ARs.
Ri Advice Group’s long-winded approach
October 2018: The older incidents were addressed through Ri Advice Group’s improvements to the existing cyber security risk system. These adjustments included:
- monitoring and auditing compliance with the professional standards containing cyber security requirements; and
- employing external advisory firms to review cyber security processes and investigate past incidents.
Late 2019: Ri Advice Group released a Cyber Security Support Guide to its ARs, outlining best practices for cyber security management.
January 2020: Ri Advice Group launched a program to its ARs called the Cyber Resilience Initiative. The program was designed to:
- increase cyber security awareness for ARs; and
- assist ARs to identify and adopt cyber resilience processes.
August 2021: Most AR Practices had successfully implemented the practices contained in the 2019 Cyber Security Support Guide. The implementation was approved as being at a good standard.
Determination made by the Court
Although Ri Advice Group developed and implemented the measures described above between 15 May 2018 and August 2021, they were not implemented quickly enough across all of its ARs.
Rofe J found that Ri Advice Group had contravened sections 912A(1)(a) and (h) of the Corps Act by failing to have adequate documentation and controls in place to manage cyber security and cyber resilience risks.
Takeaways on cyber security and cyber resilience
While the steps taken by Ri Advice Group were evaluated in the context of its role as a financial services licensee and its handling of the personal information it collects and stores about its customers, the principles apply to all businesses. In today’s environment, businesses must remain hyper-vigilant regarding cyber security and cyber resilience.
Links and further references
Legislation
Corporations Act 2001 (Cth) sections 912A(1)(a) and (h)
Cases
Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496
Further information about cybersecurity
If you are a business and need advice about the legal adequacy of your cyber security and cyber resilience practices, contact us for a confidential and obligation-free discussion:

Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
T: +61 7 3221 0013 (preferred)
M: +61 419 726 535
E: mburrows@dundaslawyers.com.au

Disclaimer
This article contains general commentary only. You should not rely on the commentary as legal advice. Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.
[1] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (5 May 2022) at para 57.
[2] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (5 May 2022) at para 58.
[3] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (5 May 2022) at para 57.
[4] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (5 May 2022) at para 57.