The recent ASIC case against RI Advice, who were ordered to pay $750,000 to cover legal costs for failing to adequately manage cybersecurity risks, has set a major precedent for financial services organisations needing to implement proper cybersecurity controls to avoid serious charges from the industry regulator. But let’s take a closer look to understand what actually happened and what the implications are for other Australian Financial Services Licence (AFSL) holders and companies at large.
- AFSL holders need to understand that proper cybersecurity measures are an obligation in the provision of financial services
- Further regulatory guidance by ASIC and cybersecurity-related enforcement proceedings are expected
- Organisations should take a close look at ASIC's guidance on the issue (REP 429, REP 555, REP 651) and seek legal advice to confirm their obligations
- Companies need to actively engage with a trusted cybersecurity partner such as Red Piranha to develop and implement a proper cybersecurity program.
A lot of media coverage has purported to expose RI Advice as having done the wrong thing and deserved the imposed fine. It certainly didn’t help that they were also fined $6M earlier this year in a separate matter for failing to take reasonable steps to ensure that its authorised representatives were providing appropriate financial advice.
Indeed, the company experienced multiple cybersecurity breaches, including a $50,000 fraudulent invoice being paid via a compromised email account and thousands of clients’ data being compromised. Although quite damning, these breaches did occur over a period of seven years. The 2021 State of Enterprise Breaches report by Forrester showed that 63 percent of businesses had experienced a security breach in the prior 12 months and that organisations were breached an average of three times in that year. So, although RI did not perform well by any measure, its experience is not outside the realm of what many businesses encounter in today’s troubling threat landscape.
ASIC alleged that RI Advice contravened its duties under section 912A of the Corporations Act due to:
- its failure to implement appropriate cybersecurity controls and documents
- failing to identify the cause of cybersecurity incidents
- its failure to use information it had obtained about cyberattacks within its network of Authorised Representatives to mitigate the risk of future attacks.
ASIC Deputy Chair Sarah Court said, “ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment.”
When judgment was handed down, Her Honour Justice Rofe made it clear that cybersecurity should be front of mind for all AFSL holders, saying, “Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”
In their defence, RI Advice did make some improvements to their compliance measures after becoming aware of the security breaches, such as taking steps to monitor and audit compliance with the Professional Standards as well as introducing a Cyber Resilience Initiative to help their authorised representatives implement good security practices. Despite these improvements, however, RI Advice did admit to not moving quickly enough to implement the changes across their network and said it should have been more diligent in ensuring they were promptly and correctly rolled out at each authorised representative practice.
The Australian Cyber Security Council SMB Report from 2020 shows that almost half of SMBs rated their cyber security understanding as average or below average and acknowledged they had poor cyber security practices within their businesses, so RI Advice doesn’t seem to be a major outlier here.
It did take six months for RI Advice to appoint KPMG to conduct a forensic investigation into the incident. In hindsight this seems like a long time, but even when a project is a high priority, organisations typically need to wait for additional budget, which may not arrive until the following financial year or budget period. Add the process of engaging multiple potential security providers, and possibly running a selection process such as an RFP before choosing the right security partner, and it is not out of the ordinary for a cyber project to take six months or more to get underway.
Ironically, the main function of an AFSL holder is to advise their clients to take necessary steps to reduce the likelihood and impact of financial loss, by providing recommendations such as avoiding high risk investments, diversifying their investment portfolio or having proper insurance policies in place. Financial Services organisations themselves now need to heed prudent advice to invest in cybersecurity measures to reduce their own financial risk, not only from a cyber incident itself, but now also from significant penalties relating to such an incident.
One of the surprising points to come out of the case was a different perspective on the definition of reasonableness. As EJ Wise, Cybersecurity lawyer and Principal of Wise Law stated, “reasonableness, generally at law, is about what a reasonable person in the community might think of a certain set of facts, but what’s unusual about this case is the federal court said, actually 'reasonable', when it comes to cybersecurity, is what an average cybersecurity specialist thinks.” That raises the bar considerably in terms of an organisation proving that they were taking reasonable steps to avoid a cyber incident.
Also interestingly, this case was all based around provisions within the Corporations Act (not a specific financial services legislation like CPS 234), so these outcomes have far-reaching consequences for Australian companies across all industries. We should expect ASIC to be taking action against organisations, both inside and outside the financial services sector, who are not following the prevailing wisdom on cybersecurity matters.
Did RI Advice fail to meet its obligations? Yes, it clearly did. The Federal Court found that it failed to maintain adequate cybersecurity controls and contravened sections 912A(1)(a) and (h) of the Corporations Act 2001 (Cth), and it had to pay ASIC’s legal fees as a result. But the Court didn’t actually impose a specific fine for the matter (something that was expected to happen), instead only ordering payment of the legal fees, which amounts to a much lesser sentence, especially in contrast to the $6M fine it received previously for not managing its advisors properly, a matter that was primarily focused around one rogue advisor.
Did RI Advice do a bad job of implementing security measures? Yes, it clearly did. It encountered nine breaches over seven years and was slow to take decisive action. But it did make an attempt to implement a number of security measures. It seems the main issue the Court had was that RI Advice was too slow in properly implementing those measures across its whole organisation, including its representative network.
Truth be told, there are many organisations, including other AFSL holders, who are in similar shape to RI Advice when it comes to cybersecurity maturity and are only a breach away from ending up in the press with similar fines and brand damage on top of the costs of the incident itself. It’s likely that ASIC won’t be so nice with the next case, once a pattern starts emerging around poor security and they need to be seen to be taking a hard stand on companies not taking ‘reasonable’ steps (now judged in the eyes of a cybersecurity specialist!) to implement a proper security program across their entire business.
It's no longer a question of whether organisations need to be doing the right thing with their cybersecurity efforts; it’s now a given. However, it can be hard to know where to start or what the best next step is. Appointing a senior person to take charge of the security program, such as a Security Manager or Chief Information Security Officer (CISO), is an important piece of the puzzle. However, companies can’t always afford senior security professionals, who are expensive and often hard to find. Services such as a Virtual CISO (vCISO) and an Electronic CISO (eCISO) are available and can deliver much of the value for a fraction of the time and cost of engaging a full-time senior security owner.
- by Damien Cantelo
The information provided is not intended to be a comprehensive review of all developments in the law. Readers should seek legal advice before applying it to their circumstances.