The end to ASIC v RI Advice: Cyber security take-aways for Australian organisations
In early May 2022, the Australian Federal Court released its judgement in the long-running ASIC v RI Advice litigation. The court decided that failures in RI Advice’s cyber security risk management were a breach of its licence obligations as a provider of financial services.
ASIC’s media release announcing the win is available here.
This is definitely of interest to all licensed financial service providers and indicates increased action by ASIC in the area of cyber security. But what else can we learn from the Federal Court decision?
Background to ASIC v RI Advice
ASIC first filed against the company in 2020, in response to security failings that resulted in at least 10 cyber incidents occurring at authorised representatives of RI Advice over an extended period of time – between June 2014 and May 2020.
In one of the incidents, an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons.
A forensic analysis by KPMG also found attackers setting up VPNs, peer-to-peer file sharing, and crypto-miners, along with a variety of hacking tools.
In its action ASIC alleged that by not having adequate cybersecurity documents and controls in place, and not identifying the cause of each of the cybersecurity incidents and using that information to mitigate future risk of cyber-attack, RI Advice had breached its obligation to act ‘efficiently, honestly and fairly’ as the holder of an Australian financial services licence.
The decision – Cyber security failure
The Federal Court found that RI Advice, breached its Australian Financial Service license obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks.
In addition to the declaration of contravention, the Court ordered RI Advice to engage a cybersecurity expert to identify and implement what, if any, further measures are necessary to adequately manage cybersecurity risks across RI Advice’s authorised representative network. RI Advice also agreed to pay $750,000 towards ASIC’s costs. Both of these outcomes were part of the agreed consent order.
It’s not entirely clear what remedies the court might have determined were appropriate if the case had run its course rather than being the subject of a consent order, made after ASIC and RI Advice agreed to resolve the proceedings.
Cyber security take-aways
Don’t ignore cyber security risks
The Federal Court made it very clear that cyber security risk should be front of mind for all financial service licenses. In her judgment, Federal Court Justice Helen Rofe stated: “Cyber security risk forms a significant risk connected with the conduct of the business and provision of financial services. t is not possible to reduce cyber security risk to zero, but it is possible to materially reduce cyber security risk through adequate cyber security documentation and controls to an acceptable level.”
ASIC deputy chair Sarah Court added: “These cyber attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information. “It is imperative for all entities, including licensees, to have adequate cyber security systems in place to protect against unauthorised access.”
The decision is a key signal that ASIC is willing to take on cyber security breaches.
You must have a cyber security incident response plan
Part of ASIC’s claim was that RI Advice firstly did not have adequate cybersecurity documents and controls in place, but they also noted that it was the failure to identify the cause of the cybersecurity incidents and use that information to mitigate future risk that gave rise to RI Advice’s contravention of certain provisions of the Corporations Act.
Review of the root causes of incidents and development and implement of corrective actions to prevent their recurrence should be mandatory step in any incident response plan.
RI Advice’s failure to take appropriate action, knowing of existing identified vulnerabilities that had led to data breaches, is just as important as the failure to implement appropriate cyber security protections in the first instance.
Australian businesses should have information security incident response policies and processes in place to ensure that, if a cybersecurity incident does occur, steps will be taken not just to contain the damage caused by the breach, but also to improve cybersecurity in the aftermath.
It is important for all organisations to have developed, implemented and tested a robust incident response capability. You should consider developing and implementing these plans, if you haven’t already.
Minimum cyber security requirements
One of the matters in contention was what should be used to determine minimum security standards – a matter which has much exercised information security experts for many years.
In putting together its claim, and setting out what it believed were Minimum Security Requirements. ASIC stated that it relied on ‘six standards from around the globe, five of which were said to be publicly available.’ These included:
- The ASD Essential Eight;
- ASIC Report 429 Cyber Resilience: Health Check (2015);
- ISO 27001 ISMS Requirements;
- NIST Framework for Improving Critical infrastructure Cybersecurity (2018); and
- NIST Incident Handling Guide
Further evidence in support of the failure to meet minimum cyber security standards, and the relevance of the standards referred to above, was also tendered by way of affidavit from cyber security experts.
In response, RI Advice submitted that the ‘Minimum Cybersecurity Requirements’ referred to by ASIC in its claim were expressed in ‘vague, imprecise, jargonistic and convoluted terms’ which render the standards ‘practically incomprehensible’. RI Advice also had a number of further subsidiary complaints related to the Minimum Cybersecurity Requirements and the first complaint. These included:
- There is no identification of the ‘risks’ that the Minimum Cybersecurity Requirements are required to manage;
- It is not clear whether the risks and the Minimum Cybersecurity Requirements are the same for RI Advice and each of its ARs (which vary in size and composition);
- The reference to ‘mandated rules and processes’ is unclear given that it is not alleged that there are any legally mandated rules and processes in place in Australia;
- The statement of claim does not identify what constitutes an acceptable level of cybersecurity risk for RI Advice.
RI Advice argued that there is no single mandated industry benchmark or baseline for an AFS Licensee in relation to cybersecurity risk and resilience. ASIC confirmed at the hearing that it did not allege that the Minimum Cybersecurity Requirements were mandated by any particular laws, regulations or industry standards.
Ultimately it was agreed that the relevance of the standards was their inclusion in the expert opinion rather than any contention that they form a mandated level of minimum cyber security controls.
Although the case did not determine what would be regarded as minimum cybersecurity requirements, it is clear that ASIC will look to both Australia standards and those used globally (such as ISO and NIST standards) in determining what acceptable cybersecurity looks like in Australian companies.
It’s also clear from the interlocutory proceedings that if RI Advice had retained cyber security experts some of the confusion and alleged vagueness and lack of clarity in the ASIC claim documents might have been clarified.
Pay attention to ACSC cyber security recommendations
ASIC strongly supports the Australian Cyber Security Centre advice. In its media release on the case, ASIC specifically calls out that agency as one that Australian organisations should pay attention to:
“ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber threat environment.”
One of the standards used by ASIC’s expert to establish minimum security standards was the ASD Essential Eight, which is supported by the ACSC.
ASIC is clearly concerned that organistions take cyber risk seriously. ASIC has published a series of resources to support cybersecurity and cyber resilience, including the following:
Civil penalties more likely in the future
It is also worth noting that reforms introduced in 2019 as a result of the Financial Services Royal Commission mean that a failure to comply with certain AFS licensing obligations, including obligations relating to how cyber risks are addressed, may give rise to a civil penalty. The majority of the cyber incidents in the RI Advice occurred before the reforms were introduced. This means that in the future, it will be easier for ASIC to levy civil penalties for cyber security failures.
Following this win in the RI Advice case, it will be interesting to see if ASIC continues to pursue breaches in an area that is clearly of concern.
Some of the take-aways from the decision:
- ASIC is prepared to take action on cyber security failures;
- Standards (like ASD Essential 8, ISO 27001 and NIST) will be used to set expectations for cyber security controls but there’s still no legally recognised generally applicable minimum cyber security standard for Australian organisations;
- Make sure you retain cyber security experts if you’re involved in any cyber security related legal action. Most lawyers don’t get this stuff and that can make the process a whole lot harder;
- Don’t forget about root cause analysis and taking corrective action as part of your incident response plan;
- Be prepared to agree a negotiated outcome. The consent order in this case is a great outcome for ASIC and RI Advice.