Cybersecurity risks and resilience and the Australian Securities and Investments Commission
22 May
Author: Helaine Leggat, ICTLC Australia Managing Partner
In the judgment of the Federal Court of Australia delivered on 5 May 2022 in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, Rofe J found that a licensed financial services organisation had failed to adequately manage cybersecurity risks and resilience.
Declarations and Orders
In summary, the Court declared that RI Advice had contravened ss 912A(1)(a) and (h) of the Corporations Act 2001 (Cth) from 15 May 2018 to 5 August 2021. The contraventions arose from its failure to have in place documentation and controls in respect of cybersecurity and cyber resilience that were adequate to manage risk across its network. As a result of this conduct, RI Advice (a) failed to do all things necessary to ensure that the financial services covered by its licence were provided efficiently and fairly, in contravention of s 912A(1)(a), and (b) failed to have adequate risk management systems, in contravention of s 912A(1)(h).
The Court ordered RI Advice to engage cybersecurity experts to identify the documentation and controls needed to adequately manage cybersecurity risk, to commence implementing them within set timeframes, and to provide written reports to ASIC. The Court further ordered RI Advice to pay a contribution of $750,000 towards ASIC's costs.
This is an Australian first for the Australian Securities and Investments Commission (ASIC), and the judgment is worth considering more broadly than in relation to financial services alone. ASIC is Australia's integrated corporate, markets, financial services and consumer credit regulator, with facilitative, regulatory and enforcement powers that include the power to make rules and to investigate suspected breaches of the law.
In July 2019, the Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234 Information Security came into effect, establishing the board of an APRA-regulated entity as ultimately responsible for the entity's information security.
The differences in approach to cyber security between ASIC and APRA are pronounced, and they demonstrate Australia's complex regulatory environment and its sector-specific approach. Nevertheless, a point of commonality is board responsibility under the Corporations Act. As this is the first Australian legal action in relation to cyber security, I would have liked to see consideration of directors' duties in addition to consideration of the meaning of "efficiently, honestly and fairly". I would also have liked to see consideration of standards other than "social and commercial norms". Standards, by definition, establish a benchmark for reasonable behaviour, and liability ensues where behaviour falls short of that benchmark in the circumstances under consideration.
Admittedly, information security standards such as CPS 234 and the ISO/IEC 27000 family (ISO/IEC 27001 in particular) are not absolute. The former requires an information security capability "commensurate with the size and extent of threats" to the entity's information assets, and the latter depends on the controls an organisation selects in its Statement of Applicability (SoA).
With respect, I do not agree with Rofe J that the issues are that complex. In my view, the lack of security had little to do with the "highly technical" expertise required to undertake a risk assessment. The facts provide evidence that there was little if any cyber security in place. RI Advice did not require a complex risk assessment. It required basic cyber hygiene and common sense.
Five of the nine incidents that occurred between 15 May 2018 and 5 August 2021 involved email as the source of, or a component of, the attack. It is common knowledge that compromised email accounts and credentials lead to phishing and ransomware. It is common knowledge that personal information is the fuel for cyber-attacks. Website compromises and even brute-force attacks are made relatively easy in circumstances where password practices are poor and no multi-factor authentication (MFA) is in place. Furthermore, in focusing on technical issues, the judgment neglects social engineering. The "people" element of people, process and technology cannot be neglected.
Given that RI Advice was a wholly-owned subsidiary of two mature financial institutions in succession (ANZ until 30 September 2018 and IOOF from 1 October 2018), it is reasonable to think that the cyber security practices of those organisations would have been incorporated into those of RI Advice through the contractual arrangements between the parties. Cyber security risks and liabilities should be specifically catered for in any business agreement, and so too down the "supply chain" to the individuals and entities providing services to RI Advice.
Even if RI Advice did not inherit reasonable cyber security practices, it had merely to implement the most basic cyber security practices to avoid most of the nine incidents. It could have relied on the Australian Cyber Security Centre (ACSC) Essential Eight, where Maturity Level 1 indicates that an organisation's cyber security posture should be able to defeat the most common attacks and generally be able to defeat low-effort attacks.
After nine cybersecurity incidents between June 2014 and May 2020, ASIC commenced proceedings against RI Advice on 21 August 2020 by originating process and concise statement. In its originating process, ASIC sought declarations that RI Advice had contravened ss 912A(1)(a), (b), (c), (d), (h) and (5A) of the Corporations Act as a result of its failure to have, and to have implemented, "policies, plans, procedures, strategies, standards, guidelines, frameworks, systems, resources and controls" that were reasonably appropriate to adequately manage risk in respect of cybersecurity and cyber resilience. The concise statement was later replaced with a statement of claim. The proceeding was settled before the final hearing, which had been fixed to commence on 4 April 2022.
On 7 April 2022, Rofe J received proposed declarations and orders to be made by consent, together with a statement of agreed facts and admissions (SAFA). Both parties filed submissions in support of the proposed declarations and orders in respect of only two of the contraventions originally pleaded. In these documents, despite some qualifying contentions, RI Advice admitted to having contravened ss 912A(1)(a) and (h), namely:
“(1) A financial services licensee must:
(a) do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly; and
(h) subject to … have adequate risk management systems;”
Up to and including 30 September 2018, RI Advice was a wholly-owned subsidiary of Australia and New Zealand Banking Group Limited (ANZ). It was one of three ANZ financial services licensees that became part of the IOOF Holdings Limited (IOOF) group of companies (as it was then known) from 1 October 2018.
To provide financial services on its behalf, RI Advice contracted the services of independently owned authorised representatives (ARs), both individuals and legal entities. These service relationships naturally involved electronic communications and transactions in which retail clients' confidential and sensitive personal information and documents were received, stored and accessed. The personal information included: (a) personal details, including full names, addresses and dates of birth and, in some instances, health information; (b) contact information, including phone numbers and email addresses; and (c) copies of documents such as driver's licences and passports, and other financial information.
The ARs have provided financial services to at least 60,000 retail clients. That is a lot of personal information and a large pool of individuals to exploit. It is also high risk given that the maximum penalty under the Privacy Act 1988 (Cth) is set to increase from $2.1m to $10m. Technical expertise is not necessary to assess all cyber risk.
Nine cyber security incidents
Between June 2014 and May 2020, nine cyber security incidents occurred at the practices of the ARs. The background and summary of the relevant facts below are taken from the SAFA.
- June 2014 – AR’s email account was hacked and five clients received a fraudulent email urging the transfer of funds. One client made transfers totalling some $50,000.
- June 2015 – a third-party website provider engaged by an AR practice was hacked, resulting in a fake home page being placed on the AR practice’s website.
- September 2016 – a client received an email requesting money, apparently from an employee of an AR practice. The email had not been sent by the employee and was fraudulent. It came to light that the AR practice used an email platform where information was stored "in the Cloud", that there was no "anti-virus software", and that there was only one password, which everyone used to access information.
- January 2017 – the main reception computer at an AR practice was subject to ransomware delivered by email, making certain files inaccessible.
- May 2017 – a server at an AR practice was "hacked" by brute force, resulting in a file containing the personal information of some 220 clients being held for ransom and ultimately not recovered.
- December 2017 to April 2018 (the "December 2017 Incident") – an unknown malicious agent had unauthorised access to an AR practice server for a period of several months. This event compromised the personal information of several thousand clients.
- May 2018 – an unknown person gained unauthorised access to the email address of an AR and sent a fraudulent email to the AR’s bookkeeper requesting a bank transfer.
- August 2019 – an unauthorised person used the email address of an AR practice employee to send phishing emails to over 150 clients.
- April 2020 – an unauthorised person used the same email address (above) to send further phishing emails to the AR practice contact.
Relevant Principles – Consent orders in regulatory proceedings
It is worth noting the points made by the Court under the heading "Relevant Principles – Consent orders in regulatory proceedings" in relation to cyber security and risk, specifically (paragraph numbers are those of the judgment):
[46] "… The assessment of the adequacy of any particular set of cyber risk management systems requires the technical expertise of a relevantly skilled person."
[47] "…, the adequacy of risk management must be informed by people with technical expertise in the area."
[49] "… In a technical area such as cybersecurity risk management, the reasonable standard of performance is to be assessed by reference to the reasonable person qualified in that area, …, not the expectations of the general public."
[55] "… cyber risk management is a highly technical area of expertise. While the standard of "adequacy" is ultimately one for the Court to decide, the Court's assessment of the adequacy of any particular set of cyber risk management systems will likely be informed by evidence from relevantly qualified experts in the field."
While all of this is to some extent true, the bar was so low in the case of RI Advice that one would hardly think a "relevantly qualified expert" was necessary to conclude that sharing a single password introduces risk.
With the ACSC's ongoing push for cyber awareness and training, the day will come when common sense prevails and the omission to implement basic cyber security practices will be seen as negligence.
Here to help
ICTLC has a unique ability to provide the ‘best of breed’ in law, cyber security and data protection through ICT Legal Consulting and ICT Cyber Consulting. We are here to help you navigate your way through the risk and compliance journey.
Notes
[1] This maturity level is not suitable for Australian organisations that have significant data security or financial protection requirements.
[2] ASIC also sought that RI Advice pay a pecuniary penalty under s 1317G(1)(a), and compliance orders under s 1101B(1)(a).
[3] Three requirements should be satisfied: (1) the question must be a real and not a hypothetical or theoretical one; (2) the applicant must have a real interest in raising it; and (3) there must be a proper contradictor.
[4] Set out in Annexure 1 of the reasons for judgment.