
Cyber security: Is your business managing its risk

30 May 2022
lachlan gibbs kelly dickson
Read time: 4 mins

During the 2020–21 financial year, the Australian Cyber Security Centre received over 67,500 cybercrime reports, with incidents targeting large-scale companies with increasing frequency. The rise in risk has forced many businesses to address cyber security issues, but it wasn’t until recently that companies faced regulatory consequences for breaching their obligations.

On 5 May 2022, the Federal Court finalised its judgment in the matter of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496. In an Australian first, it was held that RI Advice Group Pty Ltd (RI) had breached its obligations as an Australian Financial Services Licensee (Licensee) by failing to have adequate risk management systems in place to manage its cyber security risks.

The decision is an important lesson for all regulated entities, as it flags ASIC’s increased regulatory focus on businesses’ cyber security processes. The lesson, however, is the same for all businesses, big or small: every company should ensure it has appropriate measures in place to address cyber security risks, or risk significant civil penalties.

how did RI breach cyber security obligations?

RI provides financial services under a third-party business owner model, with authorised representatives providing financial services to clients. Between 2014 and 2020, RI experienced nine cyber-related incidents. ASIC argued that RI failed to respond proactively to these incidents and to put appropriate measures in place. ASIC alleged that RI’s failure to have proper cyber security risk management in place breached the general obligations of Licensees under section 912A of the Corporations Act 2001 (Cth) (the Act).

minimum standards for cyber security

During the case, ASIC detailed a set of 68 security documentation and control standards which, in its view, would constitute the minimum standards for a Licensee; however, there are currently no published standards for Licensees. At this early stage, the controls put forward by ASIC in the RI matter can be used as a guideline, but given the ambiguity it is recommended that businesses seek bespoke legal and IT advice when implementing cyber security measures.

RI’s control processes fell short

Although not at the level considered suitable by ASIC, RI did have control processes in place to manage its cyber security risks. These included professional standards, incident reporting processes, and seeking confirmation from its authorised representatives that they had understood these standards and processes. RI’s processes improved significantly during 2020/2021. This was not, however, enough to satisfy ASIC, as the Regulator still brought proceedings against RI.

outcome

The parties agreed on settlement terms, which were accepted by the Court. In her judgment, the Hon. Justice Rofe recognised that it is “not possible to reduce cyber security risk to zero”, but that such risk could still be reduced to an acceptable level.

The Court ordered RI to pay part of ASIC’s legal costs ($750,000) and to engage a cyber security expert to identify and implement further measures, if necessary, to manage its cyber security risks.

Interestingly, ASIC appears to have used this matter as a test case to establish cyber security standards; however, the judgment did not consider that question, so the standards required for Licensees to meet their general obligations are no clearer.

takeaways

This case highlights the need for Licensees, and all businesses, to review their cyber security processes and ensure they have appropriate measures in place. Given there are no clear standards or obligations, a legal team (whether in-house or external) should work in collaboration with IT in establishing the processes required.

Having compliance measures in place will not necessarily mean your business meets its general obligations. Businesses must remain vigilant, have adequate auditing procedures in place, and commit to continually building upon existing procedures. Technology is constantly evolving, so it is important that businesses’ cyber security risk management strategies and procedures continue to evolve too.

If you would like to speak to our team about mitigating cyber risks, contact Managing Principal Lawyer Kelly Dickson out of our Dandenong office.
