AFSL Holders and Cybersecurity: Federal Court Sets the Standard

Cybersecurity is an important consideration for all businesses.

Cyber-attacks can damage your reputation and bottom line.

The Federal Court of Australia recently considered a case in which a financial services licensee failed to implement proper cybersecurity protocols.

The decision is a timely reminder of the importance of cybersecurity, particularly for those businesses handling their clients’ personal and sensitive information.

The facts

RI Advice Group Pty Ltd (RI Advice) is the holder of an Australian Financial Services Licence (AFSL).

RI Advice authorised various independent entities (Authorised Entities) to provide financial services on its behalf.

Over the period June 2014 to May 2020, the Authorised Entities suffered nine cybersecurity incidents.

The incidents included ransomware attacks, fraudulent email scams and loss of client data.

These incidents caught the attention of ASIC, which commenced proceedings claiming that RI Advice had breached the following obligations under the Corporations Act:

  • To do all things necessary to ensure that the financial services covered by the AFSL are provided efficiently, honestly and fairly (s912A(1)(a)).
  • To have adequate risk management systems (s912A(1)(h)).

The decision

Prior to a final hearing, RI Advice agreed orders with ASIC in which it admitted the alleged contraventions of the Corporations Act.

The Court accepted those agreed orders, finding that RI Advice had failed to ensure that “adequate cybersecurity measures were in place and/or adequately implemented”. [fn ASIC v RI Advice Group Pty Ltd [2022] FCA 496, [65]]

Further, RI Advice had “failed to have adequate risk management systems, by failing to implement adequate cybersecurity and cyber resilience measures and exposing…its clients to an unacceptable level of risk”. [fn ASIC v RI Advice Group Pty Ltd [2022] FCA 496, [66]]

Accordingly, the Court made orders:

  • declaring that RI Advice had contravened the Corporations Act;
  • requiring RI Advice to engage an independent expert consultant to review and rectify its cybersecurity protocols and report back to ASIC on the same; and
  • requiring RI Advice to pay $750,000.00 towards ASIC’s costs of the proceedings.

In addition, RI Advice will have incurred significant legal fees of its own, as well as damage to its reputation in the market.

Lavan comment

This decision sends a clear message to financial service providers that cybersecurity is an essential part of doing business.

Repeated (or even one-off) cybersecurity incidents may draw the attention of the regulator, potentially resulting in protracted, expensive, and damaging litigation.

As outlined by the Court in its decision, standards of cybersecurity are largely determined by experts in the field, rather than customer expectations. Financial service providers must use their own initiative to engage expert personnel to ensure that their cybersecurity protocols are adequate.

The Court acknowledges that “it is not possible to reduce cybersecurity to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.” [fn ASIC v RI Advice Group Pty Ltd [2022] FCA 496, [58]]

If you require advice with respect to your legal obligations arising out of cybersecurity, do not hesitate to contact Iain Freeman or Andrew Sutton.