Financial Services businesses need robust processes and controls to protect their customer information from cyber attack – that’s the message from the Federal Court’s recent decision in ASIC v RI Advice Group [2022] FCA 496.
Background
RI Advice Group (RI Advice) is a financial services provider and it approved independently owned authorised representatives (ARs) to provide financial services on its behalf. These ARs electronically receive, store, and access confidential and sensitive personal information about RI Advice’s retail clients.
What happened?
Between June 2014 and May 2020, RI Advice’s ARs suffered nine cybersecurity incidents, with the most severe occurring in December 2017 when the personal information of several thousand clients was compromised.
The personal information included:
- personal details, including full names, addresses and dates of birth and in some instances health information;
- contact information, including contact phone numbers and email addresses; and
- copies of documents such as driver’s licences, passports and other financial information.
In one incident in June 2014, one of the ARs' email accounts was hacked and five clients received a fraudulent email requesting the transfer of funds.
One client made transfers totalling $50,000.
In August 2020, ASIC commenced proceedings against RI Advice for its failure to have implemented policies, plans, procedures and controls which were reasonably appropriate to manage the risk of cyber attack in its AR network.
What cybersecurity issues were identified?
It was revealed that there were a variety of issues in the ARs’ management of cybersecurity risk at the time of the incidents.
These included:
- computer systems which did not have up-to-date antivirus software installed and operating;
- no filtering or quarantining of emails;
- no backup systems in place, or backups not being performed; and
- poor password practices including sharing of passwords between employees, use of default passwords, passwords and other security details being held in easily accessible places or being known by third parties.
Cybersecurity measures were present, but inadequate
RI Advice did have cybersecurity measures in place.
As it became aware of the cybersecurity incidents, RI Advice took steps and put measures in place to reduce cybersecurity risk for its ARs, including:
- training sessions, professional development events, and information provided through RI Advice’s weekly newsletter for ARs;
- an incident reporting process where cyber incidents could be discussed; and
- ‘Professional Standards’ recommendations and obligations for its ARs, including password-protecting documents sent via email that contained clients’ personal information; not using personal email addresses; using up-to-date security software; backing up data; and implementing a password policy.
Following the incidents, RI Advice engaged multiple external advisory firms to investigate past failures and review cybersecurity practices.
However, RI Advice admitted that prior to doing so, it did not have systems in place that were ‘adequate’ to manage cybersecurity risk across its AR network, and it took too long to implement and ensure the appropriate measures were in place.
As a result, the Court declared that RI Advice had breached ss 912A(1)(a) and (h) of the Corporations Act 2001 (Cth), which require financial services licensees to (a) “do all things necessary to ensure that the financial services covered by the Licence are provided efficiently, honestly and fairly” and (h) “have adequate risk management systems”.
What were the consequences for RI Advice?
Despite having already engaged experts, the Federal Court ordered that RI Advice must engage a cybersecurity expert to identify what, if any, further measures were necessary to adequately manage cybersecurity risk.
The implementation of any recommended measures was required to be commenced within 90 days, with the cost of these measures to be paid by RI Advice.
RI Advice was also ordered to pay a fixed amount of $750,000 towards ASIC’s costs.
What should businesses take from this?
This decision is a reminder that you shouldn’t wait for cybersecurity issues to arise before you take action to improve your company’s cybersecurity infrastructure.
The fact that RI Advice had taken steps to implement updated measures was insufficient to prevent ASIC from taking legal action against it over the incidents that occurred.
RI Advice accepted that it should have had a more robust implementation of its cybersecurity program across all of its AR network.
What else?
Even if you have provided for adequate cybersecurity systems in the past, this does not mean that your current systems remain adequate.
The Court said:
“Risks relating to cybersecurity, and the controls that can be deployed to address such risks, evolve over time. As financial services are increasingly conducted using digital and computer technology, cybersecurity risk has also increased.
“Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”
Read the full judgement of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] here.
Stay tuned for more from the Aptum leadership team, as we discuss and expand on legal issues businesses are facing.
Aptum are specialists in complex commercial and tax litigation. For clarity in the pathway to resolving your dispute, contact us today.