Company Law – A first for ASIC: Cracking down on cyber security failure
On 21 August 2020, ASIC announced that it had commenced proceedings in the Federal Court of Australia against RI Advice Group Pty Ltd (RI), an Australian Financial Services (AFS) licence holder, for failing to ensure that financial advisers under its control protected sensitive data from a “brute force” cyber incident.
RI was formerly a wholly owned subsidiary of Australia and New Zealand Banking Group Limited (ANZ). From 1 October 2018, RI became a wholly owned subsidiary of IOOF Holdings Limited (IOOF).
ASIC’s actions come after several alleged cyber breaches at certain authorised representatives of RI, between late 2016 and April 2020. These authorised representatives provide financial services on behalf of RI and include Wise Financial Planning, RetireInvest Circular Quay, the Frontier Financial Group Pty Ltd as trustee for The Frontier Trust (Frontier), RI Shepparton and Empowered. The alleged incidents included the ransomware hacking of an authorised representative’s reception computer and unauthorised access to emails.
An alleged ransomware attack occurred at Wise Financial Planning in late December 2016, resulting in an office computer being hacked and files being encrypted, thereby making them inaccessible.
The alleged incident at Frontier occurred between December 2017 and May 2018. ASIC describes the incident as a “brute force” attack whereby cybercriminals gained unauthorised access to Frontier’s server for over six days. The server contained sensitive client information including identification documents. Furthermore, Frontier failed to detect the breach until 16 April 2018, more than three months after it had commenced.
During the relevant period, RI received several reports on cyber security including one from KPMG. The reports recommended that RI conduct reviews of all of its authorised representatives. This was imperative given that the cyber security of the authorised representatives was rated as “Fair” at best. ASIC states that RI failed to conduct this review. The reports also stated that RI failed to implement adequate password security including multi-factor authentication.
ASIC claims that RI breached its AFS licence conditions and failed to discharge its duties and functions as an AFS licence holder, by failing to implement adequate systems, resources and policies which were reasonably required in the circumstances in order to manage cyber security risk and enhance cyber resilience.
Specifically, ASIC alleges that, after becoming aware of the Frontier breach, and with knowledge of the Wise Financial Planning, RetireInvest Circular Quay and RI Shepparton incidents, RI should have:
- promptly adopted a cyber security framework,
- undertaken a risk assessment across its full network of authorised representatives, and
- sought appropriate expert advice.
ASIC claims that RI failed to take such action. ASIC’s statement of claim alleges that RI’s failure led to an “unacceptable level of risk” to RI, its advisers and customers. The court documents also allege that RI’s cyber security processes were complicated by the transition of the company from ANZ to IOOF’s ownership. In particular, IOOF’s standard cyber security documentation was not tailored to the RI acquisition.
What is ASIC seeking?
ASIC is seeking:
- declarations that RI contravened the Corporations Act 2001 (Act), specifically sections 912A(1)(a), (b), (c), (d) and (h) and (5A),
- orders that RI pay a civil penalty in an appropriate amount to be determined by the court, and
- compliance orders that RI implements systems which are reasonably appropriate to adequately manage risk in respect of cyber security and cyber resilience and provide a report from a suitably qualified independent expert, confirming that such systems have been implemented.
Where the Corporations Act fits in
ASIC’s allegations are founded on breaches of s 912A(1) and s 912A(5A) of the Corporations Act. Section 912A(1) provides that AFS licensees must, amongst other obligations, have adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence and have adequate risk management systems in place.
ASIC’s interpretation of s 912A(1), to encompass cyber security, should not come as a surprise. ASIC clearly stated in March 2015 in Report 429, that “given the increased threat of cyber attacks, we expect our regulated population, particular[ly] licensees, to address cyber risks as part of its legal and compliance obligations”.
A landmark for ASIC
Although ASIC has been increasingly focusing on cyber security in recent years, this is the first time that ASIC has initiated legal proceedings alleging deficient cyber security practices. ASIC has indicated in the past that managing cyber security risks falls within the realm of general directors’ duties. However, in this case, ASIC’s claim against RI alleges contravention of its obligations as an AFS licence holder, as opposed to a breach of directors’ duties.
ASIC’s legal proceedings reflect the Australian Government’s increased focus on the protection and security of critical business infrastructure. This is a key initiative of Australia’s Cyber Security Strategy 2020.
What does this mean for corporations?
The RI litigation may be seen as a shift in ASIC’s focus from merely educational to actual enforcement. It sends a clear signal to insurers and financial service providers that the corporate regulator takes cyber security lapses very seriously and should serve as a critical reminder to corporations of the importance of maintaining adequate cyber security systems. This is even more imperative in light of the critical reliance on cyber security in the age of Covid-19, where organisations are conducting a large portion of their operations online.
Financial service providers, in particular, can be prime targets for cyber criminals due to the vast amounts of confidential client information that they collate and store, including sensitive financial data.
This is not the time for entities to become complacent about their current systems or processes. These should be reviewed. Companies need to satisfy themselves that they have taken all reasonable steps in the circumstances to ensure that the people, processes and technologies they employ to protect the security of information are fit for purpose. It is also recommended that corporations have their technical systems and processes tested by independent cyber security experts, in order to ensure compliance.
This litigation may also open the floodgates for other regulators, such as APRA, the ACCC or the Office of the Australian Information Commissioner (OAIC) to bring enforcement actions in similar circumstances for alleged cyber security breaches or subsequent breaches of privacy.
Sources:
- ASIC, 20-191MR, ASIC commences proceedings against RI Advice Group Pty Ltd for alleged failure to have adequate cyber security systems, 21 August 2020, accessed 9 September 2020.
- Australian Financial Review, IOOF hit with lawsuit alleging cybersecurity failure, 21 August 2020, accessed 9 September 2020.
- ASIC, Cyber resilience good practices, accessed 9 September 2020.