‘Reliance on Third-Party Providers is Always a Risk’: ASIC’s Renewed Focus on Cybersecurity for Financial Institutions

13 Dec 2023

Major cyber-attacks against Medibank and Optus in 2022 pushed cyber security to the forefront for many Australian businesses. Last month, the chair of the Australian Securities and Investments Commission (ASIC), Mr Joe Longo, said in a speech to the Australian Financial Review Cyber Summit that ‘cyber security and cyber resilience has got to be a top priority’ for all boards of financial institutions. Mr Longo warned that companies that do not adopt an active approach to cyber security could incur civil penalties, both for the company itself and for its directors.

Lessons from ASIC v RI Advice Group Pty Ltd [2022] FCA 496

ASIC’s focus on cyber security as a matter of corporate governance follows its successful action against RI Advice Group Pty Ltd (RI Advice) in 2022, in which the Federal Court of Australia declared that RI Advice had contravened sections 912A(1)(a) and 912A(1)(h) of the Corporations Act 2001 (Cth) (the Act) and ordered it to pay $750,000 towards ASIC’s costs. RI Advice was also ordered to engage a cyber security expert, at its own expense, to examine its systems.

The declaration followed several cyber security incidents between 2014 and 2020, some of which resulted in unauthorised access to customers’ personal information. RI Advice had failed to comply with its obligations to have adequate risk management systems in place (section 912A(1)(h) of the Act) and to provide its financial services efficiently, honestly and fairly (section 912A(1)(a) of the Act). In her judgment, Rofe J recognised that cyber security risk has increased as ‘financial services are increasingly conducted using digital and computer technology’ and that cyber threats now present ‘a significant risk connected with the conduct of the business and provision of financial services.’[1] Her Honour found that, in order to comply with its obligations as they relate to cyber security, a firm is required to:

  1. identify the cyber security risks involved in providing its financial services;
  2. maintain documentation, controls and risk management systems to manage those risks; and
  3. assess the adequacy of its cyber security controls by reference to the recommendations of those with technical expertise in the area, rather than by reference to public expectations.

Managing Risk from Third-Party Providers and Across the Digital Supply Chain

In his speech, Mr Longo emphasised the risk that reliance on third-party providers, including providers of cyber security services, poses for financial institutions. He noted that 44% of respondents to ASIC’s Cyber Pulse survey indicated that they did not manage third-party or supply chain risk. That is a cause for concern, because outsourcing a service does not outsource the obligation: if a risk eventuates through a provider, the liability still rests with the financial services licensee. Mr Longo recommended that directors take a holistic approach and engage with their digital supply chain and third-party providers to ensure this risk is adequately managed. He stated: ‘cyber security and resilience are not merely technical matters on the fringes of directors’ duties… ASIC also expects [risk management] to include oversight of cyber security risk throughout your organisation’s digital supply chain.’[2] He warned that ‘if boards do not give cyber security and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC’.

Directors’ Liability and Disclosure Requirements

Complying with cyber security obligations does not require directors to deliver ‘impregnable systems’; as Mr Longo acknowledged, ‘that’s not possible’. Instead, directors should ensure their firms are prepared to weather a cyber-attack through adequate security and, equally, through ‘cyber resilience’: the ability of the firm to withstand, respond to and recover from an attack. In practice this means planning the firm’s cyber security approach, testing it to identify critical vulnerabilities, and continuing to evaluate the controls that have been put in place. Because technology and threats keep evolving, a ‘set and forget’ approach could prove fatal: each day that a known vulnerability goes unaddressed, the firm’s exposure grows.

A failure to have adequate cyber security systems in place exposes a company to large financial and reputational damage, puts the company and its directors at risk of regulatory enforcement action, and opens the door to lengthy shareholder class action proceedings. For listed companies, it can also trigger disclosure obligations. Typically, when the market learns that a company has been the subject of a cyber-attack, its share price falls by about 5%.[3] A market impact of that size suggests that a cyber-attack is a material event and therefore falls within continuous disclosure requirements. That view is shared by Mr Daniel Moran, the ASX’s chief compliance officer, who has warned that listed companies should disclose what they know about a cyber-attack against them as early as possible. With this in mind, reviewing cyber strategy may be more important than you think.

ASIC’s Cybersecurity Outlook

ASIC’s renewed focus on cybersecurity measures taken by financial institutions comes in tandem with an increased willingness to seek court-based outcomes for breaches of this type. This could mean significant pecuniary penalties for the company or the personal liability of directors who do not adhere to their obligations.

Firms should remain vigilant and seek to evaluate their cybersecurity risk management systems internally, externally through their third-party providers and throughout their digital supply chain to avoid the disruption of a cyber-attack and potential enforcement action from the regulator. As put by Mr Longo, ‘measures taken should be proportionate to the nature, scale, and complexity of your organisation’ and should be reviewed on an ongoing basis.



[1] ASIC v RI Advice Group Pty Ltd [2022] FCA 496, [58] (Rofe J).

[2] Joe Longo, speech to the Australian Financial Review Cyber Summit (cited above).

[3] Patrick Durkin, ‘Only 11 of 36 hacks revealed to market: ASIC warns on disclosure’, Australian Financial Review (online, 20 February 2023) <https://www.afr.com/technology/only-11-of-36-hacks-revealed-to-market-asic-warns-on-disclosure-20230216-p5cl28>.
The content of this article is intended to provide a general guide to the subject matter. Specific advice should be sought about your specific circumstances.