Failing to have appropriate risk compliance systems to guard against potential cybersecurity breaches may amount to a contravention of an Australian Financial Services Licence (AFSL) holder’s obligations under the Corporations Act 2001 (Cth) (“Corporations Act”). This possibility has hit home and become a reality for RI Advice Group Pty Ltd (RI). On 21 August 2020, ASIC commenced proceedings against RI alleging that its failure to implement adequate cybersecurity measures violated the Corporations Act.
This matter is of significant interest and should be watched closely by all businesses that hold an AFSL as it is the first time that proceedings have been initiated by ASIC, and which it has alleged inadequate cybersecurity systems. Moreover, in the time of COVID-19, in which there has been a significant shift by businesses to the digital space, it is particularly important for businesses to focus on ensuring their security systems are fit for purpose.
The Claim
RI holds an AFSL and engages many authorised representatives (Agents) to provide financial services to clients on its behalf. ASIC in this novel litigation is seeking:
- A declaration from the Federal Court of Australia that RI contravened its licensee obligations arising from the Corporations Act;
- Pecuniary penalty of at least 50,000 units; and
- A compliance order requiring RI to put into effect adequate cybersecurity measures within 3 months of the date of the orders and to provide a written report within 5 months from that date that an independent expert has confirmed RI’s compliance.
Between 2016 and 2020, a number of RI’s Agents were victims of a number of cyber breaches. In one particular incident, an anonymous rogue obtained access to the file server of Frontier Financial Group (FFG). The rogue spent over 150 hours in the server, enabling access to sensitive client information. The data breach took more than 3 months to be identified.
ASIC’s Notice of Filing alleges that “it is essential that an AFSL holder such as RI, which holds (including by its ARs) confidential and sensitive client information and documents, has in place adequate risk management systems, and resources (including technological and other resources), in respect of cybersecurity and cyber resilience”.
In particular, ASIC is alleging that RI has contravened section 912A(1)(a), (b), (c), (d), (h) and (5A), which relevantly require RI to:
- do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly;
- comply with the conditions on the licence;
- comply with the financial services laws;
- have adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence to carry out the supervisory arrangements; and
- have adequate risk management systems.
Implications of the Case
Time will only tell whether ASIC will be successful in this unique matter. The outcome of the matter will likely influence how readily ASIC will embark upon this type of litigation in the future.
Although particularly relevant to holders of an AFSL, this case highlights the importance for all organisations to ensure that they have taken all reasonable steps to implement cybersecurity measures to protect sensitive information entrusted to them, and to continuously review those measures to ensure they are effective and fit for purpose.
