Inadequate cybersecurity risk management a Corps Act breach

John Kavanagh

The Federal Court has ruled that a former ANZ subsidiary holding an Australian financial services licence contravened the Corporations Act by not having adequate cybersecurity risk management in place.

In a judgment handed down earlier this month (Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496), the court ruled that RI Advice Group failed to have documentation and controls in place in respect of cybersecurity and cyber resilience “that were adequate to manage risk in respect of cybersecurity and cyber resilience across its AR [authorised representative] network”.

As a result, it failed “to do all things necessary to ensure the financial services covered by the licence were provided efficiently and fairly”.

Legal commentators have described the case as a landmark. Gadens said it was highly significant because it clarified the meaning of “efficiently, honestly and fairly” under section 912A of the Corporations Act in the context of the risk management of cybersecurity.

Barry.Nilsson Lawyers said the judgment represents a “seismic shift” in expectations of both the corporate regulator and the courts. “Moving forward, enforcement action for inadequate cybersecurity can no longer be seen by ASIC’s regulated population as an unknown or remote risk,” it said.

Hall & Wilcox said the ruling confirms that cybersecurity is now a fundamental aspect of risk management.

RI Advice was an ANZ subsidiary until September 2018, when it was one of three ANZ financial licensees sold to IOOF Holdings (now called Insignia Financial).

Between June 2014 and May 2020 nine cybersecurity incidents occurred at RI authorised representative practices. ASIC took the matter to court in August 2020.

The matter was settled earlier this year and the parties prepared an agreed statement of facts and gave the court proposed declarations and orders.

In the course of business, RI’s authorised representatives received and stored personal information relating to 60,000 clients, including names, addresses, dates of birth, health information, contact details and copies of documents such as drivers’ licences, passports and financial information.

The cybersecurity incidents included hacked email accounts, fraudulent emails requesting the transfer of funds and ransomware attacks. One client made transfers totalling A$50,000 in response to fraudulent requests.

In one practice there was a single password that all staff used to access client information. In another practice, a malicious actor had access to the server for several months.

Later inquiries found that computer systems did not have up-to-date antivirus software, there were no backup systems or no backups were being done, and password practices were poor.

By 2018, RI was taking steps to fix the problems, but the court found that those steps should have been more robust and took too long to implement.

The court ordered the company to engage a cybersecurity expert agreed to by ASIC to put a cybersecurity risk management program in place. It must get the work done as soon as possible and it must report back to ASIC on its progress.