On 5 May 2022, in a landmark Australian decision, the Federal Court found that RI Advice had breached its obligations as an Australian financial services (AFS) licensee to act efficiently, honestly and fairly, as a result of its failure to have in place adequate risk management systems to manage cybersecurity risks.
In handing down her judgment, Justice Rofe warned that “cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services”. Her Honour noted that the declarations ordered in the matter should deter other AFS licensees from engaging in similar conduct.
AFS licensees should consider their risk management systems anew in light of the decision, and take stock of the particular cybersecurity risks that may arise in their businesses.
For the most part, the Australian Securities and Investment Commission (ASIC) and RI Advice agreed as to the accepted principles regarding the assessment of an AFS licensee’s compliance with section 912A(1)(a) of the Corporations Act 2001 (Cth) (Act) (the requirement that an AFS licensee provide financial services efficiently, honestly and fairly). Justice Rofe reiterated those principles as set out in cases including ASIC v Westpac Securities Administration Ltd (2019) 272 FCR 170 and ASIC v Westpac Banking Corporation (No 2)  FCA 751. Justice Rofe did, however, resolve one disagreement between the parties, finding that the requirement for an AFS licensee to provide financial services “efficiently” cannot, in a highly technical area like cyber risk management, be assessed by reference to public expectation. The reasonable standard of performance is instead to be assessed by reference to the reasonable person qualified in the area.
Justice Rofe also clarified the application of section 912A(1)(h) of the Act (the requirement that an AFS licensee have “adequate risk management systems”). Her Honour concluded that the notion of “adequacy” imports a normative standard of conduct. The particular focus of the provision is on “risk management systems”, and for that reason the provision requires identification of the specific risks that arise in the context of a particular business. For RI Advice, this meant identifying risks to authorised representatives, rather than [just to] RI Advice itself. Further, in the context of cyber risk management, the provision requires consideration of the risks faced in relation to a business’ operations and IT environment. The applicable standard of “adequacy” to be applied in a given situation is ultimately one for the Court to decide, however the Court’s assessment will likely be informed by evidence from qualified experts in the field.
The final hearing in ASIC v RI Advice Group Pty Ltd  FCA 496 had been fixed to commence on 4 April 2022, however the matter was settled before the hearing began. As part of the settlement process, the parties proposed directions and orders to be made by consent, and Justice Rofe found there to be a proper basis for making such orders.
The case concerned the conduct of RI Advice, a wholly-owned subsidiary of Australia and New Zealand Banking Group Limited. RI Advice carries on a financial services business of authorising independently-owned corporate authorised representatives and individual authorised representatives to provide financial services to retail clients on its behalf and pursuant to its AFS licence. The authorised representatives, pursuant to RI Advice’s AFS licence, collected certain confidential and sensitive personal information and documents in relation to their retail clients. Between June 2014 and May 2020, nine cybersecurity incidents occurred involving the authorised representatives.
These incidents were found to be the result of a variety of issues with the authorised representatives’ management of cybersecurity risk, including:
- using computer systems which did not have up-to-date antivirus software installed and operating;
- not implementing filtering or quarantining of emails;
- not having backup systems in place, or backups not being performed; and
- poor password practices including sharing of passwords between employees, use of default passwords, passwords and other security details being held in easily accessible places or being known by third parties.
RI Advice, after becoming aware of the most serious of these incidents in May 2018, took steps and put in place certain documentation, controls and risk management measures for its authorised representatives, including:
- training sessions, professional development events, and information being provided through RI Advice’s weekly newsletter for authorised representatives;
- an incident reporting process where cyber incidents could be discussed; and
- obligations in the “Professional Standards” contractual terms between authorised representatives and RI Advice relating to information security, electronic storage, incident notification requirements, fraud procedures and privacy.
However, RI Advice admitted that it took too long to ensure that such measures were in place across all of its authorised representatives. Justice Rofe accepted that RI Advice should have had a more robust implementation of its program, and so found that RI Advice continued to contravene section 912A(1)(h) of the Act until 5 August 2021. On that basis, Her Honour ordered RI Advice to undertake a compliance program, including engaging an external expert to assess the adequacy of its cybersecurity risk management systems. Her Honour also ordered RI Advice to pay ASIC’s costs in the proceedings of $750,000.
To discuss how our experience can assist you, or if you have any questions on any of the matters above, please do not hesitate to liaise with your usual contact at Baker McKenzie or the lawyers listed in this Alert.