In a recent Federal Court case, an Australian financial services licence (AFSL) holder was found to have breached its AFSL obligations by failing to adequately address its cybersecurity risks. Following this case, AFSL holders should ensure they have suitable processes in place to manage cybersecurity risk and engage relevantly qualified professionals to confirm the competency of their cyber risk management systems. Further, robust monitoring and auditing systems will be an important tool for AFSL holders to regularly review the adequacy of their cyber risk management systems against the evolving nature of cybersecurity requirements.
Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496
On 5 May 2022, the Federal Court found that RI Advice Group Pty Ltd (RI Advice), by failing to adequately address its cybersecurity risks, had breached its Australian financial services licence (AFSL) obligations to:
- provide financial services 'efficiently, honestly and fairly'; and
- have adequate risk management systems in place.
This case is an Australian first and AFSL holders should be alert to the importance of managing cybersecurity risks to ensure compliance with their AFSL obligations.
RI Advice is the holder of an AFSL, and it engaged authorised representatives to provide financial services on its behalf. Between June 2014 and May 2020, RI Advice, through its authorised representatives, was the subject of nine cyber incidents. In mid-2018, RI Advice became aware of the shortcomings in its compliance systems and of the cyber incidents. Despite this, it took RI Advice until 6 August 2021 to implement improved cybersecurity and cyber resilience controls across its authorised representatives.
The case has wide-ranging implications for AFSL holders and we have set out below key takeaways from the judgment:
- The digitalisation of financial services through the uptake of digital and computer technology has increased the industry’s vulnerability to cybersecurity risk. This case highlights the importance for financial services providers to implement adequate controls to minimise their cybersecurity risk.
- A failure to maintain and/or implement adequate cybersecurity measures for an AFSL holder and its authorised representatives may amount to a breach of an AFSL holder’s obligations to provide financial services “efficiently, honestly and fairly” and have adequate risk management systems (s912A(1)(a) and (h) of the Corporations Act 2001 (Cth)).
- A significant consideration in this case was the time RI Advice took to address the cyber incidents after becoming aware of them. Upon identifying a cyber incident or an inadequacy in the system, businesses should ensure they implement appropriate cybersecurity controls in a timely manner, as the risk increases the longer the inadequacy remains unaddressed.
- “Cyber risk management is a highly technical area of expertise” and the “Court’s assessment of the adequacy of any particular set of cyber risk management systems will likely be informed by evidence from relevantly qualified experts”. In the same vein, when implementing cybersecurity risk management systems businesses should engage the advice of cyber experts to determine the adequacy of their systems.
- “Risks relating to cybersecurity, and the controls that can be deployed to address such risks evolve over time”. It is important for businesses not only to implement adequate risk management systems but also to have processes to monitor and audit compliance with their cybersecurity requirements. This will assist businesses in understanding whether their controls remain adequate to mitigate risks that have evolved over time.
Following this case, AFSL holders should ensure they have suitable processes in place to manage cybersecurity risk and engage relevantly qualified professionals to confirm the competency of their cyber risk management systems. Further, robust monitoring and auditing systems will be an important tool for AFSL holders to regularly review the adequacy of their cyber risk management systems against the evolving nature of cybersecurity requirements.
Material in this article is available for information purposes only and is a high level summary of the subject matter. It is not, and is not intended to be, legal advice. Hazelbrook does not guarantee the accuracy of the information provided. You should first obtain professional legal advice prior to taking any action on the basis of any information contained in this article. This article is copyright. For permission to reproduce this article please email Hazelbrook Legal: firstname.lastname@example.org