ALERT: AFSL HOLDERS – CYBER RISK TO YOUR LICENCE

Australian financial services licence (AFSL) holders are familiar with the importance of compliance. The obligations of an AFSL holder under the Corporations Act include ensuring that its services are provided efficiently, honestly and fairly, and having adequate risk management systems in place. The potential for a cyber security breach is a risk that those systems must adequately address and manage.

In the recent case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, RI Advice Group Pty Ltd (RI Advice) was ordered to pay $750,000 towards ASIC’s costs after the court found that it did not have adequate cybersecurity risk management systems in place. The court held that RI Advice contravened sections 912A(1)(a) and (h) of the Corporations Act between 2018 and 2021 as it:

  • failed to do all things necessary to ensure the financial services covered by the AFSL were provided efficiently and fairly – section 912A(1)(a); and
  • failed to have adequate risk management systems in place – section 912A(1)(h).

AFSL holders, and financial advisers in particular, are a prime target of cyber criminals. They invariably hold personal information, including financial information, and that information is valuable to cyber criminals.

One of the potential consequences of failing to have adequate risk management systems in place is loss of the AFSL. ASIC Chair Joseph Longo recently said “… where … a firm has not met its cyber risk management obligations, we will consider enforcement action to drive changes in behaviour” [Speech by Chair Joseph Longo at the Law Council of Australia Business Law Section Corporations Workshop, 4 June 2022].

Background

RI Advice carries on a financial services business within the meaning of the Corporations Act and authorises individual and corporate representatives (authorised representatives, or ARs) to provide financial services to retail clients on its behalf. In the course of providing advice, personal information was collected from a large number of retail clients (at least 60,000 clients since 2018). The information included full names, addresses, dates of birth and in some instances health information, contact phone numbers, email addresses and copies of documents such as driver’s licences and passports. The information also included personal financial information.

It was found that between 2014 and 2020 nine cybersecurity incidents occurred at ARs of RI Advice, including clients receiving fraudulent emails, fake home pages being created and ransomware attacks. The inquiries and reports made on behalf of RI Advice following those incidents revealed that, as at the dates of the incidents, there were a variety of issues in the respective ARs’ management of cybersecurity risks, which included:

  • computer systems which did not have up-to-date antivirus software installed and operating;
  • no filtering or quarantining of emails;
  • no backup systems in place, or backups not being performed; and
  • poor password practices including sharing of passwords between employees, use of default passwords, passwords and other security details being held in easily accessible places or being known by third parties.

RI Advice gave evidence that it had taken steps to implement controls and risk management measures in respect of cybersecurity, such as training sessions and professional development sessions, but the court held that it took too long to implement those measures. In addition to the substantial costs order of $750,000, RI Advice was ordered to engage a cyber security expert to identify what documentation and controls in respect of cybersecurity and cyber resilience are necessary for RI Advice to implement, and to proceed with implementing those measures.

What can you do to minimise cyber risk?

Organisations should follow current market expectations and practices when it comes to cybersecurity. If an organisation is unsure where to start, a sensible approach is to look to ASIC’s 8 key questions that organisations should be asking on the topic of cybersecurity:

  1. Are cyber risks an integral part of the organisation’s risk management framework?
  2. How often is the cyber resilience program reviewed at the board level?
  3. What risk is posed by cyber threats to the organisation’s business?
  4. Does the board need further expertise to understand the risk?
  5. How can cyber risk be monitored and what escalation triggers should be adopted?
  6. What is the people strategy around cybersecurity?
  7. What is in place to protect critical information assets?
  8. What needs to occur in the event of a breach?

The recent publication ‘Risk management for directors: A guide’, published by the Governance Institute of Australia, highlighted that regulators such as APRA have stated that APRA “expects boards to have the same level of confidence in reviewing and challenging information security issues as they do when governing other business issues”.

What these and other commentaries demonstrate is that an organisation should take a top-down approach to cyber security. It is not just a matter of buying a security product, such as DDoS protection. The board and CEO must be directly involved in assessing the risk, developing strategies and policies, and seeing that they are implemented, reviewed and updated on a regular basis.

Key take-aways

The judge in the RI Advice case, Her Honour Justice Rofe, made it clear that cybersecurity should be front of mind for all licensees, stating, ‘Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.’ Key takeaways from the case are:

  • Be aware – make sure you have a general understanding of cyber security and your own systems and policies surrounding it.
  • Adopt a top down approach; be diligent – consider ASIC’s 8 key questions on cybersecurity.
  • Time is of the essence – systems need to be implemented now and if breaches occur they need to be addressed as soon as possible.
  • Remember – ASIC (and other government agencies) are watching!

Don’t push cyber security to the side if you’re unsure whether your current cybersecurity system and policies are adequate. You need to keep up to date with developments.

Queries

For further information regarding the above, please contact the author or any member of our Corporate & Commercial team.

Disclaimer

This information and the contents of this publication, current as at the date of publication, are general in nature, are offered to assist Cornwalls’ clients, prospective clients and stakeholders, and are for reference purposes only. They do not constitute legal or financial advice. If you are concerned about any topic covered, we recommend that you seek your own specific legal and financial advice before taking any action.