Prepared by Jodi Ainsworth.
ASIC has launched proceedings in the Federal Court of Australia against an AFSL holder, RI Advice Group Pty Ltd (RI), arising from alleged failings in RI’s cybersecurity systems. This case is significant as it provides the Federal Court with an opportunity to consider and provide clarity on the obligations of AFSL holders in relation to cybersecurity.
According to ASIC’s claim, as at 1 May 2020 RI had 293 individual and corporate authorised representatives (ARs) and was a subsidiary of IOOF Holdings Limited (having previously been a subsidiary of ANZ). ASIC alleges that between late 2016 and 2020 RI became aware of a number of cybersecurity incidents involving its ARs, including hackings, unauthorised access to an AR’s computer (likely through a Trojan, a form of malicious software) and an unauthorised “brute force” attack, carried out through an employee’s account, on a file server containing sensitive client information.
ASIC makes various allegations about the inadequacy of RI’s cybersecurity risk management, including that its documents were ANZ-developed documents which had not been tailored to the particular requirements of RI and its ARs. ASIC further alleges that, even after these cyber incidents had been identified and reviewed by external providers, RI still did not take steps to implement appropriate cybersecurity documentation and controls.
ASIC is seeking:
- declarations that RI contravened s 912A(1) and s 912A(5A) of the Corporations Act;
- orders that RI pay a civil penalty; and
- compliance orders that RI implement appropriate systems to manage cybersecurity and cyber-resilience risk, and provide an expert report confirming this.
In addition to giving guidance as to the nature and scope of AFSL holders’ obligations to manage cybersecurity risk under the Corporations Act, this case may also have implications for privacy law (e.g. protection of sensitive client information in cyber space). We will follow it with interest and keep you updated!
In the meantime, the case serves as a useful reminder for all AFSL holders: ensure that you have sufficient systems and resources to manage cybersecurity and cyber-resilience risk. If you identify a cyber risk or incident, investigate it properly. If you engage an external IT provider to review your risk, make sure you act appropriately on their recommendations. Do not stick your head in the sand!
ASIC has a number of resources on the topic which, along with its media release on the RI case, can be found here: https://asic.gov.au/about-asic/news-centre/find-a-media-release/2020-releases/20-191mr-asic-commences-proceedings-against-ri-advice-group-pty-ltd-for-alleged-failure-to-have-adequate-cyber-security-systems/
If you would like to discuss your obligations in relation to cybersecurity, please feel free to reach out to one of the Kit Legal team.