Cybersecurity risk management: key lessons from Australia’s first test case | Allen & Overy LLP

For the first time in Australia, a court has brought a case brought by Australia’s financial services regulator, ASIC, that a company’s failure to have a proper risk management system in place to manage its financial services. a cybersecurity incident is a breach of the financial services licensee’s obligations.

Although declaring and ordering in ASIC v RI Consulting Group Pty Ltd [2022] FCA 496 was introduced by mutual consent, which represents a landmark decision in the implementation of Australia’s cybersecurity principles. It serves as a warning to Australian companies operating under an Australian financial services license that the risks they are obliged to manage as a condition of their license include cybersecurity risks and Their network security risk management systems face increasing scrutiny and enforcement action, by regulatory agencies. It is not clear how these particular incidents were brought to the attention of ASIC. However, the ASIC Chairman confirmed that while “ASIC does not seek to regulate technical standards or provide expert guidance on cybersecurity… when we believe a company has not met its cyber risk management obligations, we will consider action. implemented to promote changes in behavior. “^first

Truth

RI Consulting Group Pty Ltd (RI) is an Australian company providing financial advisory services. Prior to 1 October 2018, it was a subsidiary of a major Australian bank until it was acquired by a major financial group. It has an Australian Financial Services License (DISCLAIMER) whereby it allows company representatives and independently owned individuals to provide financial services to retail clients on their behalf. In the course of providing financial services, authorized representatives of RI Consulting will receive, store and electronically access confidential and sensitive personal information and documents relating to their clients ( such as name, address, health information, contact information and copies of personal documents).

Between June 2014 and May 2020, nine cybersecurity incidents occurred involving authorized representatives of RI Consulting. The incidents included hacked emails and websites, physically attacked computers, phishing and phishing emails, ransomware attacks, as well as unauthorized access to servers and emails. These attacks have the effect of damaging and allowing third parties to gain unauthorized access to customers’ personal information.

Following these cybersecurity incidents, inquiries revealed problems in managing cyber risks by authorized representatives of RI Consulting. For example:

• computer systems must not install and operate up-to-date anti-virus software;
• no email filtering or isolation;
• no backup system in place, or backups not being performed; and
• Poor password practices exist, including sharing passwords among employees, using default passwords, passwords, and other security details kept in places easily accessible or known to third parties .²

As of May 15, 2018, RI Consulting has taken several steps to manage cybersecurity risks, including:

• training sessions, professional development events and information provided via weekly newsletter to its representatives;
• an incident reporting process in which network problems can be discussed; and
• sets forth the obligations in the “Professional Standards” contractual terms between the authorized representative and the RI Consultant in relation to information security and other related areas.³

However, as of May 15, 2018, RI Consulting did not have adequate documentation, control and risk management systems to manage cybersecurity-related risks on its representative network.

However, the court noted that after being acquired by a large financial group, RI Consulting resolved these historical issues and made significant improvements to the cybersecurity risk management system. now available. These improvements were achieved through:

• independent investigation and review of past failures and cybersecurity practices by external advisors;
• monitor and evaluate compliance with the cybersecurity requirements contained in the RI Consultants’ Professional Standards; and
• the implementation of a live program with authorized representative practices to raise cybersecurity awareness and assist authorized representatives in identifying and applying good practices in terms of capabilities cyber recovery ( “Resilience Initiative”), on 6 August 2021, the majority of authorized representatives performed well (and RI Consultants has continued to do so since).

Result

RI Consulting admitted, and the court found that:

• due to failure to do all that is necessary to ensure that the financial services covered by AFSL are provided in an efficient and fair manner (due to failure to ensure that appropriate cybersecurity measures are in place). used and/or fully exercised between its authorized representatives from May 15, 2018 to August 5, 2021), RI Consultants countered section 912A(1)(a) of the Act enterprise 2001 (Cth) (Corporations Act); and
• due to the absence of an adequate risk management system, the failure to implement adequate cybersecurity and cyber resilience measures, and exposing the clients of its authorized representatives to an unacceptable level of risk. acceptable, RI Consultants violated section 912A(1)(h) of the Enterprises Act.

No penalty was issued however RI Consulting was ordered by the court to pay AUD 750,000 for ASIC costs. RI Consulting is also required to take certain steps to consult a cybersecurity expert and support the network of authorized representatives of RI Consulting.

Although the Cyber ​​Resilience Initiative that RI Consulting developed and implemented has improved cybersecurity and cyber resilience, the court noted and RI Consulting acknowledged that it took too long to implement and ensure such measures were applied across its entire network.

Important things

• Cybersecurity risk is a significant risk associated with the provision of financial services.
• Even if there are a relatively small number of cybersecurity incidents over a period of time, when taken as a whole, these incidents can be a sign of inadequate cybersecurity systems and processes. enough.
• Financial service providers, which are potential targets of cybercriminals, need to adequately manage cyber risks to protect their customers’ information and meet their licensing obligations. In particular, companies should adequately manage risk by avoiding delays in taking steps to investigate, monitor and improve identified violations.
• While it is not possible to reduce cybersecurity risk to zero, it is fundamentally possible to reduce cybersecurity risk to an acceptable level through adequate cybersecurity controls and documentation. Companies cannot simply react and should actively engage with cybersecurity professionals, provide training for employees, and monitor and audit compliance with cybersecurity requirements.
• This is the first case of its kind in Australia and signals that ASIC and other regulators are likely to continue to focus on cyber risk in their regulation of license conditions related to operators. provides professional and financial services, and will take enforcement actions where appropriate technology, policies and procedures are not in place to protect customer information.

Reviewing data and expecting more attention from regulators and enforcement agencies regarding cybersecurity flaws is one of the ten key challenges we identified for internal advisors. in Allen & Overy’s 2022 Cross-Border Crime and Investigations Review.

Note

1. https://asic.gov.au/about-asic/news-centre/spearies/reflections-from-the-asic-chair/
2. See ASIC v RI Consulting Group Pty Ltd [2022] FCA 496 [17]
3. Ibid [18]