Earlier this month, the Australian Federal Court handed down a cybersecurity ruling against AFS licensed financial services company RI Advice, signalling a toughening of the court’s stance on cybersecurity issues.
Whilst Australia is yet to formalise its own Cybersecurity Act, there are significant provisions under corporate legislation that do more than simply virtue signal when it comes to corporate cybersecurity responsibilities.
In the recent case of Australian Securities and Investments Commission (ASIC) v RI Advice, the court ruled that RI Advice had breached its Australian Financial Services (AFS) licence obligations by failing to adequately manage its cybersecurity risks.
Over a six-year period, from 2014 to 2020, a “significant number” of cybersecurity incidents occurred at authorised representatives of RI Advice. As a result, the confidential and personally identifiable records of thousands of clients were compromised. In one particular incident, an attacker gained unauthorised access to a representative’s file server; the intrusion was not discovered until some four months after access had been gained.
In handing down the judgement, Justice Rofe made it clear that cybersecurity best practice was a fundamental part of a licensee’s obligations. “Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services,” she said. “It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access”. This cybersecurity ruling signifies a shift from previous cases.
For more information on the judgement, visit itbrief.com.au
The legal bit
The case was brought by ASIC under the Corporations Act 2001, specifically section 912A(1)(a), which obliges an AFS licensee to provide financial services efficiently, honestly and fairly. Justice Rofe also found that section 912A(1)(h) applied, which requires an AFS licensee to have adequate risk management systems.
When it comes to risk management, the court determined that an “adequate” system would reasonably need to address the cybersecurity risks arising from RI Advice’s authorised representatives. As those representatives collected and stored sensitive data about retail clients, there was an implied duty to assess the risk to that data and to take steps to secure it.
Poor cybersecurity discipline
In total, there were nine cybersecurity incidents between 2014 and 2020 involving authorised representatives of RI Advice. These were found to have resulted from poor cybersecurity risk management, and the underlying deficiencies were common ones, including:
- using systems that did not have up-to-date antivirus software installed and operating
- not implementing filtering or quarantining of emails
- not having backup systems in place, or backups not being performed
- poor password practices, including sharing of passwords and use of default passwords
RI Advice took steps to put more rigorous policies in place after becoming aware of the most serious of these incidents, but admitted it took too long to implement the necessary changes.
Handing down the judgement, Justice Rofe ordered RI Advice to undertake a compliance program, including engaging an external expert to independently assess the adequacy of its cybersecurity risk program. RI Advice was also ordered to pay $750,000 towards ASIC’s costs.
Zero trust, maximum protection
Cybersecurity has long ceased to be “just an IT issue”. However, even at board level, there is still a degree of uncertainty about process and policy. This ruling is likely to be the first of many as the courts emphasise the wider duty of care organisations have to protect customer data. Starting in well-regulated industries, we could finally see a mindset shift if corporations are held liable for their cybersecurity shortcomings.
A robust cybersecurity stance involves the use of both prevention and protection technologies. In a digitally enabled world, security needs to be enterprise-wide, which means extending protection beyond core infrastructure, all the way to the edge.
Network infrastructure, endpoints and file collaboration platforms all need to be hardened if they are to provide the levels of protection necessary to meet evolving standards of cybersecurity. For details of the Senetas range of cybersecurity solutions, check out the links below.