AFS Licensees on notice-cyber risks are taken seriously by ASIC and the courts

10 May 2022

Sally Weatherstone
Partner
Sparke Helmore Lawyers

Sally Weatherstone
Partner
Sparke Helmore Lawyers
t: +61 2 9260 2557

Sally is a corporate lawyer with strong mergers and acquisitions (M&A), equity capital markets and commercial contract experience. She is the National Service Line Leader of the firm’s Corporate Advisory team. Sally’s experience covers a broad range of sectors and industries but it’s her reputation in the energy and resources sector that is particularly strong—she has been recognised as a leading legal practitioner in the Chambers Asia Pacific Legal directory since 2013.

Marianne Robinson
Special Counsel
Sparke Helmore Lawyers

Marianne Robinson
Special Counsel
Sparke Helmore Lawyers
t: +61 2 9260 2755

Marianne is one of Australia's leading advisors to mutual companies. She has advised this sector for more than 16 years and has been involved with the creation and regulation of many mutual companies.

All.Corporate & Commercial.Regulatory & Investigations

When ASIC first started proceedings against AFS Licensee, RI Advice, many licensees were caught by surprise especially when the cyber incidents giving rise to the prosecution were not committed against the AFS Licensee itself but against the authorised representatives of the AFS Licensee.

The Federal Court in the matter of ASIC v RI Advice Group Pty Ltd [2022] FCA 496 has found that by failing to have adequate risk management systems in place to manage cybersecurity risks, RI Advice breached its AFS licence conditions and failed to act efficiently and fairly.

In her judgement, Her Honour Justice Rofe included the following statements:

“Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”

“Cyber risks, an adequate response to such risks and building cyber-resilience requires appropriate assessment of the risks faced by a business in respect of its operations and IT environment. Cyber risk management is a highly technical area of expertise. The assessment of the adequacy of any particular set of cyber risk management systems requires the technical expertise of a relevantly skilled person.”

“Cyber risk management is not an area where the relevant standard is to be assessed by reference to public expectation. Rather, the adequacy of risk management must be informed by people with technical expertise in the area.”

“While it may be said that the public would expect the holder of an AFSL to have adequate cybersecurity measures, this says nothing of the content. In a technical area such as cybersecurity risk management, the reasonable standard of performance is to be assessed by reference to the reasonable person qualified in that area, and likely the subject of expert evidence before the Court, not the expectations of the general public.”

The penalty imposed included:

paying a $750,000 contribution towards ASIC’s legal costs
engaging a cybersecurity expert within one month to identify what further documentation and controls are required in respect of cybersecurity and cyber resilience across its AR network, and
within 30 days of the completion of the review, the licensee must provide ASIC with a written report from a cybersecurity expert about further requirements which the licensee will have one further month to implement.

Implications

This case highlights several important issues. AFS licensees are now formally on notice that:

cyber risk exposures must be actively managed with the help of cyber risk experts,
failure to adequately manage cyber risk exposes the licensee to financial penalties, investigation costs and a significant licence breach, and
the relevant standard of performance with respect to managing cyber risk is what technical experts in the field believe to be reasonable.

Often referred to as the ‘rent an AFS licence’ model (where one AFS licensee has multiple corporate and individual authorised representatives using the same AFS licence) the judgment draws attention to the level of risk such AFS licensees (in respect of their own licences) along with the businesses of all the Authorised Representatives whose businesses rely on that single AFS licence, are exposed to where cyber security is not properly and professionally managed.

Further, the case has implications for authorised representative agreements; existing agreements should be reviewed in light of the judgment. In particular, licensees should consider the addition of provisions that:

provide licensees with broad powers to enforce cyber risk management protocols and/or standards as a condition of the authorisation being given to the representative
include or strengthen indemnities in respect of losses arising as a result of cyber incidents, and
impose a right to conduct external cyber security audits.

At a time when Professional Indemnity for AFS licensees is becoming increasingly difficult to place, this judgment is likely to see an expansion of questions about risk management practices and cyber security programs from insurers. It also increases the need for an enhanced focus on cyber security and cyber risk in the context of due diligence programs undertaken for mergers and acquisitions in the financial services sector.

Background

Since 15 May 2018, RI Advice has had between about 89 and 119 Authorised Representative Practices.

Between June 2014 and May 2020 nine cybersecurity incidents occurred that gave unauthorised access to confidential and sensitive personal information and documents of retail clients, which were stored electronically. This included names, addresses, dates of birth, contact details, copies of driver’s licenses, passports and in some cases, health information.

The nine cyber incidents included:

June 2014—AR’s email account was hacked, and five clients received a fraudulent email urging the transfer of funds. One client made transfers totalling some $50,000.
June 2015—A third-party website provider engaged by the AR was hacked, resulting in a fake home page being placed on the AR’s website.
September 2016—One client received an email requesting money, apparently from an employee of an AR Practice. The email was not sent by the employee and had been sent fraudulently. It came to light that the AR used an email platform where information was stored “in the Cloud”, meaning there was no anti-virus software and there was only one password, which everyone used to access information.
January 2017—Where an AR’s main reception computer was subject to ransomware delivered by email, making certain files inaccessible.
May 2017—Where an AR server was hacked by brute force through a remote access port, resulting in files containing the personal information of some 220 clients being held for ransom and ultimately not recoverable.
Between December 2017 and April 2018—Where an unknown malicious agent gained unauthorised access to the server for several months compromising the personal information of thousands of clients, a number of whom reported unauthorised use of the personal information.
May 2018—Where an unknown person gained unauthorised access to the email address of an AR and sent a fraudulent email to the AR’s bookkeeper requesting a bank transfer.
August 2019—Where an unauthorised person used an AR employee’s email address to send phishing emails to over 150 clients.
April 2020—Where an unauthorised person used the same email address as in 2019 to send further phishing emails to the AR’s contacts.

Problems that were identified

As at the dates of the incidents, there were a variety of issues in the respective ARs’ management of cybersecurity risk. These included:

computer systems that did not have up-to-date antivirus software installed and operating
no filtering or quarantining of emails
no backup systems in place, or backups not being performed, and
poor password practices including sharing of passwords between employees, use of default passwords, passwords and other security details being held in easily accessible places or being known by third parties.

The court found that RI Advice had taken certain steps and had in place some documentation, controls and risk management measures in respect of cybersecurity risk for its Ars. These included:

training sessions, professional development events, and information provided through RI Advice’s weekly newsletter for ARs
an incident reporting process where cyber incidents could be discussed, and
obligations in the “Professional Standards” contractual terms between ARs and RI Advice relating to information security, electronic storage, incident notification requirements, fraud procedures and privacy. The Professional Standards contained various recommendations and certain obligations designed to assist AR Practices in protecting client information from cybersecurity risks. These recommendations included password-protecting documents sent via email containing clients’ personal information; not using personal email addresses; using up to date security software; backing up data; and implementing a password policy.

RI Advice admitted that prior to and as at 15 May 2018, it did not have documentation, controls and risk management systems that were adequate to manage risk in respect of cybersecurity across its AR network. It also admitted that after receiving expert advice it was too slow to implement changes across the network of ARs

Future

This judgment highlights how widely the courts are interpreting the words “failed to act efficiently and fairly” and the importance of ensuring contracts entered into between AFS licensees and authorised representatives include clauses that allow licensees to fully audit the activities of the representatives.

Sparke Helmore can assist you with the review of your contracts and carrying out compliance audits in relation to your AFS licence obligations. If there is a cyber incident, we also have specialist resources available to assist you.

If you would like further information, please contact us.

03-05-2024 | EXV v Uniting Church in Australia Property Trust

24-04-2024 | Swiss climate change case

19-04-2024 | What is the meaning of 'hardship' in a s 38 variation, and can this be linked to a s 39 extension of time?

16-04-2024 | Director Information Series - The complete guide

08-03-2024 | Can a claim for property still be made when promises are broken?

05-03-2024 | Who owns the assets when inter-family asset protection arrangements are disputed?

Media room