AFS Licensees on notice - cyber risks are taken seriously by ASIC and the courts
10 May 2022
When ASIC first started proceedings against AFS Licensee, RI Advice, many licensees were caught by surprise especially when the cyber incidents giving rise to the prosecution were not committed against the AFS Licensee itself but against the authorised representatives of the AFS Licensee.
The Federal Court in the matter of ASIC v RI Advice Group Pty Ltd FCA 496 has found that by failing to have adequate risk management systems in place to manage cybersecurity risks, RI Advice breached its AFS licence conditions and failed to act efficiently and fairly.
In her judgment, Her Honour Justice Rofe included the following statements:
“Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”
“Cyber risks, an adequate response to such risks and building cyber-resilience requires appropriate assessment of the risks faced by a business in respect of its operations and IT environment. Cyber risk management is a highly technical area of expertise. The assessment of the adequacy of any particular set of cyber risk management systems requires the technical expertise of a relevantly skilled person.”
“Cyber risk management is not an area where the relevant standard is to be assessed by reference to public expectation. Rather, the adequacy of risk management must be informed by people with technical expertise in the area.”
“While it may be said that the public would expect the holder of an AFSL to have adequate cybersecurity measures, this says nothing of the content. In a technical area such as cybersecurity risk management, the reasonable standard of performance is to be assessed by reference to the reasonable person qualified in that area, and likely the subject of expert evidence before the Court, not the expectations of the general public.”
The penalty imposed included:
- paying a $750,000 contribution towards ASIC’s legal costs
- engaging a cybersecurity expert within one month to identify what further documentation and controls are required in respect of cybersecurity and cyber resilience across its AR network, and
- within 30 days of the completion of the review, the licensee must provide ASIC with a written report from a cybersecurity expert about further requirements which the licensee will have one further month to implement.
This case highlights several important issues. AFS licensees are now formally on notice that:
- cyber risk exposures must be actively managed with the help of cyber risk experts,
- failure to adequately manage cyber risk exposes the licensee to financial penalties, investigation costs and a significant licence breach, and
- the relevant standard of performance with respect to managing cyber risk is what technical experts in the field believe to be reasonable.
The judgment draws attention to the level of risk that the ‘rent an AFS licence’ model (where one AFS licensee has multiple corporate and individual authorised representatives operating under the same AFS licence) creates for both the AFS licensee (in respect of its own licence) and the businesses of all the Authorised Representatives that rely on that single AFS licence, where cyber security is not properly and professionally managed.
Further, the case has implications for authorised representative agreements; existing agreements should be reviewed in light of the judgment. In particular, licensees should consider the addition of provisions that:
- provide licensees with broad powers to enforce cyber risk management protocols and/or standards as a condition of the authorisation being given to the representative
- include or strengthen indemnities in respect of losses arising as a result of cyber incidents, and
- impose a right to conduct external cyber security audits.
At a time when Professional Indemnity for AFS licensees is becoming increasingly difficult to place, this judgment is likely to see an expansion of questions about risk management practices and cyber security programs from insurers. It also increases the need for an enhanced focus on cyber security and cyber risk in the context of due diligence programs undertaken for mergers and acquisitions in the financial services sector.
Since 15 May 2018, RI Advice has had between about 89 and 119 Authorised Representative Practices.
Between June 2014 and May 2020, nine cybersecurity incidents occurred that gave unauthorised access to confidential and sensitive personal information and documents of retail clients, which were stored electronically. This included names, addresses, dates of birth, contact details, copies of driver’s licences, passports and, in some cases, health information.
The nine cyber incidents included:
- June 2014—AR’s email account was hacked, and five clients received a fraudulent email urging the transfer of funds. One client made transfers totalling some $50,000.
- June 2015—A third-party website provider engaged by the AR was hacked, resulting in a fake home page being placed on the AR’s website.
- September 2016—One client received an email requesting money, apparently from an employee of an AR Practice. The email was not sent by the employee and had been sent fraudulently. It came to light that the AR used an email platform where information was stored “in the Cloud”, meaning there was no anti-virus software and there was only one password, which everyone used to access information.
- January 2017—An AR’s main reception computer was subject to ransomware delivered by email, making certain files inaccessible.
- May 2017—An AR server was hacked by brute force through a remote access port, resulting in files containing the personal information of some 220 clients being held for ransom and ultimately not recoverable.
- Between December 2017 and April 2018—An unknown malicious agent gained unauthorised access to the server for several months, compromising the personal information of thousands of clients, a number of whom reported unauthorised use of the personal information.
- May 2018—An unknown person gained unauthorised access to the email address of an AR and sent a fraudulent email to the AR’s bookkeeper requesting a bank transfer.
- August 2019—An unauthorised person used an AR employee’s email address to send phishing emails to over 150 clients.
- April 2020—An unauthorised person used the same email address as in 2019 to send further phishing emails to the AR’s contacts.
Problems that were identified
As at the dates of the incidents, there were a variety of issues in the respective ARs’ management of cybersecurity risk. These included:
- computer systems that did not have up-to-date antivirus software installed and operating
- no filtering or quarantining of emails
- no backup systems in place, or backups not being performed, and
- poor password practices including sharing of passwords between employees, use of default passwords, passwords and other security details being held in easily accessible places or being known by third parties.
The court found that RI Advice had taken certain steps and had in place some documentation, controls and risk management measures in respect of cybersecurity risk for its ARs. These included:
- training sessions, professional development events, and information provided through RI Advice’s weekly newsletter for ARs
- an incident reporting process where cyber incidents could be discussed, and
- obligations in the “Professional Standards” contractual terms between ARs and RI Advice relating to information security, electronic storage, incident notification requirements, fraud procedures and privacy. The Professional Standards contained various recommendations and certain obligations designed to assist AR Practices in protecting client information from cybersecurity risks. These recommendations included password-protecting documents sent via email containing clients’ personal information; not using personal email addresses; using up to date security software; backing up data; and implementing a password policy.
RI Advice admitted that prior to and as at 15 May 2018, it did not have documentation, controls and risk management systems that were adequate to manage risk in respect of cybersecurity across its AR network. It also admitted that, after receiving expert advice, it was too slow to implement changes across the network of ARs.
This judgment highlights how widely the courts are interpreting the words “failed to act efficiently and fairly” and the importance of ensuring contracts entered into between AFS licensees and authorised representatives include clauses that allow licensees to fully audit the activities of the representatives.
Sparke Helmore can assist you with the review of your contracts and carrying out compliance audits in relation to your AFS licence obligations. If there is a cyber incident, we also have specialist resources available to assist you.
If you would like further information, please contact us.