“danced with both open and closed embrace, or anywhere in between, with dancers responding emotionally and sometimes instinctively”
The new tango
For a few years now, we’ve been writing about data security, cyber-resilience and cyber-security and the need for you to look at your obligations, your risk framework, your outsourced providers and how you are managing one of your most valuable assets, your data.
As an adviser, you may have dismissed the topic as a problem for your licensee.
As a licensee, you may have dismissed it as a theoretical risk or dismissed the capability of the OAIC.
In a previous article, we highlighted that those positions are fundamentally flawed and showed how dangerously mistaken you are to think that way.
In case you missed it, the case sees ASIC muscling aside the Office of the Australian Information Commissioner (OAIC) and taking action against the RI Advice Group for its failure (and its authorised representative’s failure) to adequately protect its data and systems from external parties.
You may have dismissed ASIC’s activity as reflecting nothing more than their perennial regulatory engagement with IOOF entities, but ASIC is not alone in pursuing these matters. We have also seen the ACCC taking successful action for companies’ misuse of data.
Admittedly, it seems RI Advice is always in an enforcement dance with ASIC.
Their public tango began in 2019 when ASIC commenced court action against RI Advice as a follow up to the Royal Commission.
Clearly, they’d been on the dance floor before Commissioner Hayne critiqued their lethargic engagement, but the refreshed ASIC is now energetically pursuing RI Advice.
Their civil action against RI Advice and a former Melbourne financial adviser, John Doyle, is awaiting a further case management hearing on a date after 15 September 2020.
In their most recent dance, ASIC alleges that RI Advice (and its authorised representative) failed to have, and failed to implement, policies, procedures and controls that were
‘reasonably appropriate to adequately manage risk in respect of cyber security and cyber resilience’.
As a result, ASIC asserts that RI Advice breached its general obligations under s912A of the Corporations Act, including its obligation to:
- provide services efficiently, honestly and fairly;
- establish compliance measures to ensure compliance with financial services laws;
- have adequate resources (financial, technological and human) to carry out supervisory arrangements; and
- have adequate risk management systems.
ASIC is seeking pecuniary penalties in the range of $12 million and compliance orders requiring RI to implement appropriate policies and procedures to manage cyber security risks, and to provide an independent expert report assessing its compliance with those orders.
What is interesting about this case is that the Office of the Australian Information Commissioner (OAIC) can itself pursue civil penalties under the Privacy Act, which extend to:
- a serious or repeated interference with privacy (s 13G) – 2000 penalty units
- various civil penalty provisions set out in Part IIIA – Credit reporting, with penalties of either 500, 1000 or 2000 penalty units.
In contrast, ASIC is seeking pecuniary penalty orders under s 1317G(1)(a) of the Corporations Act, compliance orders under s 1101B(1)(a) of that Act, and costs, for breach of RI Advice’s obligations as a financial services licensee, alleging contraventions of ss 912A(1)(a), (b), (c), (d) and (h) and (5A).
The maximum civil penalty for companies is the greater of:
- 50,000 penalty units (currently $11.1 million),
- three times the benefit obtained and detriment avoided, or
- 10% of annual turnover, capped at 2.5 million penalty units (currently $555 million).
In our previous article we suggested some actions you should take to protect yourself, and they included regularly deploying updates and back-ups. A ransomware attack exposed RI Advice, and they are also being pursued for a hacking incident that affected 226 clients.
You need to ask yourself, how safe are your systems from hacking?
Are you aware of who is accessing your servers?
Are you confident that your records are secure?
In the case of RI Advice, an unknown malicious agent obtained and retained unauthorised remote access (through an employee’s account) to an authorised representative’s files.
The malicious (or simply curious) agent spent more than 155 hours accessing systems and records that contained sensitive client information including identification documents.
Unfortunately, it took RI Advice three months to detect this unauthorised access, and the breach exposed 8,104 individuals.
ASIC, and not OAIC, commenced action in response to the data breach.
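The control that was missing in that account is routine review of who is holding remote sessions, from where, and for how long. As an added example that is not part of this article and does not describe RI Advice’s or its representative’s actual systems, the following Python script reviews a constructed set of remote-access session records and flags exactly the pattern described above: a legitimate account logging in from an address it never used before, out of hours, and accumulating many hours of access. The log format, the 07:00–19:00 working day, the seven-day baseline period, the twelve-hour dwell threshold and all accounts, addresses and dates are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample of remote-access session records, one per line:
# <login time> <account> <source address> <logout time>
# The accounts, addresses and dates are invented for this example; they are
# not logs from RI Advice, its representative or any real system.
SAMPLE_SESSIONS = """\
2020-02-03T08:55:00 jsmith 203.0.113.10 2020-02-03T17:30:00
2020-02-04T09:02:00 jsmith 203.0.113.10 2020-02-04T18:05:00
2020-02-05T08:50:00 amarsh 203.0.113.11 2020-02-05T17:02:00
2020-02-13T23:40:00 jsmith 198.51.100.77 2020-02-14T05:10:00
2020-02-16T01:15:00 jsmith 198.51.100.77 2020-02-16T11:45:00
2020-02-18T22:05:00 jsmith 198.51.100.77 2020-02-19T04:40:00
2020-02-20T09:10:00 jsmith 203.0.113.10 2020-02-20T17:00:00
"""

BUSINESS_START_HOUR = 7   # assumed working day, 07:00 to 19:00 local time
BUSINESS_END_HOUR = 19


def parse_sessions(text):
    """Parse the constructed log format into dicts, oldest session first."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, user, src, end = line.split()
        sessions.append({
            "user": user,
            "src": src,
            "start": datetime.fromisoformat(start),
            "end": datetime.fromisoformat(end),
        })
    sessions.sort(key=lambda s: s["start"])
    return sessions


def session_hours(session):
    """Length of one session in hours."""
    return (session["end"] - session["start"]).total_seconds() / 3600


def out_of_hours(ts):
    """True for weekend logins or logins outside the assumed working day."""
    return ts.weekday() >= 5 or not (BUSINESS_START_HOUR <= ts.hour < BUSINESS_END_HOUR)


def review_sessions(sessions, baseline_days=7, dwell_threshold_hours=12.0):
    """Flag sessions that deserve a human look.

    Returns (login time, account, source, reasons) tuples. Three checks, each
    of which a months-long undetected access would trip:
      1. a source address the account never used during its baseline period;
      2. cumulative hours from such a source exceeding a threshold;
      3. logins outside business hours.
    """
    first_seen = {}   # account -> login time of its earliest session
    baseline = {}     # account -> sources seen during its baseline period
    dwell = {}        # (account, source) -> cumulative hours from an unfamiliar source
    alerts = []
    for s in sessions:
        user, src = s["user"], s["src"]
        first = first_seen.setdefault(user, s["start"])
        known = baseline.setdefault(user, set())
        reasons = []
        if s["start"] - first <= timedelta(days=baseline_days):
            known.add(src)   # learning period: record the source, do not alert on it
        elif src not in known:
            reasons.append("source not seen during baseline period")
            key = (user, src)
            dwell[key] = dwell.get(key, 0.0) + session_hours(s)
            if dwell[key] > dwell_threshold_hours:
                reasons.append(f"{dwell[key]:.1f}h cumulative from unfamiliar source")
        if out_of_hours(s["start"]):
            reasons.append("login outside business hours")
        if reasons:
            alerts.append((s["start"].isoformat(), user, src, reasons))
    return alerts


if __name__ == "__main__":
    for when, user, src, reasons in review_sessions(parse_sessions(SAMPLE_SESSIONS)):
        print(f"{when} {user} from {src}: {'; '.join(reasons)}")
```

Run daily against VPN or remote desktop logs, a review like this turns a three-month dwell into a same-day ticket. The obvious caveat is that the baseline period must itself be clean: if the unauthorised access is already under way when you start learning what “normal” looks like, the intruder’s address becomes part of the baseline, which is why the learning period should be short and the results of the first run reviewed by hand.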
So, while we’ll continue to write about conduct risk, we’ll also continue to highlight these risks because the consequences of cyber security incidents (and their increased likelihood) are more significant than you imagine.
In situations like these, it’s not unusual to respond emotionally, and sometimes instinctively, to the risk and the regulatory rhythm. Your governance framework may give you confidence in your footwork and your capacity to react, but we’d suggest you prepare a little more first.
You can’t sit this one out so we’d recommend four preparatory steps for your consideration:
- Acknowledge and own that cyber security is a real risk and right now should be one of your top priorities.
- Consider how you govern and manage cyber risk. These are not just technology risks: you need to look at your people and your outsourced providers as well.
- Do a stocktake of your risks, vulnerabilities and controls. Do you have cyber policies that enshrine your rules and expectations? Have you communicated these? How are you regularly checking that people are living and applying your policies, procedures and processes?
- Do your people know how to identify, escalate and respond to cyber incidents?