“[The AFSL and its representatives] receive and store, electronically, confidential and sensitive client information and documents, including relating to financial matters. It therefore was, and is, incumbent on [it] in discharging its duties and functions as a licensee to have adequate systems, policies, procedures and controls in place … in relation to cybersecurity and cyber resilience.”
— Notice of Filing, AUSTRALIAN SECURITIES AND INVESTMENTS COMMISSION v RI ADVICE GROUP PTY LTD, VID556/2020
Did you forget, you’re the target?
Reconsidering your obligations
Although you might be surprised by 20-191MR “ASIC commences proceedings against RI Advice Group”, you’ll no doubt recall our previous warning that, as an AFSL, s912A(1)(a) of the Corporations Act requires you to ensure that the financial services covered by your licence are provided efficiently, honestly, and fairly. In addition, you need adequate resources and adequate risk management systems.
While some licensees grudgingly accepted their obligation to have a compliance manual and something resembling a supervision framework, many licensees failed to adequately address their use of technology beyond licensing software. Despite the obvious dangers, and the increasingly specific warnings from the OAIC, few licensees prioritised data security to the extent they should have.
In reality, this level of complacency may be unsustainable.
In August 2020, ASIC shattered licensees’ complacency by commencing proceedings in the Federal Court of Australia against RI Advice Group Pty Ltd (RI), an Australian Financial Services (AFS) licence holder, for failing to have adequate cyber security systems.
While you might wonder why ASIC, and not the OAIC, initiated proceedings, it is important to appreciate the scope and impact of these proceedings. Even if ASIC are ultimately unsuccessful, every licensee and adviser needs to take immediate and ongoing action.
ASIC notice of filing
“ASIC alleges that RI failed to have implemented (including by its ARs) adequate policies, systems and resources which were reasonably appropriate to manage risk in respect of cybersecurity and cyber resilience.”
— 2019-MR, 21 August 2020
In addition to securing data, ASIC require Licensees to ensure the records are kept for 7 years after the day the personal advice was provided to the client.
Critically, these records also have to be accessible to, and able to be produced by, the Licensee during this period.
You will recall that we see data theft as almost an existential threat for advisers and licensees; this drove our previous advice to you that managing fraud and securing your valuable client data goes to the heart of your licensee obligations. History shows that with every crisis, we see a spike in fraud and cybercrime.
Security, Fraud and Financial Services
“ASIC alleges that Frontier was subject to a “brute force” attack whereby a malicious user successfully gained remote access to Frontier’s server and spent more than 155 hours logged into the server, which contained sensitive client information including identification documents.”
— 20-191MR, 21 August 2020
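The pattern ASIC describes (a burst of failed remote logins followed by a success, then a session left open for days) is detectable from ordinary access logs. The following is an added illustration, not code from the case file or from any party to the proceedings; the log format, threshold values and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed format (not taken from the case).
# The admin session below runs from 10 Jan 02:00:06 to 16 Jan 13:00:06 = 155 hours.
SAMPLE_LOG = """\
2020-01-10 02:00:01 LOGIN FAIL user=admin src=203.0.113.7
2020-01-10 02:00:02 LOGIN FAIL user=admin src=203.0.113.7
2020-01-10 02:00:03 LOGIN FAIL user=admin src=203.0.113.7
2020-01-10 02:00:04 LOGIN FAIL user=admin src=203.0.113.7
2020-01-10 02:00:05 LOGIN FAIL user=admin src=203.0.113.7
2020-01-10 02:00:06 LOGIN OK user=admin src=203.0.113.7
2020-01-10 09:15:00 LOGIN OK user=jsmith src=192.0.2.10
2020-01-10 17:30:00 LOGOUT user=jsmith src=192.0.2.10
2020-01-16 13:00:06 LOGOUT user=admin src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>LOGIN FAIL|LOGIN OK|LOGOUT) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(log_text):
    """Yield one dict per well-formed line, with the timestamp parsed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            yield ev

def find_alerts(log_text, max_failures=5, window=timedelta(minutes=10),
                max_session=timedelta(hours=24)):
    """Flag (1) a success preceded by >= max_failures failures from the same
    source within `window` (password guessing) and (2) any session that stays
    open longer than max_session. Thresholds are assumed, not from the page."""
    alerts = []
    failures = defaultdict(list)   # (src, user) -> recent failure timestamps
    open_sessions = {}             # (src, user) -> login time
    for ev in parse(log_text):
        key = (ev["src"], ev["user"])
        if ev["event"] == "LOGIN FAIL":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            failures[key] = recent + [ev["ts"]]
        elif ev["event"] == "LOGIN OK":
            if len(failures[key]) >= max_failures:
                alerts.append(f"brute-force: {key[1]} from {key[0]} succeeded "
                              f"after {len(failures[key])} failures")
            failures[key].clear()
            open_sessions[key] = ev["ts"]
        elif ev["event"] == "LOGOUT" and key in open_sessions:
            dur = ev["ts"] - open_sessions.pop(key)
            if dur > max_session:
                hours = dur.total_seconds() / 3600
                alerts.append(f"long-session: {key[1]} from {key[0]} "
                              f"logged in for {hours:.0f} hours")
    return alerts
```

Either alert on its own is a reason to look closer; lockout after repeated failures and MFA on remote access (discussed below) remove the first pattern, and session timeouts bound the second.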
Our focus on client data and data security was premised on our appreciation of the rich data held by advisers and licensees, and our anticipation of regulatory action.
We had observed that few licensees adequately responded to:
- REP 429 Cyber resilience: Health check
- REP 651 Cyber resilience of firms in Australia’s financial markets: 2018–19; or
- ASIC’s 2019 publication “Cyber resilience good practices”
While ASIC’s guidance needed to adapt to the nature, scale and complexity of the licensee (and the advisers’ practices), it was clear that ASIC expected Licensees to implement protective measures and controls. In fact, in REP429 ASIC stated that
“Given the increased threat of cyber attacks, we expect our regulated population, particular licensees, to address cyber risks as part of its legal and compliance obligations—including risk management and disclosure requirements.”
— REP429 at Page 38
To their credit, ASIC were clear and direct about their expectations of Licensees. They were unequivocal about the need to take reasonable steps to protect personal information held from misuse, interference and loss.
According to ASIC, RI Advice’s alleged failures, including its vulnerability to a 155-hour ‘brute force’ cyber attack, suggest that reasonable steps had not been taken.
This may not prove to be the case.
RI Advice might argue, or be able to prove, that (notwithstanding the failure) the licensee took reasonable steps. They might argue that the attack could not have been prevented. They might argue that the Licensee took reasonable steps but the Authorised Representative did not and that failure is a contravention of their authorisation and the terms of their agreement with the Licensee.
In any event, it would be prudent for each licensee to consider whether they have adequate security arrangements to satisfy ASIC, their licence conditions and their obligation to maintain “consumer trust and confidence.”
Bear in mind that the Australian Cyber Security Centre recently conducted a survey across small to medium businesses (SMBs) in Australia and found that:
- Only 3% of sole traders outsource their own cyber security, compared to 35% of businesses with 5-19 employees
- One in five small businesses that use Windows have an operating system that stopped receiving security updates in January 2020
- Nearly half of SMBs spend less than $500 annually on cyber security, which suggests that many SMBs take a DIY approach
- 62% had experienced a cyber incident
- Incidents are more common among businesses with five or more employees, affecting around three quarters of small (5-19 employees) and medium (20-199 employees) businesses
- For sole traders and micro businesses, over half of those surveyed had experienced a cyber incident
Regardless of the nature, scale and complexity of your business, you should implement preventative, interrogative and remedial processes to address cybersecurity risks. At a bare minimum, you should secure client information through:
- Your operating system is the most important piece of software on your computer, so make sure you regularly update, back up and maintain it.
- Ensure you stay up to date with software updates, as they improve online security, improve protection, and enhance features and efficiencies. Turn on auto-updates, especially for operating systems; install updates as soon as possible; and use anti-virus software and ensure it is automatically updated.
- A backup is a digital copy of your business’ most important information. Disconnect and remove your back up and storage device after each backup to ensure it is not impacted during a cyber incident.
Multi-Factor Authentication (MFA)
- Multi-factor authentication only provides access if a user successfully presents two or more pieces of evidence (or factors) to an authentication mechanism. It typically requires a combination of something the user knows (PIN, secret question, etc.), physically possesses (e.g. card, token) or inherently possesses (e.g. fingerprint, retina).
People and Procedures
- Access control: consider a process to regulate who can access what within your business’ computing environment.
- Passphrases: use a phrase or sentence, not one word, as your password. Did you know that “password123” is one of the most commonly used passwords on the planet?
- Employee training: teach your staff how to recognise, avoid, report, remove and recover from cyber-attacks.
Think before you click
- Be cautious of requests for money, especially urgent and overdue messages
- Be wary about bank account changes
- Do not open attachments automatically unless you can verify they are from a reliable source
- Be cautious about requests to check or confirm login details
Regardless of the nature, scale and complexity of your business, you need to be alert to these risks.
- Take the time to review, and consider, the NIST Cybersecurity Framework, the standards, guidelines and best practices designed to help you manage cybersecurity risk.
- Undertake an audit of the technology infrastructure underpinning your AFSL
- Engage an external expert to test your IT security
If you’ve been attacked
- Report all cybercrime activity to the Australian Criminal Intelligence Commission (ACIC) and the ReportCyber website. The website also provides advice on how to protect yourself online and frequently asked questions that provide information regarding cybercrime trends.
- Lodge Breach Reports with ASIC.
- Lodge Mandatory Data Breach reports with OAIC.
- Review your vulnerabilities and controls.