“When the unexpected meets with the unprepared … we find the greatest astonishments”
— Mehmet Murat ildan, Chief Risk Officer
ASIC v RI Advice
Smart people understand that although principles-based regulation provides flexibility and dynamism, it can also be problematic when those regulations are interpreted to be limited, static or fixed. In previous articles (“The (regulatory) cost of complacency” and “Emerging liabilities: Data”) we’ve explored and explained how, and why, AFS Licensees need to be appropriately focused on cyber security risk management.
In this article, we respond to readers’ requests for more detail and summarise the matter that brought cyber-security into compliance – Australian Securities and Investments Commission v RI Advice Group Pty Ltd FCA 496.
You can read the judgment at your leisure but, if you’re an AFS Licensee, we’ll try to show you why, and how much, this case should matter to you.
The Central Issue
The central proposition of this case was whether the respondent, RI Advice Group Pty Ltd, contravened section 912A(1)(a) and (h) of the Corporations Act 2001 by failing to have adequate cybersecurity risk management in place.
This is where the flexibility of the Corporations Act really shines.
You’ll no doubt be aware that the Corporations Act makes no explicit reference to cyber-security. It offers no definition of cyber-risk and there’s no explicit obligation to have, or to use, specific technology. Chapter 7 certainly doesn’t prescribe the software, hardware or technology stacks required to provide financial advice or services but, as principles-based legislation, it can adapt (or be adapted) to emerging risks and evolving needs.
This is what happened in this case.
After warning the industry since 2013 about cyber-security, cyber-resilience and technological risk management, ASIC took the opportunity to send an emphatic message to the financial services industry.
Essentially, ASIC asserted that by failing to have and maintain adequate information security measures, RI Advice had contravened the law because the Corporations Act mandates that a financial services licensee must:
“Do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly” s912A(1)(a); and
“subject to subsection (5) (which excludes APRA regulated bodies and RSE licensees) – have adequate risk management systems” s912A(1)(h).
Licensees had long recognised the need to have risk management systems appropriate for the nature, scale and complexity of their activities but their arrangements, where they existed, were most commonly directed to financial risk, conduct risk and compliance risk. IT, as most compliance managers would have asserted, was an operational risk monitored, and better managed, outside the licensee’s compliance framework.
Unfortunately, that widespread and commonly understood position did not accord with ASIC’s view.
“When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else.”
— David Brin
RI Advice Group Pty Limited ABN 23 001 774 125 was, and still is, the holder of an Australian Financial Services Licence (AFSL 238429).
Now part of the Insignia Group, RI Advice overwhelmingly provides advice and services through a network of intermediaries – mostly Corporate Authorised Representatives and Authorised Representatives.
In the course of providing the authorised financial services, these Authorised Representatives collect, receive, store and access personal, confidential and sensitive personal information in relation to their clients. The Privacy Act (one of the financial services laws with which AFS Licensees must comply) requires recipients of personal information to adequately secure personal information and prevent its misuse or unauthorised access or release.
Unfortunately for RI Advice, between June 2014 and May 2020, nine cybersecurity incidents occurred at various practices and ASIC commenced action against RI Advice for failing to detect, and prevent, these breaches.
The personal information accessed
The data exposed or exploited as a consequence of RI Advice’s alleged failures included:
- Personal details including full names, addresses and dates of birth and in some instances health information,
- Contact information, including contact phone numbers and email addresses, and
- Copies of documents such as driver’s licenses, passports and other financial information.
The nine specific incidents
It’s important to realise that ASIC did not over-react to a single incident; it alleged (and proved) multiple failures over the course of many years. The incidents involved:
- An Authorised Representative’s email being hacked and five clients receiving fraudulent email requesting transfer of funds. One client transferred $50,000,
- Third party website provider engaged by a practice was hacked, resulting in a fake home page being placed on the practice’s website,
- Incident where a client received an email from the practice requesting money, apparently from an employee of the practice. The practice used an email platform where information was stored ‘in the cloud’, meaning there was no anti-virus software and there was only one password for everyone,
- A practice’s server was subject to ransomware delivered by email, making certain files inaccessible,
- A practice’s server was hacked by brute force through a remote access port, resulting in files containing the personal information of some 220 clients being held for ransom (and ultimately not recovered),
- An incident where an unknown malicious agent gained unauthorised access to a practice’s server for a period of several months between December 2017 and April 2018, compromising the personal information of several thousand clients, a number of whom reported unauthorised use of the personal information,
- An incident where an unknown person gained unauthorised access to the email address of an Authorised Representative and sent a fraudulent email to the Representative’s bookkeeper requesting a bank transfer,
- An incident in August 2019 where an unauthorised person used an employee’s email address to send phishing emails to over 150 clients, and
- An incident in April 2020 where an unauthorised person used the same email address as in the previous incident to send further phishing emails to the Practice’s contacts.
The deficiencies identified at the practices included:
- Computer systems did not have up to date antivirus software installed and operating,
- No filtering or quarantining of emails,
- No backup systems in place, or back ups not being performed, and
- Poor password practices including sharing of passwords between employees, use of default passwords, passwords and other security details being held in easily accessible places or being known by third parties.
Although it later conceded they were inadequate, before the court proceedings RI Advice had taken steps to address cyber security risks, including:
- Training sessions,
- Professional development events,
- An incident reporting process,
- Refining its contractual terms with its representatives to explicitly address information security, electronic storage, incident notification requirements, fraud procedures and privacy,
- Engaging external advisory firms, and
- Monitoring and auditing compliance with RI Advice’s cybersecurity requirements contained in RI Advice’s Professional Standards.
Application of law to the facts
By now you’re probably aware that RI Advice admitted that, by virtue of section 912A(1)(a) and (h), it was required to:
- Identify the risks that its representatives faced in the course of providing financial services, including in relation to cybersecurity and cyber resilience, and
- Have documentation, controls and risk management systems in place that were adequate to manage these risks.
Justice Rofe’s judgment explicitly confirmed ASIC’s proposition (and RI Advice’s admission) that cybersecurity should, reasonably, be an element of a licensee’s risk management framework and that data loss or exploitation are risks that, if reasonable steps are taken, can be reduced to a manageable level. Accordingly, a failure to take adequate steps, or to institute appropriate controls and measures, is a core licensee failure (and likely a Reportable Situation).
If you have any doubt, consider paragraph 58 of the judgment:
“It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level”
and paragraph 65:
“I find that from 15 May 2018 to 5 August 2021, RI Advice contravened s 912A(1)(a) of the Act in that it failed to do all things necessary to ensure that the financial services covered by its Licence were provided efficiently and fairly, by failing to ensure that adequate cybersecurity measures were in place and/or adequately implemented across its Authorised Representatives”
and paragraph 66:
“I find that from 15 May 2018 to 5 August 2021, RI Advice contravened s 912A(1)(h) of the Act in that it failed to have adequate risk management systems, by failing to implement adequate cybersecurity and cyber resilience measures and exposing its Authorised Representatives’ clients to an unacceptable level of risk”
The Court’s orders
- RI Advice was ordered to engage a cybersecurity expert to identify what, if any, further documentation and controls in respect of cybersecurity and cyber resilience are necessary to implement to adequately manage cybersecurity and cyber resilience across its network (Further Measures),
- If Further Measures are identified, RI Advice must in consultation with the cyber security expert, agree upon the earliest reasonably practicable date by which RI Advice will implement the Further Measures (Agreed Date), and
- RI Advice was ordered to make a contribution of $750,000 to ASIC’s costs.
Your Call to Action
- Arrange/review your Cyber Risk Insurance. Contact an expert [ask us for a referral].
- Install (and test) current antivirus software on your network.
- Implement (and monitor and enforce) password protocols and 2 factor authentication.
- Test your backup systems.
- Engage an external security advisory firm to undertake an assessment and provide recommendations.
- Train your staff (on cyber-security, fraud prevention, data breach notifications and Privacy [see our catalogue]).
- Add an effective monitoring and audit element to your compliance framework.
- Include “IT and data security” as mandatory components of your Compliance Committee reporting.