In an Australian first, the Federal Court has read into an Australian Financial Services Licence (AFSL) holder’s general duties an obligation to maintain adequate cybersecurity protections and mitigate cybersecurity risks, including holding AFSL holders responsible for the failures of any Authorised Representatives that perform work on their behalf.
AFSL holders have general duties to provide financial services efficiently, honestly, and fairly, and to maintain adequate risk management systems. By failing to maintain adequate cybersecurity protections, the Federal Court (in the decision of ASIC v RI Advice [2022] FCA 496) found that RI Advice (RI), a subsidiary of ANZ, had failed to meet both of these duties.
RI relied on a network of independently owned authorised representatives (ARs) to provide financial advice to RI clients on its behalf. This network of ARs electronically received, hosted, and accessed personal information of RI’s clients, such as their full names, phone numbers, email addresses and drivers’ licenses. As independent operators, these ARs varied in levels of cybersecurity protection, leaving the personal information of many RI clients vulnerable to the efforts of hackers.
Between May 2018 and August 2021, many of RI’s ARs were the subject of at least nine cybersecurity breaches. As a consequence of the breaches, fraudulent emails were sent from hacked AR email accounts to RI clients, urging them to transfer funds (including one client who made numerous transfers totalling almost $50,000). In a separate incident, hackers accessed files containing the personal information of up to 220 clients and held them for ransom. The most egregious incident involved a malicious agent gaining access to an AR practice’s server and remaining undetected for several months. This server held the personal information of several thousand RI clients.
Up to May 2018, RI had taken certain steps in respect of its cybersecurity risk for its ARs, including:
Despite this, inquiries made by RI following these cybersecurity incidents revealed that there were a variety of issues in the respective ARs’ management of cybersecurity risk, including:
Ultimately, RI did not have adequate risk management systems to mitigate cybersecurity threats during this period.
As an AFS licensee, RI is bound by duties under the Corporations Act 2001 (Cth) (‘the Act’), including:
The Court considered that the standard of ‘efficiently, honestly, and fairly’ meant that it was appropriate to measure the alleged conduct against the reasonable standard that a person qualified in the relevant field would expect. Given the variety of issues in RI’s cybersecurity protocols detailed above, it was clear that RI’s conduct fell short of what a cybersecurity expert would expect of a financial services firm working with clients’ sensitive personal information.
Furthermore, the Court recognised that the obligation on AFS licensees to have adequate risk management systems extends to cybersecurity, as it forms a “significant risk connected with the … provision of financial services”. Although the Court recognised that cybersecurity risk cannot be reduced to zero, RI failed to implement adequate cybersecurity documentation and controls to reduce cybersecurity risk to an acceptable level.
RI was subsequently found in breach of both s 912A(1)(a) and s 912A(1)(h) of the Act and was ordered, among other orders, to pay $750,000 towards ASIC’s legal costs.
This case was a statement by ASIC to AFS licensees to ensure they are taking the threat of hackers and cyberspace vulnerabilities seriously. To achieve this, AFS licensees can take the following actions, as recommended by the Federal Court:
Authored by Hamish Fraser and Alexander Dimovski