Attention AFSL holders: cybersecurity now forms part of a holder’s general duties

In an Australian first, the Federal Court has read into an Australian Financial Services License (AFSL) holders’ general duties an obligation to maintain adequate cybersecurity protections and mitigate cybersecurity risks, including holding AFSL holders responsible for the failure of any Authorised Representatives which perform work on its behalf.

AFSL holders have general duties to provide financial services efficiently, honestly, and fairly, and to maintain adequate risk management systems. By failing to maintain adequate cybersecurity protections, the Federal Court (in the decision of ASIC v RI Advice [2022] FCA 496) found that RI Advice (RI), a subsidiary of ANZ, had failed to meet both of these duties.

What happened?

RI relied on a network of independently owned authorised representatives (ARs) to provide financial advice to RI clients on its behalf. This network of ARs electronically received, hosted, and accessed personal information of RI’s clients, such as their full names, phone numbers, email addresses and drivers’ licenses. As independent operators, these ARs varied in levels of cybersecurity protection, leaving the personal information of many RI clients vulnerable to the efforts of hackers.

Between May 2018 and August 2021, many of RI’s ARs were the subject of at least nine cyber security breaches across. As a consequence of the breaches, fraudulent emails were sent from hacked AR email accounts to RI clients, urging them to transfer funds (including one client who made numerous transfers totalling almost $50,000). In a separate incident hackers accessed and held files containing the personal information of up to 220 clients for ransom. The most egregious incident involved a malicious agent gaining access to an AR practice’s server, undetected for several months. This server held the personal information of several thousand clients of RI.

Did RI have any cybersecurity protections at the time?

Up to May 2018, RI had taken certain steps in respect of its cybersecurity risk for its ARs, including:

• training sessions, professional development events and information provided through RI’s weekly newsletter for ARs,
• an incident reporting process where the cyber incidents could be discussed, and
• obligations contained within the “Professional Standards” contract terms between ARs and RI, including recommendations to protect client info, such as:
  • password protecting documents sent via email which contained clients’ personal information
  • not using personal email addresses
  • using up-to-date security software
  • backing up data, and
  • implementing a password policy

Despite this, inquiries made by RI following these cybersecurity incidents revealed that there were a variety of issues in the respective ARs’ management of cybersecurity risk, including:

• computer systems which did not have up-to-date antivirus software installed and operating
• no filtering or quarantining of emails
• no backup systems in place
• poor password practices, including sharing of passwords between employees and passwords being stored in easily accessible places

Ultimately, RI did not have adequate risk management systems to mitigate cybersecurity threats during this period.

What did the Court find?

As an AFS licensee, RI is bound by duties under the Corporations Act 2001 (Cth) (‘the Act’), including:

• to do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly, and fairly (s 912A(1)(a)), and
• to have adequate risk management systems (s 912A(1)(h))

The Court considered that the standard of ‘efficiently, honestly, and fairly’ meant that it was appropriate to measure the alleged conduct against the reasonable standard that a person qualified in the relevant field would expect. Given the variety of issues in RI’s cybersecurity protocols detailed above, it was clear that RI’s conduct fell short of what a cybersecurity expert would expect of a financial services firm working with clients’ sensitive personal information.

Furthermore, the Court recognised that the obligation on AFS licensees to have adequate risk management systems extends to cybersecurity, as it forms a “significant risk connected with the …provision of financial services”. Although the Court recognised that cybersecurity risk cannot be reduced to zero, RI failed to implement adequate cybersecurity documentation and controls to reduce cybersecurity risk to an acceptable level.

RI was subsequently found in breach of both sections s 912A(1)(a) and 912A(1)(h) and was ordered to pay an amount of $750,000 towards ASIC’s legal costs, among other orders.

What does this mean for AFS licensees in future?

This case was a statement by ASIC to AFS licensees to ensure they are taking the threat of hackers and cyberspace vulnerabilities seriously. To achieve this, AFS licensees can take the following actions, as recommended by the Federal Court:

• Eliminate ‘common-sense’ poor cyber security practices – as seen in the above case, cyber security risks can be mitigated by maintaining up-to-date antivirus software, establishing effective backup systems, and implementing best practice password guidelines, such as not sharing passwords between employees or using default passwords and not making passwords easily available (such as keeping them on notes)
• Implement strong cyber risk management controls – AFS licensees should implement strong controls and risk management systems such as firewalls and multi-factor authentication, given the sensitivity of clients’ personal information
• Engage external experts – as ordered by the Court in this instance, AFS licensees should look to engage external cybersecurity experts, to ensure that their risk management systems are to the standard expected of a financial services firm and to keep up to date with developments (and potential vulnerabilities) in cybersecurity
• Maintain consistent security policies with third parties – AFS licensees outsourcing work to third parties such as ARs should ensure those third parties operate at minimum with cybersecurity practices as strong as the licensee itself, and should conduct regular compliance checks to ensure third parties are meeting these standards
• Plan for the inevitable – draft a plan to quickly respond in the event of a cybersecurity breach, including notifying those affected, as well as relevant authorities such as the Australian Cyber Security Centre.

Authored by Hamish Fraser and Alexander Dimovski