10 May 2022
In ASIC v RI Advice Group Pty Ltd FCA 496, ASIC brought a claim against a financial services licensee, RI Advice, for failures by its authorised representatives to manage their cyber security risks. While the matter ultimately settled, the approval of the settlement and the proposed orders demonstrate that obligations under section 912A of the Corporations Act 2001 (Cth) (Corporations Act) may extend to the cyber security risks faced by licensees and the adequacy of the risk management systems implemented by the licensees to mitigate that risk.
It was agreed by the parties that RI Advice had breached sections 912A(1)(a) and (h) of the Corporations Act. These subsections require financial services licensees to:
RI Advice authorised independent representatives to provide financial services on its behalf (authorised representatives). From June 2014 to May 2020, a series of cyber security incidents occurred at the practices of a number of authorised representatives. These incidents involved unknown individuals gaining access to email accounts, online servers and website pages belonging to the authorised representatives, as well as the personal information of their clients. During one incident, an unknown person gained access to an authorised representative’s server for several months and collected the private information of thousands of clients.
In 2018, RI Advice identified a number of issues in the management of cyber security risk by the authorised representatives, including failures to update antivirus software, not quarantining emails, using poor password management practices and not having backup systems in place.
From May 2018 to August 2021, RI Advice engaged a cyber security consultant and introduced a ‘Cyber Resilience Initiative’ to improve its risk management systems.
Rofe J made the following observations relating to the obligations imposed under sections 912A(1)(a) and (h):
Rofe J concluded that RI Advice contravened sections 912A(1)(a) and (h) and made all declarations sought by the parties. Her Honour held that ASIC had a real interest in seeking the declarations as a public regulator and that it was in their best interest to clarify to licensees that sections 912A(1)(a) and (h) apply to the management of cyber security risk. Her Honour also made compliance orders under section 1101B of the Corporations Act compelling RI Advice to engage a cyber security expert to identify further documentation and controls necessary for the adequate management of cyber security and cyber resilience risk.
Going forward, it is imperative that financial services licensees ensure that their authorised representatives have proper controls in place to manage their cyber security risks and to ensure cyber resilience.
Authors: Thomas Rubic