Cybersecurity: is your company managing its risks?

In the 2020-2021 financial year, the Australian Cyber Security Centre received over 67,500 cybercrime reports, with incidents increasingly targeting large businesses. Rising risks have forced many companies to address cybersecurity issues, but it is only recently that companies have faced regulatory consequences for failing to meet their obligations.

On May 5, 2022, the Federal Court finalised its judgment in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496. In an Australian first, it was ruled that RI Advice Group Pty Ltd (RI) had breached its obligations as the holder of an Australian Financial Services Licence (Licensee) by not having adequate risk management systems in place to manage its cybersecurity risks.

The ruling is an important lesson for all regulated entities, as it signals ASIC's increased regulatory focus on companies' cybersecurity processes. The lesson is the same for all businesses, large or small: every company should ensure it has appropriate measures in place to address cybersecurity breaches, or risk significant civil penalties.

how did RI breach its cybersecurity obligations?

RI provides financial services under a third-party business owner model, with authorised representatives providing financial services to clients. Between 2014 and 2020, RI experienced nine cyber incidents. ASIC argued that RI failed to respond proactively to these incidents and to put appropriate measures in place. ASIC alleged that RI's failure to implement appropriate cybersecurity risk management breached the general obligations of licensees under section 912A of the Corporations Act 2001 (Cth) (the Act).

minimum cybersecurity standards

In the course of the case, ASIC detailed a set of 68 documentation and security screening standards which it believed would be the minimum standards for a licensee; however, there are currently no published standards for licensees. At this early stage, the controls proposed by ASIC during the RI case can be used as a guideline, but, given the ambiguity, companies should seek bespoke legal and IT advice when implementing cybersecurity measures.

RI had control processes in place, but not enough

Although not at the level ASIC considered appropriate, RI did have control processes in place to manage its cybersecurity risks. These included professional standards, incident reporting processes, and seeking confirmation from its authorised representatives that they understood those standards and processes. Its processes improved significantly in 2020/2021. This was not enough to satisfy ASIC, however, and the regulator filed suit against RI anyway.

results

The parties agreed on terms of settlement, which were accepted by the Court. In her judgment, the Hon. Justice Rofe acknowledged that it is "not possible to reduce cybersecurity risk to zero", but that the risk could still be reduced to an acceptable level.

The Court ordered RI to pay a portion of ASIC's legal costs ($750,000) and to engage a cybersecurity expert to identify and implement any further measures necessary to manage its cybersecurity risks.

Interestingly, ASIC sought to use the matter as a test case to establish cybersecurity standards, but the judgment did not address this, so the standards licensees must meet to satisfy their general obligations are no clearer than before.

key takeaways

This case highlights the need for licensees, and all businesses, to review their cybersecurity processes and ensure they have appropriate measures in place. Since there are no clear standards or requirements, a legal team (internal or external) should work together with IT to establish the processes required.

Having compliance measures in place does not necessarily mean that your company is meeting its general obligations. Companies must remain vigilant, put adequate audit procedures in place, and commit to continually reviewing their existing procedures rather than simply relying on them. Technology is constantly evolving, so it is important that companies' cybersecurity risk management strategies and procedures continue to evolve with it.