RI Advice breach
On 5 May 2022, a landmark decision was made in Australia. The Federal Court found that RI Advice had breached its obligations as an Australian financial services (AFS) licensee to act efficiently, honestly, and somewhat because it failed to have adequate risk management systems to manage cybersecurity risks.
In handing down her judgment, Justice Rofe warned that “cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services”. Her Honour noted that the declarations ordered should deter other AFS licensees from engaging in similar conduct.
AFS licensees should consider their risk management systems anew in light of the decision and take stock of the particular cybersecurity risks in their businesses.
Key takeaways – cybersecurity risks
For the most part, the Australian Securities and Investment Commission (ASIC) and RI Advice agreed as to the accepted principles regarding the assessment of an AFS licensee’s compliance with section 912A(1)(a) of the Corporations Act 2001 (Cth) (Act) (the requirement that an AFS licensee provides financial services efficiently, honestly and fairly).
Justice Rofe reiterated those principles as set out in cases including ASIC v Westpac Securities Administration Ltd (2019) 272 FCR 170 and ASIC v Westpac Banking Corporation (No 2)  FCA 751. Justice Rofe did, however, resolve one disagreement between the parties, finding that the requirement for an AFS licensee to provide financial services “efficiently” cannot, in a highly technical area like cyber risk management, be assessed by reference to public expectation.
The reasonable performance standard is instead to be assessed by reference to the reasonable person qualified in the area.
Justice Rofe also clarified the application of section 912A(1)(h) of the Act (the requirement that an AFS licensee has “adequate risk management systems”). Her Honour concluded that the notion of “adequacy” imports a normative standard of conduct.
The particular focus of the provision is on “risk management systems”, and for that reason, the provision requires the identification of the specific risks that arise in the context of a particular business. RI Advice meant identifying risks to authorised representatives, rather than [just to] RI Advice itself.
Further, in cyber risk management, the provision requires considering the risks faced concerning a business’s operations and IT environment.
The applicable standard of “adequacy” in each situation is ultimately one for the Court to decide. However, the Court’s assessment will likely be informed by evidence from qualified experts in the field.
RI Advice hearing
The final hearing in ASIC v RI Advice Group Pty Ltd  FCA 496 had been fixed to commence on 4 April 2022. However, the matter was settled before the hearing began. As part of the settlement process, the parties proposed directions and orders be made by consent, and Justice Rofe found a reasonable basis for making such orders.
The case concerned the conduct of RI Advice, a wholly-owned subsidiary of Australia and New Zealand Banking Group Limited. RI Advice carries on a financial services business of authorising independently owned corporate authorised representatives and individual authorised representatives to provide financial services to retail clients on its behalf and according to its AFS licence.
According to RI Advice’s AFS licence, the authorised representatives collected confidential and sensitive personal information and documents concerning their retail clients. As a result, nine cybersecurity incidents occurred between June 2014 and May 2020 involving the authorised representatives.
These incidents were found to be the result of a variety of issues with the authorised representatives’ management of cybersecurity risk, including:
- using computer systems that did not have up-to-date antivirus software installed and operating
- not implementing filtering or quarantining of emails
- not having backup systems in place, or backups not being performed; and
- Poor password practices include sharing passwords between employees, use of default passwords, passwords and other security details being held in easily accessible places or being known by third parties.
RI Advice became aware of the most severe incident in May 2018 and then took steps and put in place specific documentation, controls, and risk management measures for its authorised representatives, including:
- RI Advice’s weekly newsletter for authorised representatives provides training sessions, professional development events, and information.
- An incident reporting process where cyber incidents could be discussed; and
- obligations in the “Professional Standards” contractual terms between authorised representatives and RI Advice relating to information security, electronic storage, incident notification requirements, fraud procedures and privacy.
However, RI Advice admitted that it took too long to ensure that such measures were in place across all its authorised representatives. Justice Rofe accepted that RI Advice should have had a more robust implementation of its program and found that RI Advice continued to contravene section 912A(1)(h) of the Act until 5 August 2021.
On that basis, Her Honour ordered RI Advice to undertake a compliance program, including engaging an external expert to assess the adequacy of its cybersecurity risk management systems. Her Honour also ordered RI Advice to pay ASIC’s costs in the proceedings of $750,000.
Vogue Advisory Group – providing you with professional and licensed financial advice
An excellent financial adviser works with you to understand your needs, set your financial goals, and create a plan to help you achieve them.
Before getting financial advice, decide what you want to get out of it. Consider your stage of life, how much money you have, and what you’re trying to achieve.
A financial adviser can help you make financial decisions and plans, including advice about budgeting, investing, super, retirement planning, estate planning, insurance, and taxation.
If you require any financial advice, please get in touch, and one of our advisors will help you.