Cyber Risk Management – Quick and Effective Implementation?
In the modern age, Australian Financial Services Licence holders and their authorised representatives hold vast amounts of sensitive and confidential information about their clients electronically.
The Federal Court of Australia has recently considered the link between the AFS Licence holder’s obligations under the Corporations Act and its efforts to keep that sensitive and confidential information secure against and resilient to cyber-attacks.
The Court has found the link to exist and to be a strong one.
The case before the Federal Court involved a well-known AFS Licence holder and its extensive network of authorised representatives.
Over the period from June 2014 to May 2020, the information which the authorised representatives held electronically was the subject of nine cybersecurity incidents. Investigations into those incidents revealed that anti-virus software was not kept up to date, emails were not being filtered or quarantined, back-up systems did not exist and password practices were poor.
As a consequence of those investigations the AFS Licence holder implemented several steps to combat and address the weaknesses which had been identified, including an extensive program to increase awareness of cybersecurity and to assist in identifying weaknesses and the adoption of good cyber security practices.
But the AFS Licence holder took too long to implement its response to the weaknesses identified and ensure that robust systems were in place across the length and breadth of its network.
The Australian Securities and Investments Commission alleged in the Federal Court that the AFS Licence holder was in breach of its obligations under the Corporations Act because it had failed to have and implement a proper plan in respect of cyber security and resilience.
Under the Corporations Act, an AFS Licence holder’s obligations extend to:
doing things necessary to ensure the financial services covered by the licence are provided efficiently and fairly; and
having adequate risk management systems (‘Obligations’).
Here the problem was not that the risks had gone unidentified, that no broad response had been conceived, or that the response had not been implemented at all. The problem was the speed and effectiveness of that implementation. As the AFS Licence holder admitted and the Federal Court accepted:
‘it took too long to implement and ensure such measures were in place across its (authorised representatives’) practices. (I)t should have had a more robust implementation of its programme so that the measures were more quickly in place at each (authorised representative) practice and the majority of the (authorised representative) network was confirmed as operating pursuant to such cybersecurity and cyber resilience measures earlier than 6 August 2021.’
The Federal Court found that the delay in implementation was a breach of the Obligations, made declarations to that effect and directed the AFS Licence holder to take steps to assess and improve its cyber security and resilience measures.
This case demonstrates that AFS Licence holders must act quickly and effectively in rendering their practices secure against and resilient to cyber incidents.
But behind this case lies a warning: the Australian Securities and Investments Commission is watching this area very carefully and will bring before the Federal Court any conduct which it considers falls short of the proper discharge by an AFS Licence holder of its obligations.
The name of the case is Australian Securities and Investments Commission v RI Advice Group Pty Ltd FCA 496.