Inadequate risk management of cyber security contravenes the Corporations Act
The Australian Securities and Investments Commission (ASIC) has successfully brought civil proceedings against RI Advice Group Pty Ltd (RI) for failing to implement adequate cyber security risk management.
In its decision, the Federal Court found that RI had contravened the Corporations Act 2001 (Cth) by not having adequate cyber security risk management in place, and ordered RI to:
- engage a cybersecurity expert;
- implement an adequate cyber security risk management system within one month; and
- pay AUD 750,000 towards ASIC’s costs.
What does this mean for Australian business?
This decision is a warning to all businesses in Australia that not properly understanding and managing your cyber security risks will be regarded as a systemic failure of corporate governance, whether your business holds an Australian Financial Services Licence or not.
If you own a business or run a company, it is critical that you:
- understand your cyber security obligations;
- have robust and appropriate systems and processes in place to manage cyber security risks; and
- regularly review and update cyber security policies and processes to address new and emerging threats.
This is a good time to assess your own cyber risks and resilience by performing a cyber security risk assessment and reviewing the effectiveness of your current data protection controls.
What went wrong for RI?
The court found that RI failed to have documentation and controls in place “that were adequate to manage risk in respect of cyber security and cyber resilience”.[1]
The court provided some helpful definitions of key terms:
- cyber security as “the ability of an organisation to protect and defend the use of cyberspace from attacks”; and
- cyber resilience as “the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber sources”.[2]
RI failed to manage cyber security incidents
RI came to ASIC’s attention after experiencing a series of cyber security incidents: nine incidents occurred at RI between June 2014 and May 2020.
RI holds significant amounts of personal information about its 60,000 clients. This information was seriously compromised in incidents that included hacked email accounts, fraudulent emails requesting the transfer of funds and several ransomware attacks, all stemming from systemic failures in RI’s cyber security protection.
Cyber security processes across RI were poor and included inappropriate practices such as:
- all staff using a single password to access client information;
- not having up-to-date antivirus software;
- no backup systems or password protection across systems;
- little to no security monitoring; and
- a malicious actor having undetected access to RI’s server for several months.
Court’s assessment of RI’s cyber security management
Even though RI had taken some steps to fix its cyber security problems and implement more secure systems, the court found that these measures were too little and came too late.
Key Takeaways
This decision highlights that cyber security is now seen as a fundamental pillar of risk management and proper corporate governance. It emphasises the need to be proactive and manage risks with a security by design approach which puts cyber security at the forefront of all business practices.
We believe Australian companies can expect to see ASIC take action where companies fail to manage cyber security risks properly and to adequately protect customer data. Moreover, this decision sets a precedent that could lead to enhanced obligations for entities that must comply with the Security of Critical Infrastructure Act 2018 (Cth). In light of this decision, we recommend you:
- assess your cyber security risks and organisational resilience;
- implement appropriate strategies to manage your specific cyber security risks; and
- train staff to make them aware of the risks.
For tailored advice relating to your cyber security risks, please contact the Sainty Law team.
[1] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 [62].
[2] Ibid [8].