Data Protection Report - Norton Rose Fulbright

In this article we distil critical lessons from the Federal Court’s recent decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd[1] and set out practical actions to be taken by Boards and executive management. Boards and organisations should assess their cybersecurity risk management activities in light of the decision and ask whether current approaches are adequately resourced and operating effectively.


Introduction

The decision has been labelled as a watershed decision in Australia – a ‘first of its kind’ case that puts financial services firms, and more broadly, corporate Australia, on notice that failures to adequately understand and manage cybersecurity and cyber resilience risks will no longer be tolerated by Australia’s regulatory agencies.

The judgment itself is relatively brief; the Court’s findings are limited in detail and largely accepted the facts agreed between the parties. However, a close analysis of the judgment and the accompanying Statement of Agreed Facts and Admissions provides insight into the issues and lessons to which AFSL holders and all Australian companies should pay close attention in order to appropriately manage cybersecurity and cyber resilience risks.

Lesson 1 – Context is everything

Ensure that cyber-risk assessments are updated with an appropriate frequency, dependent upon the organisation’s context and business model. Where risks are evolving rapidly, update with increased frequency – annual review may no longer be appropriate. 

The Court declared RI Advice had breached ss 912(1)(a) and 912(1)(h) of the Corporations Act (the Act) from 15 May 2018 to 5 August 2021, by failing to provide its licensed services ‘efficiently and fairly’, and by failing to have adequate risk management systems in place to deal with cyber-risks respectively. RI admitted it was obliged to identify risks including cybersecurity and cyber-resilience, and have adequate controls and systems to manage those risks.

RI Advice’s business model involved the provision of financial advice to retail clients via a number of contracted independent “authorised representatives” (AR). These ARs managed client data independently, but within the terms of their appointment by RI Advice which included limited cybersecurity requirements.

Despite these requirements, RI Advice’s ARs suffered nine cybersecurity incidents in the period from 2014 to 2021. Notably, the contraventions of the Act declared by the Court are limited to the period after 15 May 2018, when RI Advice became aware of the most significant cybersecurity incident, which had occurred in December 2017. Prompted by the December 2017 incident, RI made various improvements and extensions to its existing cybersecurity risk management systems between May 2018 and August 2021; however, it admitted that it took too long to implement these. The December 2017 incident appears to have put RI Advice “on notice” that its risk environment had changed, and it subsequently failed to respond with due speed and urgency in driving improvements across cybersecurity and cyber-resilience.

The cybersecurity threat environment today is greater than it was in 2018, and it would be hard for any company to argue today that it was not aware of cyber-risks and the need to manage them. The decision emphasises that these risks are both individual to each organisation and constantly evolving.

Lesson 2 – Are Attestations Dead?

Adapt cyber-risk assurance processes to be commensurate with the risks posed by your digital supply chain. Ensure that alternate assurance processes or multi-factor assessments are used when operating in a heightened risk environment.

In describing RI Advice’s failure to act, the Statement of Agreed Facts and Admissions referred to RI Advice requiring attestations from its ARs that they had implemented the required cybersecurity standards. This culminated in a quasi-audit and review process that demonstrated the ARs had not, in fact, met the standards, despite having attested that they had. In finding that RI Advice had failed in its duties with regard to its ARs’ cybersecurity practices, the decision appears to have, at least in part, questioned the value of attestations in managing digital supply chain cyber-risks.

Attestations are commonplace across digital supply chains to confirm counter-parties are complying with contractual cybersecurity and privacy requirements. This is especially true in larger organisations with multiple suppliers where the resources, time and cost of annual audits would be prohibitive. There have been other notable failures of the attestation process in managing digital risks – Facebook received multiple attestations from Cambridge Analytica that it had deleted Facebook’s data, when in fact it had not – and the decision in this case has undermined their value further.

While it is likely that RI Advice’s knowledge of the risk its ARs’ cybersecurity practices represented to stakeholders meant that RI Advice’s reliance upon attestations was no longer reasonable, the judgment demonstrates that companies must consider adapting their assurance processes where the risk environment requires it. While not advocating for annual audits of all suppliers and dispensing with attestations, organisations should consider adopting risk indicator assessments when determining the level of assurance required and providing a dynamic suite of options.

Lesson 3 – The right standard: A reasonable one informed by experts

Cybersecurity risk management is now subject to a standard of legal reasonableness. Lawyers and risk advisors, both in-house and external, have a significant role to play in helping executives assess and operate an organisation’s cybersecurity risk management systems, processes and responses.

An important feature of the judgment was the Court’s clear articulation of the standard for cybersecurity and cyber-resilience risk management: that of a reasonable person qualified in the area. The expectations of the general public, while important for reputation management, were dismissed as a legal standard.

It was acknowledged that cybersecurity risk cannot be reduced to zero, but that appropriate consideration, planning, investment and review was required. This dynamic consideration of cybersecurity and cyber-resilience through the eyes of technical experts has clearly set the bar for organisations.

However, the judgment is clear that the standard of adequacy is for the court to decide, informed by evidence from relevantly qualified experts in the field. This decision has laid the gauntlet down in Australia – the reasonableness of cybersecurity risk management is a legal question informed by technical expertise. Lawyers and risk advisors have an important role to play in understanding cybersecurity risks and controls, challenging technical teams and ultimately advising clients where the standard may not be met.

Conclusion

The decision is a watershed moment in Australian cybersecurity law. Consideration of the agreed facts and the judgment reveals a trove of issues and practical considerations for all organisations across Australia. Australia’s corporate regulators are united in stating that cybersecurity is a priority focus, as has the Federal Government with recent amendments to critical infrastructure legislation and the broader cybersecurity consultation.

Cybersecurity has been a growing concern for boards and executives for the past few years. Now it should be on the minds of GCs and lawyers as well, together with the critical role they should be playing in helping their organisations appropriately manage evolving cyber-risks. Governance and accountability are core to managing cybersecurity risk, and the board must ensure it has an effective and appropriately skilled, resourced and diverse team in place, not just technical experts.

[1] [2022] FCA 496