Authored by: Claudia Holland
Directors and officers of corporations that hold an Australian Financial Services Licence (AFSL) may be at risk of personal liability if the licensee contravenes the Corporations Act 2001 (Cth) (Act) as a result of having inadequate cybersecurity or cyber resilience. This risk is a result of two recent shifts in Australian law.
The first is the landmark decision of the Federal Court in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (ASIC v RI Advice), which shows that general AFSL obligations under the Act include obligations to manage cyber resilience and cybersecurity risks adequately. This case represents the first time in Australia that a financial institution has been found to be in breach of the Act due to conduct involving cybersecurity.
The second is the increasing prevalence of so-called “stepping-stones” cases brought by ASIC. That is, cases in which a company’s breach of the Act leads to the allegation that directors or officers breached their duty of care by causing, or failing to prevent, the company’s contravention of the law.
This article explores what ASIC v RI Advice may mean for directors’ and officers’ cybersecurity obligations under the Act. From the judgment, it appears that these obligations are not overly onerous but require a general understanding of the company’s cybersecurity risks, engagement with cybersecurity experts, and implementation of adequate cybersecurity risk management systems.
While the case concerned an AFSL holder, it is also highly relevant to other entities that are subject to similar obligations, such as APRA-regulated ADIs (who are required to comply with CPS 234 (Information Security)), and Australian credit licensees under the National Consumer Credit Protection Act 2009 (Cth).
An Australian first: ASIC v RI Advice
On 5 May 2022, the Federal Court made declarations that RI Advice Group Pty Ltd (RI Advice) breached its obligations under:
- s 912A(1)(a) of the Act by failing to ensure adequate cybersecurity measures were in place and/or adequately implemented across its Authorised Representatives (AR)
- s 912A(1)(h) of the Act by failing to implement adequate cybersecurity and cyber resilience measures and exposing its ARs’ clients to an unacceptable level of risk.[1]
The finding comes after nine cybersecurity incidents occurred at RI Advice’s AR practices between June 2014 and May 2020. The incidents included hacking, ransomware and phishing emails. Most significantly, for a period of several months between December 2017 and April 2018, an unknown malicious agent had unauthorised access to an AR practice’s server. This compromised the personal information of several thousand clients, a number of whom reported unauthorised use of their personal information.[2]
The Federal Court ordered that RI Advice pay $750,000 towards ASIC’s costs and, at its own expense, engage a cybersecurity expert to identify any further measures which are necessary for RI Advice to implement.[3]
Stepping-stone liability and duty of care
Broadly, the stepping-stones approach to directors’ or officers’ civil liability refers to a trend in cases over recent years in which ASIC uses a contravention of the Act by a company as a “stepping-stone” to finding that its directors or officers breached their duty of care.[4] The rationale for this approach is that the responsible directors or officers contravened their statutory duty of care under s 180(1) of the Act by exposing their company to a risk of harm, which is not limited to financial harm and could include prosecution, litigation or damage to the company’s reputation.[5]
While the terminology of “stepping-stones liability” is a useful label for this trend, courts have emphasised that these cases still require an orthodox application of the duty of care.[6] Although it is usual, it is not necessary for ASIC to first establish that the corporation contravened the law in order to find a breach of s 180(1). Conversely, a contravention of the Act by the company does not automatically give rise to a breach of the directors’ duties.[7] The court’s focus is on the conduct of the director or officer. The central question is whether their conduct met the objective degree of care and diligence required of them by the statutory standard contained in s 180(1) of the Act.[8]
At common law, in determining whether a defendant has breached their duty of care, the Shirt Calculus requires the court to consider:
- whether a reasonable person in the defendant’s position would have foreseen that their conduct involved a risk of harm to the company;
- if so, whether the defendant’s conduct was a reasonable response to that risk, considering:
  - the probability of the risk occurring
  - the gravity of the harm if the risk does occur
  - the cost and difficulty of taking precautions
  - any conflicting responsibilities of the defendant.[9]
In light of ASIC v RI Advice, directors and officers should consider whether their response to the cybersecurity risk posed to their company is reasonable.
Responding to the cybersecurity risk: what directors & company officers should do
Applying the Shirt Calculus, ASIC v RI Advice establishes that in relation to the first limb of the test, directors must consider whether there is now a foreseeable risk of harm to their companies (particularly those with a statutory obligation to manage risks) in relation to cybersecurity. As recognised by Rofe J, due to the reliance on digital and computer technology to deliver financial services, “cybersecurity risk forms a significant risk connected with the conduct of the business.”[10] As such, directors and officers should be seeking to take reasonable steps to respond to and reduce that risk in order to avoid breaching their duty of care.
ASIC v RI Advice provides some clarity on the content of general obligations to manage cybersecurity risks. From the judgment, it appears that these obligations are not overly onerous, with Rofe J recognising “it is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”[11] Rofe J also observed that the relevant risks and controls deployed to address cybersecurity evolve over time.[12] However, when considering the broad obligations of AFSL holders under s 912A(1)(a) and s 912A(1)(h) in the context of cybersecurity and cyber resilience, the court found that:
- AFSL holders are required to identify the risks that they face in the course of providing financial services pursuant to the licence, including in relation to cybersecurity and cyber resilience [13]
- AFSL holders must have documentation, controls and risk management systems in place that are adequate to manage risk in respect of cybersecurity and cyber resilience across their advice network[14]
- as cybersecurity risk management is a technical area, the adequacy of risk management must be informed by people with technical expertise in that area.[15] The reasonable standard of performance is to be assessed by reference to the reasonable person qualified in that area, not the expectations of the general public.[16]
In light of these findings, directors and officers (particularly directors and officers of companies with a statutory obligation to manage risks) should ensure that they:
- have a general understanding of cybersecurity risks as they affect their company
- engage qualified cybersecurity experts as employees or consultants to assess their company’s cybersecurity risks, implement controls to a level reasonably required to manage those risks (without necessarily having to reduce the risks to zero) and report periodically to the board
- have an incident response plan to minimise the damage that may be caused by a successful cyber-attack, including back-up systems.
For further key resources and guidance to help assess compliance:
- ASIC's Cyber resilience good practices.
- ASIC's Key questions for an organisation's board of directors.
- Australia's Cyber Security Strategy 2020.
- The Australian Cyber Security Centre's (ACSC) 'Strategies to Mitigate Cyber Security Incidents'.
ASIC v RI Advice establishes that the content of general obligations under s 912A of the Act for AFSL holders extends to a consideration of cybersecurity matters. The court will have regard to such matters when determining compliance under the Act. While Rofe J did not go on to specify that cybersecurity matters would also be considered in determining compliance with other provisions of the Act such as directors’ duties, given the prevalence of stepping-stone cases brought by ASIC over recent years, this is a likely consequence of the case.
Directors and officers should view this case as a reminder to ensure appropriate experts are engaged to assess and implement proper controls that address risks relating to cybersecurity and cyber resilience.
References
[1] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, 14-15 [65]-[66].
[2] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, 2 [16].
[3] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, ii.
[4] Ian Ramsay and Miranda Webster, ‘An analysis of the use of stepping stones liability against company directors and officers’ (2021) 50(1) Australian Bar Review 1.
[5] Ibid (Ramsay and Webster) 3; Australian Securities and Investments Commission v Cassimatis [No 8] (2016) 336 ALR 209, 301 [482]; Pamela Hanrahan and Tim Bednall, ‘From stepping-stones to throwing stones: Officers’ liability for compliance failures after Cassimatis’ (2021) 49(3) Federal Law Review 17.
[6] Pamela Hanrahan and Tim Bednall, ‘From stepping-stones to throwing stones: Officers’ liability for compliance failures after Cassimatis’ (2021) 49(3) Federal Law Review, 14; Cassimatis v Australian Securities and Investments Commission (2020) 275 FCR 533, 555 [79].
[7] Pamela Hanrahan and Tim Bednall, ‘From stepping-stones to throwing stones: Officers’ liability for compliance failures after Cassimatis’ (2021) 49(3) Federal Law Review, 15; Australian Securities and Investments Commission v Warrenmang Ltd (2007) 63 ACSR 623 [22]-[23].
[8] Cassimatis v Australian Securities and Investments Commission (2020) 275 FCR 533, 555, 641 [79], [463].
[9] The Council of the Shire of Wyong v Shirt (1980) 146 CLR 40, 47-48.
[10] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, [58].
[11] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, [58].
[12] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, [58].
[13] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, [28].
[14] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, [28].
[15] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, [47].
[16] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, [49].