Last week, the Federal Court handed down judgment in proceedings brought by the corporate regulator against a financial services provider for its failure to have adequate cyber security and cyber resilience risk management controls. That judgment offers key lessons, both for law firms and in-house teams.
Last Thursday (5 May), Clyde & Co partner Reece Corbett-Wilkins spoke at the 2022 Corporate Counsel Summit, discussing the role of the law department in managing cyber risk.
He, alongside fellow panellists Accenture advisory executive Justin Forsell and Accenture global legal lead (strategic partnerships) Annie Haggar, challenged those in attendance to consider “revamping” their roles and to take a more active position as a trusted adviser in managing data and privacy legal risks for businesses.
Earlier that day, the Federal Court of Australia had handed down its decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496. Mr Corbett-Wilkins waved a copy of the judgment in front of the audience, noting that they should all read its findings.
That judgment, he told Lawyers Weekly, is a “perfect case study for making that business case”.
ASIC v RI Advice Group
In an “Australian first”, the Federal Court found in ASIC v RI Advice Group that the financial services provider had breached its licence obligations to act efficiently, honestly and fairly when it failed to have adequate risk management systems to manage its cyber security risks.
The finding arose from a “significant number” of cyber incidents, the corporate regulator noted, occurring between June 2014 and May 2020. There was a proper basis for making declarations – in a form agreed by ASIC and RI Advice – that, as a result of that failure to manage cyber security risk and cyber resilience, the provider had breached its obligations under s 912A(1)(a) and (h) of the Corporations Act.
In a statement, ASIC deputy chair Sarah Court said: “These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information. It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.
“ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment,” she added.
The court ordered RI Advice to pay $750,000 towards ASIC’s costs and to engage a cyber expert to “identify and implement what, if any, further measures are necessary to adequately manage cyber security risks across RI Advice’s authorised representative network”.
Moreover, Justice Helen Rofe recorded the court’s disapproval of the conduct, noting that the findings should deter other AFSL holders from engaging in similar conduct.
The outcome follows reforms introduced on the back of the Hayne royal commission, under which failure to comply with certain AFS licensing obligations, including obligations relating to how cyber risks are addressed, may give rise to a civil penalty.
In this particular case, those cyber incidents occurred before the reforms were introduced.
Key takeaways for the legal profession
In her judgment, Justice Rofe stressed that cyber security should be front of mind for all licensees.
“Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services,” her Honour said.
“It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”
This is the first time, Allens partners Valeska Bloch, Christopher Kerrigan and James Campbell noted in an insights blog posted on the firm’s website, that ASIC has exercised its enforcement powers for a company’s failure to have satisfactory cyber security and resilience risk management controls.
“While it had all the hallmarks of a test case to establish expectations in relation to cyber risk management, Rofe J’s findings and the orders (which were made by consent) are limited in detail, largely accepting facts agreed between the parties,” the trio wrote.
“Nonetheless, ASIC is following a path well-trodden by its overseas counterparts and we don’t expect this to be a one-off.
“While this case focuses on the particular risks present in the financial services sector, it is now more important than ever that all organisations take steps to improve their cybersecurity posture.”
The proceedings have highlighted, Ms Bloch, Mr Kerrigan and Mr Campbell continued, that “seemingly benign incidents” can have regulatory consequences if not thoroughly addressed.
In conversation with Lawyers Weekly, Herbert Smith Freehills partners Peter Jones, Christine Wong, Cameron Whittfield and Tania Gray said that there is “no bright line test” as to what is or is not acceptable for companies in managing cyber risk.
This will ultimately be fact-dependent, the quartet mused, but it is challenging given the various obligations that might attach, including under financial services, security of critical infrastructure laws and prudential requirements.
What the case of ASIC v RI Advice Group does demonstrate, however, is that “this is not a ‘set and forget’ piece”, they warned.
“Systems and processes for managing cyber risk must respond to the evolving nature and profile of the risks,” they said.
Furthermore, they said, “proper investment in uplift will be important. Given the potentially significant nature of the risks, there is an expectation that identified improvements will be implemented quickly.”
‘Clear message to corporate Australia’
The “landmark” ruling, KordaMentha executive director Noah Jacobson wrote, should sound “major warning bells” about risk management strategies pertaining to cyber.
It sends a “clear message to corporate Australia”, he opined, that regulators are now actively enforcing minimum cyber security expectations.
“Organisations must take seriously the need to implement cybersecurity programs and keep them up to date. The stark reality is, this landmark case is only the beginning as it is now the ideal springboard for all regulators, not just ASIC, to pursue the many similar cases they have waiting in the wings,” he said.
“The case also plainly demonstrates the significant expense saved by onboarding cybersecurity programs and addressing risks before as well as when they arise. RI Advice could potentially have avoided legal action and major financial consequences had it put adequate cybersecurity programs in place and adopted remediation strategies following the attacks on its servers.”
“Significant reputational damage aside (within hours of the ruling Insignia shares fell 1.03 per cent to $3.36), consider the expense now faced by RI Advice. Meeting the court order’s lengthy list of requirements will potentially run into millions of dollars – money that could have been saved by having appropriate risk management in place and addressing issues as they arose,” Mr Jacobson continued.
Those running or acquiring corporations across Australia, no matter their size or industry, are on notice, he surmised.
“If cybersecurity is continually swept under the carpet, dismissed as being too expensive to implement or merely paid lip service, the consequences are now very real and possibly dire,” he said.
Governance and compliance
Clyde & Co partners Avryl Lattin and Alec Christie reflected that this case is “confirmation” of what has been witnessed in the last year or so in terms of increased regulatory focus on cyber security.
The decision may not have established a prescriptive standard for regulated entities, they said, but it is “nonetheless a watershed moment”.
“While this consent judgment did not define specifically what measures AFSL holders must have in place to manage cyber risk, it establishes that a standard of care is required and what is reasonable in the circumstances,” the pair outlined.
“That is, AFSL holders must have appropriate documentation, controls and risk management systems in place to ‘adequately’ manage risk in respect of cybersecurity and cyber resilience. The adequacy of such arrangements is to be determined by experts (such as qualified and experienced IT security firms) but the arrangements must at least meet general community expectations.”
“Of course, the cyber security risk landscape is not static and will require ongoing assessment. AFSL holders will need to constantly assess what is ‘adequate’ on an ongoing basis,” Ms Lattin and Mr Christie added.
RI Advice did not receive a penalty in this case, but it was ordered to pay ASIC’s costs and will have to front up for remediation costs for an uplift to its cyber security.
These costs, Clyde & Co partner John Moran mused, “are likely to be substantial”.
This, he said, “in addition to the defence costs incurred in responding to the litigation, highlights the potential financial exposure associated with regulatory investigations in respect of cyber security”.
“ASIC and other regulators are flexing their muscles in the enforcement space including in relation to ransomware attacks, and so the lessons learned from this case will be useful in determining how to interpret compliance with other regulated regimes,” he advised.
Clyde & Co’s advice, Mr Moran detailed, is that investment in cyber resilience is more important than ever before.
“Perhaps more critically, when an incident happens, focus your investigation not only on identifying the root cause but also ensuring that underlying vulnerabilities and systemic practices are remediated. Too frequently clients get caught up in the ‘storm’ of the incident response aftermath and put remediation work on the long finger,” he said.
“What ASIC is telling us is that repeated breaches will not be tolerated and that they intend to focus on look back exercises to ensure that measures were in place to try and attempt to avoid the incident in the first place, or put in place post incident to avoid reoccurrence.”
Class action risk
There is also, the Allens trio of partners identified, the risk of class actions by shareholders or customers for inadequate cyber measures.
“The common thread across all of these regimes is that organisations need to have adequate and appropriate systems and processes in place to manage cyber risk. Senior level (if not board level) accountability is an essential part of this. These principles should also guide organisations’ approach to risk management more generally,” they noted.
The HSF quartet agreed, noting that a failure by directors to exercise due care and diligence could be a “stepping stone” to such proceedings being launched.
What law firms and in-house teams must do now
The message from this case, Mr Corbett-Wilkins surmised, is clear.
Cyber risk is not something, he said, that should be delegated simply to the IT function. Instead, it must be raised with the broader business risk management decision-makers and be treated as a whole-of-business issue.
“Legal teams have a unique opportunity to bring this issue to the appropriate levels – be it the board, risk and audit committee, or CFO, and should be involved in those discussions if not already,” he stressed.
Law firms and in-house teams, Mr Corbett-Wilkins went on, should use this case as a “marker” for their own practices.
“This decision serves as a useful legal precedent for establishing a nexus between cyber security risk management and compliance with broader professional obligations,” he said.
“It also goes some way to establishing a precedent that could apply across the professional services industry more broadly in terms of their own data handling and cyber security practices.”
Put another way, Mr Corbett-Wilkins noted, this case should not be viewed as unique to financial services.
Another lesson, he added, is that what started out as a series of IT issues ultimately escalated into a high-profile ASIC prosecution involving legal compliance and reputational risk management issues.
As Mr Forsell – the former nbn chief legal counsel – noted last week at the Corporate Counsel Summit, when the legal and IT teams work closely together, a lot can be achieved in both managing cyber risk and driving a business forward.
“This case can and should be used to support further investment in cross-collaboration, as well as further investment in cyber security and legal spend to ensure in-house teams can adequately manage these issues,” Mr Corbett-Wilkins concluded.