Failure to address cyber security could see directors fall ‘foul of regulatory obligations’, warns ASIC
The corporate regulator has issued a warning to company directors that failure to address cyber security could see them fall short of their regulatory obligations.
Editor’s note: This story first appeared on Lawyers Weekly’s sister brand, ifa.
Commissioner Danielle Press said that the landmark ruling against RI Advice — which found that the local firm breached its licence obligations by failing to have adequate risk management systems to manage its cyber security risks — should serve as a timely reminder for company directors about cyber security risk oversight and disclosure obligations.
In May, Lawyers Weekly unpacked the lessons for lawyers coming out of this “Australian first” case, in which RI Advice was ordered to pay $750,000 towards ASIC’s costs.
“ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience. Failing to do so could cause you to fall foul of your regulatory obligations,” Ms Press said.
“Measures taken should be proportionate to the nature, scale and complexity of your organisation — and the criticality and sensitivity of the key assets held. This includes reassessment of cyber security risks on an ongoing basis, based on threat intelligence and vulnerability identification.
“ASIC also expects this to include oversight of cyber security risk throughout your organisation’s digital supply chain.”
Ms Press said that in a bid to drive a strong “cyber resilience culture”, company directors should look to assess their current risk management framework and make adjustments where needed, inquire about incident response and business continuity plans and ensure access to resources to effectively manage cyber security risks.
Ms Press also reminded directors that they might be required to disclose cyber risks and incidents and that failure to do so may be a breach of their directors’ duties.
Following the ruling against RI Advice, ASIC reported a “significant number” of cyber incidents that occurred at authorised representatives of RI Advice between June 2014 and May 2020, including an incident where “an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons”.
The comments follow predictions that the expanded definition of critical infrastructure sectors may catch small businesses out on failures to report cyber attacks, and a report from a BigLaw firm that such attacks will have “severe financial and reputational consequences” in 2022.
Recently, Lawyers Weekly’s sister brand, Cyber Security Connect, spoke with two BigLaw partners about how cyber has evolved into a legal obligation for businesses and firms.