Ignore Cyber Protection – Pay the Price: Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496

It has happened: a company that failed to implement proper cyber security measures in Australia has been taken to court by the regulators, with the company ordered to pay costs of $750,000.

In the matter of the Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, the Court found that a financial services provider had breached its licence obligations, and failed to act efficiently or fairly by not having in place adequate risk management systems to cater for risks arising in relation to cyber security.

Even though the company had experienced a number of cyber incidents, it failed to take steps to properly manage the risk, and in doing so breached its obligations under section 912 of the Corporations Act 2001.

In handing down her decision, Justice Rolfe noted that "cyber security risk forms a significant risk connected with the conduct of the business and the provision of financial services".

Whilst it was recognised that it was not possible to reduce cyber security risk to zero, it was "possible to materially reduce cyber security risks through adequate cyber security documentation and controls to an acceptable level".

Readers are reminded of earlier articles on cyber security in which we referred to the Essential Eight, and observed that, at some stage in the future, courts would likely take a negative view of those who do not implement basic cyber security measures.

Although this case related to a statutory breach in the financial services industry, it is now more important than ever for organisations to take steps to improve their cyber security positions.

Not only has this case marked the first time the courts have dealt with the issue in Australia, but it is also likely to be the first of many.

If you are a business owner or sit on the board of a larger enterprise, it is crucial to have a full understanding of your obligations in relation to cyber security. You must have adequate and appropriate systems and processes in place to manage that risk.

Essentially, the matter of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 shows how quickly things can escalate. The enterprise started with a series of IT issues, which ultimately culminated in an ASIC prosecution.

That prosecution resulted in a $750,000 contribution towards ASIC’s costs, and an obligation to put in place proper security measures moving forward – plus, of course, the significant damage (both immediate and reputational) that flowed from the cyber security attacks themselves.

We take this opportunity to remind readers of our previous article in relation to developments in the United States.

There was a prosecution a few years ago by the Federal Trade Commission (the FTC is the equivalent of the Australian Competition and Consumer Commission) against an organisation for posting misleading representations on its websites regarding how the company safeguarded customer information. In the 2015 matter of FTC v Wyndham, the Federal Trade Commission alleged that Wyndham unfairly failed to maintain reasonable data security practices, leading to three separate data breaches involving hackers accessing sensitive consumer data.

The incidents resulted in the export of hundreds of thousands of consumers' payment card and personal information to a domain registered in Russia and more than $10.6 million in fraud loss.

The company was alleged to have violated Section 5 of the Federal Trade Commission Act, which prohibits deceptive and unfair practices in commerce. Allegedly, Wyndham did not have several of the essential IT controls in place to protect its data, failing to implement firewall protection, provision access appropriately, enforce strong authentication parameters, and so on.

Furthermore, Wyndham neglected to mitigate known IT vulnerabilities – despite what its website asserted. The matter ultimately settled.

So, apart from regulatory compliance and a potential breach of duty to your customers and clients, misleading people about the state of your cyber security systems may also result in actions against the company.

If you have a query relating to any of the information in this article, or you require assistance with compliance, policies or procedures, please don’t hesitate to get in contact with Holman Webb’s Technology Law Group today.