Every financial services licensee has statutory obligations to do all things necessary to ensure that financial services covered by its licence are provided efficiently and fairly, and to have adequate risk management systems in place.
In an Australian first, the Federal Court has determined in a “test case” prosecution brought by the Australian Securities and Investments Commission that failing to have adequate risk management controls within its cybersecurity constitutes a breach of these statutory provisions.
The financial services licensee, RI Advice, authorised corporate representatives to provide financial services on its behalf.
Following a number of incidents across the RI Advice network between June 2014 and May 2020, RI Advice conceded that it had insufficient practices in place to manage cybersecurity with respect to:
- Controls; and
- Risk management systems.
Examples included licensees’ email accounts being hacked or accessed without authorisation, resulting in a number of clients receiving ‘fraudulent’ email requests for money. The delivery of ransomware, and lack of anti-virus software (including where a ‘Cloud’ storage system is used), compromised servers and storage of client information.
The Court considered that the statutory requirement of financial services to be provided ‘efficiently, honestly and fairly’ is to be read together, and not as three distinct behaviours. The Court cautioned that conduct may fail to meet the statutory obligations even in circumstances where the conduct is not capable of being described as ‘dishonest’. A breach of the standard required within these obligations is not limited to ‘morally wrong conduct in the commercial sense.’ This standard creates an obligation of ‘competence’ on the licence holder. The Court determined that RI advice had breached this standard.
Comment and key takeaways
The increasing digitisation of professional services brings risks with rewards and increasing obligation on businesses to have adequate protections in place with respect to cybersecurity.
ASIC has indicated that cybersecurity and deficiencies in risk management generally will be more closely scrutinised. Organisations should expect that regulators will take an increased interest in assessing entities and their cybersecurity controls. The Deputy Chair of ASIC Sarah Court has indicated that it is imperative that all entities, including licensees, have adequate systems to protect against cyber-attacks.
A starting point for businesses, ASIC’s guide on good practice strategies for cyber resilience, may be accessed here.