Cybersecurity requires expert risk management

As noted in the Australis Chambers Digital News article "Why is cybersecurity so important in 2021?" by Dr. Nigel Wilson (australischambers.com), in 2020 ASIC commenced proceedings against an Australian Financial Services Licence (AFSL) holder for the alleged breach of its licence obligations under the Corporations Act 2001 (Cth), for failing to have adequate cybersecurity systems in place following an earlier cyberattack.

In Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, Justice Rofe made consent orders on 5 May 2022 declaring that RI Advice contravened s 912A(1)(a) and (h) of the Corporations Act from 15 May 2018 to 5 August 2021. The contravention arose from its failure to have in place documentation and controls in respect of cybersecurity and cyber resilience that were adequate to manage those risks across its AR network; as a result, it failed to do all things necessary to ensure that the financial services covered by the Licence were provided efficiently and fairly, and failed to have adequate risk management systems.

In doing so, Justice Rofe held:

  • Cyber risks, an adequate response to such risks and building cyber-resilience require appropriate assessment of the risks faced by a business in respect of its operations and IT environment. Cyber risk management is a highly technical area of expertise. The assessment of the adequacy of any particular set of cyber risk management systems requires the technical expertise of a relevantly skilled person.

  • Cyber risk management is not an area where the relevant standard is to be assessed by reference to public expectation. Rather, the adequacy of risk management must be informed by people with technical expertise in the area.

  • Risks relating to cybersecurity, and the controls that can be deployed to address such risks, evolve over time. As financial services are increasingly conducted using digital and computer technology, cybersecurity risk has also increased. Cybersecurity risk forms a significant risk connected with the conduct of the business and the provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk to an acceptable level through adequate cybersecurity documentation and controls.

The Court held that, given the inadequacies in its risk management systems in respect of cybersecurity and cyber resilience, it was appropriate for an external expert to assess the adequacy of RI Advice’s current documentation and controls in respect of cybersecurity and cyber resilience and to assess whether any further measures were required. RI Advice was also ordered to pay $750,000 towards ASIC’s costs.

These findings again reinforce the importance of proactive and positive answers to these questions:

  1. Is your organisation cybersecurity-safe and cyber-risk-aware?

  2. Does your organisation:

    (a) have an effective cybersecurity programme in place to prevent and/or mitigate a cybersecurity event?

    (b) know what to do if a cybersecurity event occurs?

    (c) know what its cybersecurity obligations are, for example, if a data breach involving serious harm occurs?

    (d) have a professionally trained, cybersecurity- and cyber-risk-aware culture?

Professional assistance to address these questions and to provide expert training is available and should be sought, as appropriate.

Dr Nigel Wilson is an Australian lawyer and cybersecurity specialist with nearly thirty years’ experience. He is the author of the international, award-winning Teaching Professionals and is a professional workplace trainer and educator for corporations, legal practices, governments, critical infrastructures and national judicial colleges on law, cybersecurity, regulation, governance, technology, insurance and risk.

Dr Nigel Wilson, Australis Chambers

LLB (Hons), BEc, BCL Oxford, Cybersecurity Harvard, PhD

wilson@australischambers.com | www.australischambers.com | 0413 807 585

Liability limited by a scheme approved under the Professional Standards Legislation
