The Federal Court of Australia has set a ground-breaking new precedent for cyber security. This important new judgment, which has wide-reaching implications for IT management, is the result of a case focused on appropriate cyber security controls.
“On 5 May 2022, the Federal Court of Australia delivered its judgment in ASIC v RI Advice Group Pty Ltd – the first case dealing with the issue as to whether failure to manage cyber risk is a breach of financial services obligations” writes global law firm Clyde & Co.
The case established that failing to manage cyber risk is in fact, a breach of financial services obligations.
In her judgment, Justice Rofe noted that RI Advice had ‘a number of inadequate risk management practices across its network’ and failed to have ‘appropriate cyber security controls and cyber resilience in place to manage not only its own cyber risks, but those across its network of authorised representatives as well’ as reported by ASIC.
She made it clear that ‘cybersecurity should be front of mind for all AFS licensees’. She acknowledged that while ‘it is not possible to reduce cybersecurity risk to zero … it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls…’
Importantly, it was emphasised that while there is a community expectation that reasonable cyber security measures are in place, the adequacy of cyber risk management must be determined by technical experts.
ASIC has since published guidance outlining the critical measures AFSL holders are now expected to have in place.
Key Takeouts
- AFSL holders must adequately manage cybersecurity risks.
- All organisations must regularly re-assess their cyber risks and ensure their detection, mitigation and response measures adequately support the business and the sensitivity of information they hold.
- Cyber risk management is a highly technical area of expertise. The assessment of any cyber risk management system requires the technical expertise of a relevantly skilled person.
- It is not possible to reduce cyber security risk to zero, but it is possible to materially reduce it to an acceptable level through adequate cyber security documentation and controls.
- Failure to implement necessary measures in a timely manner can constitute a breach of financial services obligations.
- ASIC will take enforcement action when an AFS licensee does not meet these obligations.
- This case is the culmination of ASIC’s focus on cyber security over the past 18-24 months. The emphasis on building cyber resilience is also in line with developments in other regulated sectors and the requirements foreshadowed by the critical infrastructure changes late last year and early this year.