In a landmark decision, the Federal Court has ruled that Australian financial service licensees are legally responsible for their cyber security defences. Given the valuable financial and personal data these firms hold, it comes as no surprise that ineffective cyber security measures will now carry very serious legal consequences.
The Federal Court came to this conclusion after an action was brought by the Australian Securities and Investments Commission (ASIC) against investment firm RI Advice. It found that RI Advice had breached its licence obligations and ruled that the group did not act ‘efficiently and fairly when it failed to have adequate risk management systems to manage its cyber security risks.’
The case reached the Federal Court after nearly six years of cyber security incidents, including unauthorised access to a file server. The court also ordered RI Advice to undertake, within a month, security training delivered by an independent security organisation, to implement the security measures that organisation recommends, and to pay $750,000 towards ASIC’s costs.
Announcing the win, ASIC said similar incidents had occurred at RI Advice’s authorised representatives over nearly six years, from June 2014 to May 2020. According to ASIC, this included an incident where “an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons”.
On the bench, Federal Court Justice Helen Rofe said the responsibility of cyber risk management should belong to the firms in possession of the data.
“Cyber security risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cyber security risk to zero, but it is possible to materially reduce cyber security risk through adequate cyber security documentation and controls to an acceptable level,” Justice Rofe said.
ASIC deputy chair Sarah Court also commented on the necessity of businesses making an active effort to defend and protect client information.
“These cyber attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information. It is imperative for all entities, including licensees, to have adequate cyber security systems in place to protect against unauthorised access.”
This ruling highlights the importance of implementing stronger cyber security measures and should prompt organisations to take action. While protecting customer data has always been an ethical and moral obligation, it is now undoubtedly a legal one. A decision like this sets a benchmark not just for the finance industry, but for all enterprises, to ensure adequate cyber security systems are in place to protect their business assets, reputation and clientele.