ASIC hints at benchmark standards for cyber security
04 November 2021
Financial services and credit licensees may face regulatory action if they fail to have adequate cyber security systems and procedures in place.
ASIC's test case against RI Advice Group Pty Ltd provides some insight into what the regulator considers to be minimum benchmarks for cyber security for financial services licensees.
There is an overwhelming consensus that cyber security risks are, and will continue to be, one of the most dynamic and difficult issues facing companies today. The Australian Cyber Security Centre's 2020-21 Annual Threat Report recorded a 13% increase in cybercrime reports from the previous financial year.
As companies scramble to protect their operations from cyber-attack, the Australian Securities and Investments Commission (ASIC) has confirmed that cyber security is one of its key regulatory priorities for 2021-2022 [1].
In a recent address, ASIC's Deputy Chair posed the question: "How well are you prepared for the real and growing threats posed by operational risks – particularly cyber?" [2]
ASIC's pleadings in its action against RI Advice Group Pty Limited (RI) provide some insight into what the regulator considers to be the minimum benchmark for cyber security needed to comply with the obligations in section 912A of the Corporations Act 2001 (Cth) for financial services licensees and the corresponding obligations under section 47 of the National Consumer Credit Protection Act 2009 (Cth) for credit licensees.
ASIC has said that this 'decisive, deterrence-based enforcement action' against RI will not be its last. The regulator has vowed to 'ensure regulatory incentives for cyber resilience remain in open play'.
Financial services and credit licensees are likely to be at the centre of ASIC's focus on minimum cyber security requirements because they hold large volumes of confidential and sensitive client information, and that information is increasingly held in digital form, making it vulnerable to cyber-attack.
In August 2020, ASIC commenced proceedings against RI for failing to have adequate cyber security systems and processes to appropriately manage cyber security risk. RI sought to have parts of ASIC's case struck out but the Federal Court, handing down its judgment in October this year, dismissed RI's application. The case will go to trial in April 2022.
Between 2014 and 2020, certain authorised representatives of RI were subject to multiple cyber security incidents, including ransomware and hacking attacks. Cyber criminals obtained access to sensitive client information as a result of these attacks.
ASIC claims that RI failed to:
a) implement plans, procedures, guidelines, frameworks, systems, resources and controls to adequately manage cyber security risk;
b) properly review and monitor the effectiveness of cyber security controls relevant to these incidents;
c) adopt and implement adequate and tailored cyber security documentation and controls; and
d) identify the cause of each of the alleged cyber security incidents and use that information to mitigate future risk of cyber-attacks.
As a result, ASIC pleads that RI contravened sections 912A(1)(a), (b), (c), (d) and (h) of the Corporations Act. ASIC claims that RI:
Although ASIC's case against RI is yet to be decided by the court, it provides a guide to what ASIC expects are minimum benchmark standards in respect of cyber security and cyber resilience. These include:
Ultimately, the question of whether there is a mandated industry benchmark or baseline for financial services and credit licensees in relation to cyber security and cyber resilience will be determined by the court. However, the Minimum Cybersecurity Requirements embodied in the 68 documents identified by ASIC's expert provide licensees with a working framework of minimum standards that reflects ASIC's current expectations.
In light of the recent changes to breach reporting (see How to comply with the new breach reporting regime), financial services and credit licensees should continuously monitor and maintain cyber security systems to mitigate the risk of non-compliance with the core obligations in section 912A(1) or section 47(1) and to:
Authors: Rob Hanley, Partner (Ashurst Strategic Governance Services – Legal Governance Advisory); Edmond Park, Counsel (Ashurst); Maxine Viertmann, Lawyer (Ashurst Strategic Governance Services – Legal Governance Advisory).
[1] ASIC Corporate Plan 2021-25, pages 4-5, 8, 15-16, 21.
[2] Australian Institutional Investor Roundtable, a speech by Deputy Chair Karen Chester to the Australian Institutional Investor Roundtable hosted by the Standards Board for Alternative Investments, Thursday 22 April 2021: https://asic.gov.au/about-asic/news-centre/speeches/australian-institutional-investor-roundtable/