Beyond Cyber Key lessons in ASIC v RI Advice Group

What you need to know

• ASIC v RI Advice Group Pty Ltd [2022] FCA 496 demonstrates that licensees need to take a holistic approach when assessing incidents.  A relatively small number of incidents over a period, when viewed collectively, can be indicative of broader deficiencies in systems and processes.  
• An AFSL holder's compliance measures across their network of authorised representatives or credit representatives may be insufficient if the measures and their implementation are not regularly audited or monitored. 

What you need to do

• Licensees need to "join the dots" across incidents. They need to ensure they have robust monitoring of incidents to proactively identify broader systemic issues or system deficiencies.
• Avoid delay in developing and implementing improved compliance measures once a deficiency has been identified. 
• Consider compliance measures that are in place in relation to authorised representatives and credit representatives and ensure there is adequate auditing and compliance mechanisms in place to ensure requirements are understood and are being met. 

Background

RI Advice Group had an authorised representative network of between 89 to 119 practices.  Over a six year period (between June 2014 and May 2020), 9 cyber security incidents occurred at those AR practices (ranging from fraudulently sent emails to phishing incidents and hacking attacks). 

Importantly, RI Advice Group had taken a number of steps to manage cyber security risk for its network of authorised representatives, and among other things, had in place contractual 'Professional Standards' and an incident reporting process.  They sought confirmation that all authorised representatives had read and were aware of these compliance measures.  RI Advice Group admitted that these measures were inadequate to manage the cyber security risk. 

RI Advice Group made significant improvements to these compliance measures after becoming aware of the cyber incidents, including taking steps to monitor and audit compliance with the 'Professional Standards' and introducing a Cyber Resilience Initiative to assist their authorised representatives to identify and adopt good practices.  Despite these improvements, RI Advice group admitted it took too long to implement them across their network, and it ought to have had a more robust program to ensure the measures were more quickly in place at each authorised representative practice.

Given these circumstances, the Court found that RI Advice Group had breached its section 912A(1)(a) obligation to do all things necessary to ensure its financial services were provided 'efficiently, honestly and fairly'. 

KEY LESSONS TO BE OBSERVED

Analysing your breach reporting data for emerging patterns

As indicated above, the Court determined that 9 failures of RI Advice Group's compliance system, over 6 years, and across an authorised representative network of between 89-119 practices amounted to an identifiable issue with the compliance system.  This aggregation of incidents illustrates the necessity of viewing incidents holistically and assessing what patterns, collectively, they indicate. 

A necessary characteristic of a good compliance system is monitoring and improvement where any deficiencies are identified.  Identifying emerging trends within the data of incidents would allow an AFSL holder to quickly, and more effectively respond to any systemic deficiencies. 

Recent enhancement of the breach reporting requirements (see How to comply with the new breach reporting regime), give ASIC a greater capability to join the dots between reported breaches and identify broader system failures that may constitute a breach of the 'efficiently, honestly and fairly' obligation.  AFSL holders should be put on notice and ensure that they are also proactively undertaking this analysis. 

Promptly implementing your improved compliance measures 

RI Advice Group became aware of the deficiency in their compliance system by 15 May 2018.  However, the improved measures they developed with the help of specialist experts were only implemented across the majority of authorised representatives by 6 August 2021 (some three years later).  The Court determined that this delay was inconsistent with the standard required. 

A reasonable standard of performance would have included a prompt and robust rectification of the identified deficiencies across the authorised representative network.  As such, when patterns emerge AFSL holders should respond without delay to address identified deficiencies in their compliance systems. 

Auditing (or other monitoring) of your compliance measures

As mentioned above, RI Advice group did have a number of commonly used compliance measures in place to govern the conduct of their authorised representatives.  However, compliance was not audited beyond simply seeking confirmation from authorised representatives that they had read and were aware of the 'Professional Standards'.  This was found to have breached the 'efficiently, honestly and fairly' obligation.  

Consequently, AFSL holders must ensure that they have adequate auditing (or other monitoring) to confirm that the requirements of the compliance measures are actually understood by any authorised representatives, and are being met.  The implementation of compliance measures should be a constantly evolving and iterative process to ensure that AFSL holders are adequately responding to new risks.

Authors: Narelle Smythe, Partner; Lucinda Hill, Partner; Stephanie Cameron, Senior Associate and Nandini Kaushik, Graduate