In the first case brought by the Australian Securities and Investments Commission (ASIC) against a financial services licensee concerning cybersecurity, the Federal Court of Australia has ruled for the first time that financial service providers have an obligation to adequately manage cybersecurity risks.
Australian Securities and Investments Commission v RI Advice Group Pty Ltd  FCA 496
In a judgment delivered on Thursday, the Federal Court found that an Australian Financial Services licensee breached its general obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks. Justice Helen Rofe concluded that RI Advice, a financial planning licensee formerly owned by ANZ and now part of Insignia Financial, contravened the Corporations Act by failing to implement adequate cybersecurity and cyber resilience controls following nine cyberattacks that put confidential and sensitive client data at risk. The company has been ordered to pay AU$750,000 toward ASIC's costs, and to engage a cybersecurity expert to identify what, if any, further measures are necessary to adequately manage cybersecurity risks across RI Advice's authorised representative network and to report on RI Advice's implementation of those further measures.
In her reasons, Justice Rofe said, “It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”
The case is believed to be the first in Australian legal history relating to the cybersecurity obligations of financial firms.