Head office - Melbourne +61 3 8636 9100
Sydney office +61 2 9238 8028

Do companies require a cybersecurity risk management plan, under Australian law?

Legal Update – July 2022

Katarina Klaric, Principal, Stephens Lawyers & Consultants

A cybersecurity incident is reported about every 8 minutes in Australia causing significant business disruption and loss[i].  However, there is still a lack of understanding of regulatory obligations concerning cybersecurity and privacy risk management and knowing how to respond to cyber incidents and data breaches and the reporting requirements in respect of cyber incidents and data breaches.  

Companies which experience cybersecurity attacks and do not have adequate cybersecurity risk management plans, policies, systems and controls in place are at risk of prosecution by regulators for contravention of the Corporations Act and the Privacy Act.  They are also exposed to significant business disruption extending to supply channels and customers, resulting in financial losses and reputational damage and damages claims by parties affected by the cyber incident.

Company directors and other officers also face legal action for failing to exercise their duties in the management and control of the company with a reasonable degree of care and diligence[ii] if they have not implemented appropriate cybersecurity risk management and cyber resilience plans. Although a recent survey of company directors found that the number one issue that was keeping directors awake at night was – “cyber-crime and data security”[iii], there still appears to be a significant gap in organisations implementing a formal cybersecurity framework or strategy[iv].

Case Study

Australian Securities and Investment Commission (ASIC) v RI Advice Group Pty Ltd [2022] FCA 496

ASIC obtained court declarations that – RI Advice Group had contravened sections 912A(1)(a) and (h) of the Corporations Act as a result of its failure to have documentation and controls of cybersecurity and cyber resilience in place that were adequate to manage risk in respect of cybersecurity[v] and cyber resilience[vi] across its network of authorised representative providing financial services.

The Federal Court of Australia also made orders for the engagement of a cybersecurity expert for the identification and implementation of further measures required to adequately manage risks in respect of cybersecurity and cyber resilience. RI Advice Group was also ordered to pay a contribution toward ASIC costs in the sum of AUD$750,000.

The court in making the declarations recognised that it is not possible to reduce cybersecurity to “zero” however it is possible to “materially reduce cybersecurity risks” through adequate cybersecurity risk management documentation, programs, systems and controls which covered both cybersecurity and cyber resilience. The court also recognised that controls deployed to address cybersecurity evolve over time.

This case involved nine (9) cyber incidents, which occurred between June 2014 and May 2020 and occurred at the practices of the authorised representatives that RI Advice had licensed to provide financial services pursuant to its Australian Financial Services Licence.  In the course of providing financial services, RI Advice’s authorised representatives handled and stored confidential and sensitive personal information and documents of about 60,000 retail clients. The personal information included personal details, contact information, health information, driver’s licences, passports and other financial information.

The nine (9) cyber incidents compromised the personal information of many clients and included –

  • Hacking of email accounts resulting in fraudulent emails being sent to customers for transfer of funds;
  • Hacking of third party website provider, resulting in a fake homepage on the website of the authorised representative’s website.
  • Unauthorised access and/or hacking of email accounts stored in cloud facilities without proper security and password protection.
  • Ransomware attacks on computers of authorised representatives making data inaccessible.
  • Hacking of a server by brute force through remote access port, resulting in files containing personal information of about 220 clients being held to ransom and ultimately unrecoverable.
  • Unknown malicious agent gaining unauthorised access to servers for a period of several months compromising the personal information of several thousand clients. A number of clients had reported unauthorised use of their personal information.
  • Unauthorised person used an employee’s email to send phishing emails to over 150 clients.

RI Advice admitted that prior to 15 May 2018, it did not have documentation, controls and risk management systems that were adequate to manage risk in respect of cybersecurity across its authorised representative network. RI Advice also admitted that it took too long in implementing the cybersecurity and cyber resilience measures that it had assessed and developed during the period 15 May 2018 to 5 August 2021, across its network. These measures were still being implemented at the time that the court delivered its judgment in May 2022.

The compromise of personal and sensitive information of clients by the cyber incidents would have also resulted in breaches of the Privacy Act requiring notification of the data breach to the Office of the Australian Information Commissioner (OAIC) and resulting compensation claims by clients who had suffered loss.

Some Practical Steps for Cybersecurity and Privacy Risk Management

From a technological and legal perspective, cybersecurity and privacy risk management can be complex and daunting. However, with the right experts the concepts can be explained in a language that can be understood by those who are not “tech savvy”. At an organisational level, some to the practical steps that businesses can take to manage risk include:

  • Use of external expert(s) to assess the risks and assist in the preparation and implementation of appropriate cybersecurity and privacy compliance programs, policies, strategies and policies and controls. With these undergoing regular review and updates.
  • Ongoing training and education of the organisation’s directors, management and employees in respect of cyber security and privacy risks and compliance – and the legal framework and their regulatory obligations.
  • Monitoring and testing of IT systems to detect cyber security vulnerabilities and any attempted or actual unauthorised access to systems or cybersecurity threats or incidents.
  • Development and implementation of response and recovery plans for the effective and efficient response to cyber incidents or privacy breaches including mandatory reporting requirements. The plans should include appropriate data backup and recovery systems, proactive management of supply chain, customer and other third party risks and reputational damage.
  • Insurance cover for losses and costs associated with cyber incidents and privacy breaches. Some insurers are providing the insured organisation access to cybersecurity experts to assist organisations with the management of their risk as a part of the policy cover.

Businesses can also access resources to assist them with management of cybersecurity and privacy risks from the Australian Cybersecurity Centre and the OAIC.

Authored by Katarina Klaric, Principal, Stephens Lawyers & Consultants.

© 19 July 2022 — Stephens Lawyers & Consultants

Disclaimer: This article is not intended to replace obtaining legal advice

For Further Information contact:

Katarina Klaric
Principal
Stephens Lawyers & Consultants

Suite 205, 546 Collins Street
Melbourne VIC 3000
Phone: (03) 8636 9100
Fax: (03) 8636 9199
Email: [email protected] 
Website: www.stephens.com.au 

All Correspondence to:
PO Box 16010
Collins Street West
Melbourne VIC 8007

[i] ACSC Annual Cyber Threat Report – 1 July 2020 to 30 June 2022. The report states that over the 2020–21 financial year, the ACSC received over 67,500 cybercrime reports, an increase of nearly 13 per cent from the previous financial year.

[ii] S180(1) Corporations Act

[iii] Director Sentiment Survey, 1st half 2022. Australian Institute of Company Directors.

[iv] Boards and Cyber Resilience Survey Findings, June 2022. Australian Institute of Company Directors and Australian Information Security Association. This survey found that – only 53% of directors surveyed reported that their organisation had a formal cybersecurity framework or strategy in place.

[v] ASIC v RI Advice Group Pty Ltd [2022] FCA 496 at [57], the court referred to “cybersecurity” as “the ability of an organisation to protect and defend the use of cyberspace from attacks” .

[vi]  ASIC v RI Advice Group Pty Ltd [2022]FCA 496 at[57], the court referred to “cyber resilience”  as “the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber sources”.