Landmark ruling enforces governance requirements for cyber risk management for all Australian businesses.
Federal Court Hands Down Landmark Ruling Relating to Cyber Security Risk Management.
On May 5, 2022, the Federal Court handed down a judgement that may have significant implications for the financial sector. The case was brought by ASIC against RI Advice Group PTY LTD, and the court found that there was a proper basis for making declarations, in this instance agreed to by ASIC and RI Advice, that as a result of failing to adequately manage cyber security and cyber risk, RI Advice was in breach of its obligations under section 912A(1)(a) and (h) of the Corporations Act 2001 (Commonwealth).
This is a somewhat surprising outcome given the Corporations Act is now 21 years old. The ruling demonstrates the foresight shown by the authors of this piece of legislation. The relevant section states that corporations must do all things necessary to ensure that the financial services covered by the licence are provided efficiently and fairly, and that the company has adequate risk management systems in place.
The application of ‘risk management systems’ to cyber security protection sends a strong message to the sector. This is the first time that ASIC has exercised its enforcement powers for a company’s failure relating to cyber resilience risk management controls and the first time section 912A of the Corporations Act has been used in this manner.
The finding has the hallmarks of a test case to establish expectations in relation to cyber risk management and therefore puts all financial entities on notice. The ruling was made by consent and based on agreement between all parties. Cases of this kind have been brought by regulators overseas, and this is not expected to be the last of its kind in Australia. It signals ASIC’s emerging preparedness to hold financial companies to account in relation to their online protection practices and perceived risk management deficiencies.
Although section 912A only applies to the holders of an Australian Financial Services Licence, we can expect other regulatory bodies such as APRA and the OAIC to become more vigilant when it comes to cyber security practices. This will place an onus on thousands of Australian organisations, their boards and senior management, to lift their cyber security game. Failure to do so may lead to direct legal action. Fighting regulators through the courts is a long, slow, and costly process, and with test cases in place, we would expect early settlements to be the most likely outcome of future cases.
Australian oversight bodies such as ASIC are often criticised for their lack of vigour. They are seen by many as slow-moving bodies with an inability to remain abreast of the changes within their domain. This case may signal a willingness to challenge that perception.
Whatever your view of Australian regulators, now might be the time to ensure your organisation’s cyber security resilience policies and procedures would withstand close external scrutiny.
This is where Intalock’s Advisory Service can help you thoroughly assess the current state of your security operations and maturity levels to protect your systems and assets better.
Applying industry-standard risk assessments, we deliver a comprehensive review of the risks organisations face, including recommendations and treatment methods across:
- Threat, Risk & Response
- Audit & Compliance
- Strategy & Framework
Learn more about the Intalock Advisory Service and how to protect your organisation with cyber security solutions.
Download the Intalock Advisory Services Overview – Information sheet.
If you are experiencing a cyber-attack now, contact the Emergency Hotline 1300 554 798 or