ASIC takes enforcement action for cyber-security failings – implications for NZ institutions

ASIC is seeking declarations that, financial advice provider, RI Advice contravened provisions of the Corporations Act (including the obligation to provide financial services “efficiently, honestly and fairly"). The case is a significant development as it represents the first occasion on which the Australian regulator has used financial services regulation to prosecute cyber-security failings.

In New Zealand, the Financial Markets Authority (FMA) and financial institutions will be following this case with interest, as it highlights the potential for general regulatory requirements in New Zealand to be applied in a cyber-security context.

The case is also a reminder for all New Zealand market participants to ensure that they are using a recognised cyber-security framework to assist cyber resilience. This is particularly timely with the NZX Main Board and Debt markets being suspended this week in response to an apparent distributed denial of service attack.

We have summarised the ASIC proceedings and considered the implications of this development below.

Background

RI Advice Group Pty Ltd (RI Advice) is a “financial services licensee" under the Australian Corporations Act 2001. It operates a network of financial advisers across Australia who collect and store confidential and sensitive client information.

The background below is taken from ASIC's court filings. It does not reflect concluded findings of fact.

Between December 2016 and April 2020, RI Advice's adviser network was the subject of six separate cyber-security breaches:

December 2016: a ransomware attack encrypted an adviser's files and rendered them inaccessible.
May 2017: an adviser's local network was hacked via a remote access port that impacted approximately 226 client groups.
December 2017: a malicious user gained access to a server containing confidential client information via unauthorised use of an employee log in. The user spent more than 155 hours logged into the server and used the personal information of clients without their consent. The breach was detected three months after it began and exposed the personal information of more than 8,000 individuals.
May 2018: an unknown third party gained access to an employee's email account and attempted (unsuccessfully) to request a bookkeeper to transfer funds to a Turkish bank account.
August 2019: an unauthorised party compromised an employee's mailbox account.
April 2020: a phishing attack monitored an employee's account and accessed thousands of email addresses and contact details and over 10,000 emails.

After the May 2018 incident, RI Advice and/or the affected members of its adviser network obtained reports from three separate IT-service providers/cyber-security firms. These reports identified a number of deficiencies, including:

At one adviser firm, 90% of desktops had no current anti-virus software, no offsite backups were performed and passwords and other security details were available in text files on the server desktop.
Three out of five specific adviser firms surveyed were identified as having “poor" cyber-security status with no written cyber-security policies or procedures, no structured security governance programme and a high likelihood that a critical cyber-security event would occur in the following 12 months.
RI Advice was advised to immediately conduct a cyber-assurance risk review across all organisations in its adviser network.
KPMG identified that one adviser firm had been the subject of more than 27,000 unsuccessful login attempts using over 2,000 different user names from 10 different countries. It recommended the implementation of the eight essential cyber-security strategies followed by a vulnerability assessment and penetration testing.

In response, RI Advice initiated some discrete cyber-security initiatives. However, it did not conduct cyber-assurance risk reviews across its adviser network. Nor did it implement the strategies that KPMG recommended.

ASIC is seeking declarations that RI Advice contravened provisions of the Corporations Act (including the obligation to provide financial services “efficiently, honestly and fairly"). It has also asked the Court to impose a pecuniary penalty and require RI Advice to implement compliance improvements to adequately manage cyber-security risk and cyber resilience.

ASIC's cyber-security expectations

In ASIC's view, RI Advice did not respond adequately to the cyber-security incidents. ASIC also considered RI Advice's cyber-security risk management systems and resources were inadequate.

As a result of the cyber-security incidents, ASIC said that RI Advice should have:

Adopted a cyber-security framework to guide all of its cyber-related activities,
Undertaken a risk assessment across its entire network of advisers,
Sought technical security assurance across a number of its advisers,
Determined the current cyber-security risks applicable to its adviser network,
Developed and implemented a cyber-security remediation plan, and
Implemented reasonably sufficient and appropriate steps to adequately manage cyber-security risk on an ongoing basis.

According to ASIC, adequate cyber-security risk management systems require tailored documentation and controls in each of the following “cyber-security domains":

governance and business environment,
risk assessment and risk management,
asset management,
supply chain risk management,
access management,
personnel security training and awareness,
data security,
secure system development life cycle and change management,
baseline operational security,
security continuous monitoring,
vulnerability management,
incident response and communication, and
continuity and recovery planning.

However, as at May 2020, ASIC concluded that RI Advice “had still not adopted and implemented adequate and tailored cybersecurity documentation and controls in each of the cybersecurity domains". It commenced proceedings in the Federal Court.

The ASIC proceedings

ASIC has sought declarations that RI Advice has breached section 912A of the Corporations Act 2001. Section 912A imposes a number of general obligations on Australian financial services licence holders, including:

Do all things necessary to ensure that financial services are provided “effectively, honestly and fairly" (912A(1)(a)).
Comply with the condition of its license requiring it to establish and maintain compliance measures that ensure compliance with provisions of the financial services laws 912A(1)(b)).
Comply with the financial services laws (912A(1)(c)).
Have available adequate resources (including financial, technological and human resources) to provide the financial services and carry out its supervisory arrangements (912A(1)(d)) and
Have adequate risk management systems (912A(1)(h)).

ASIC alleges that RI Advice breached each of the above provisions by the conduct described above. In addition to declarations that RI Advice has contravened these provisions, ASIC is seeking a pecuniary penalty. The maximum penalty is the greatest of 50,000 penalty units (currently AU$11.1 million), three times the benefit obtained and detriment avoided, or 10% of annual turnover, capped at 2.5 million penalty units (currently AU$555 million). ASIC has also applied for an order requiring RI Advice to implement adequate cyber-security policies within three months and have them independently audited within five months.

What does this mean for New Zealand financial institutions?

Cyber resilience is an area of increased focus for financial regulators globally. In September 2017, the US Securities and Exchange Commission established a dedicated Cyber Unit within its enforcement division. In October 2018, the UK Financial Conduct Authority fined Tesco Bank £16.4 million for failing to respond to a cyber-attack with sufficient rigour, skill and urgency. In August 2019, the Monetary Authority of Singapore issued a set of legally binding requirements to raise cyber-security standards across financial institutions.

The picture is no different in New Zealand. The FMA has said that all market participants should make use of a recognised cyber-security framework to assist them in planning, prioritising and managing their cyber resilience. The FMA's 2019 Risk Outlook has identified “the rise of cyber-threats" as a particular risk for the banking and insurance sector. Just this week, trading on the NZX Main Board and Debt markets was suspended in apparent response to a distributed denial of service attack.

In that context, ASIC's proceedings provide a relatively novel example of how financial regulation can be used to enforce cyber security standards. Section 912A of the Corporations Act does not contain any specific requirements relating to cyber-security. Rather, ASIC has relied on generalised obligations to act “effectively, honestly and fairly", comply with licence conditions, and have adequate resources and risk management systems.

New Zealand financial institutions should be following these developments with interest. While section 912A of Corporations Act has no direct equivalent in New Zealand, other regulatory requirements could potentially fulfil a similar cyber-security role. For example:

Licensed insurers and non-bank deposit takers are required to have a risk management programme and take all practicable steps to comply with it.
Licensed market operators (such as NZX) are required to have sufficient resources (including technological resources) to operate their licensed markets properly.
Licensed market service providers must comply with the conditions of their licence including by having adequate and effective systems, policies, processes and controls.
Qualifying financial entities must comply with the conditions of their licence including by maintaining governance and compliance arrangements appropriate to their services and ensuring that retail clients receive adequate consumer protection.
Financial advice providers must exercise the care, diligence and skill that a prudent person engaged in the occupation of giving regulated financial advice would exercise in the same circumstances.

ASIC's proceedings are at a very early stage and it remains to be seen whether the Court grants the declarations sought. If ASIC is successful, it could provide a blueprint for a much more robust form of cyber-security regulation for financial institutions. Financial regulators tend to be well funded (in 2019, the FMA reported revenues of NZ$39 million compared to NZ$5.2 million for the Office of the Privacy Commissioner). In addition, breaches of financial regulations typically carry tougher penalties than corresponding breaches of privacy or data protection legislation (the maximum penalties available under the Financial Markets Conduct Act 2013 are considerably greater than those under the Privacy Act 2020).

We will be monitoring the ASIC proceedings closely as they progress through the Federal Court.

If you have any questions about the matters raised in this article, please get in touch with the contacts listed, or your usual Bell Gully adviser.

Disclaimer
This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.