A recent Federal Court decision has highlighted ASIC’s determination to pursue legal action over the failure of regulated entities to institute and maintain adequate cyber security and data protection measures. Although there is no “one size fits all” summary of what steps to take or what penalties to expect, the approach of the Court is consistent. Regulated entities must have adequate risk management systems in place that are appropriate to their circumstances, and failure to do so will result in significant civil penalties.
The decision in Australian Securities and Investments Commission v Lanterne Fund Services Pty Limited, handed down on 10 April 2024, was another case brought by ASIC against a holder of an Australian Financial Services Licence (AFSL). It reaffirms the decision of the same court in 2022 regarding action brought by ASIC against another AFSL holder, RI Advice Group Pty Ltd.
Unlike the RI Advice case, which was settled with a consent order and RI Advice paying $750,000 of ASIC’s legal fees, the latest decision resulted in civil penalties of $1.25 million being imposed on Lanterne.
While it is worth noting that there were additional breaches included in the case against Lanterne, and that the penalties included components not directly relevant to cyber and IT failures, it is clear that the courts will impose penalties appropriate for the specific circumstances of each case brought before them.
The specific circumstances a regulated entity finds itself in are also the key to understanding what constitutes adequate systems. In the earlier case, RI Advice had engaged a cyber security firm to improve their systems. Their failing essentially lay in taking too long to institute the recommendations. In the most recent case, Lanterne admitted that it failed to provide adequate risk management systems. That meant there was no need for the Court to decide what systems would have been adequate in the circumstances. In neither case did we get a clear statement of what specific steps (or even a broader picture of the required steps) the business needed to take.
The judge in the Lanterne case, Justice McEvoy, quoted approvingly from Justice Rofe’s observations in the RI Advice case: “The Court’s assessment of the adequacy of any particular set of cyber risk management systems will likely be informed by evidence from relevantly qualified experts in the field”. Different circumstances will have different requirements to meet the standard, and qualified specialists are best placed to make technical judgements on what those would be.
While this might be a little disappointing as it does not set out any guidelines for businesses keen to comply with their obligations, it does seem to point quite clearly to the need to have cyber security specialists advise on what systems are required.
The Lanterne decision also gives us a list of the systems that the Court noted were lacking. For the specific issue of risk management, these included: IT generally (whether internal or external); adequate IT or cyber security infrastructure; an IT resources or security management plan; a back-up disaster recovery protocol; and general compliance software.
Although the specific statutory breaches in both cases were failures as a holder of an AFSL, it seems reasonable to think that courts will adopt a similar approach to dealing with other regulatory issues such as those non-AFSL holders will have under their general duty as directors.
ASIC have identified cyber and operational resilience as a core strategic priority in their four-year corporate plan. It is worth noting that ASIC Deputy Chair Sarah Court, in response to the RI Advice decision, said:
“These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information. It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.”
AFSL holders have a clear statutory obligation. No cases have yet been determined on directors’ duties regarding cyber security. It would be prudent nonetheless for all businesses or organisations that are at risk from cyber attacks to ensure that adequate risk management systems are in place.
Key Takeaways
- Businesses should consider how various statutory and common law obligations can require them to reasonably address cyber security.
- These decisions should be considered a strong warning against complacency or delay in addressing those matters.
- Senior executives and officers must be aware of their obligations to act or delegate.
- Regulators are committed to enforcing the obligations of organisations to mitigate cyber and digital security risks, through the courts where necessary.
- The need for organisations to obtain relevant advice and expertise has been consistently identified by the Court as the appropriate step for organisations to take in addressing this risk.
- Judgments aren’t restricted to the parties involved, and set precedent that affects all businesses that may find themselves subject to the same legal requirements.