A recent Federal Court decision has highlighted ASIC’s determination to pursue legal action over the failure of regulated entities to institute and maintain adequate cyber security and data protection measures. Although there is no “one size fits all” summary of what steps to take or what penalties to expect, the approach of the Court is consistent. Regulated entities must have adequate risk management systems in place that are appropriate to their circumstances, and failure to do so will result in significant civil penalties.

The decision in Australian Securities and Investments Commission v Lanterne Fund Services Pty Limited, handed down on 10 April 2024, was another case brought by ASIC against a holder of an Australian Financial Services Licence (AFSL). It reaffirms the decision of the same court in 2022 regarding action brought by ASIC against another AFSL holder, RI Advice Group Pty Ltd.

Unlike the RI Advice case, which was settled with a consent order and RI Advice paying $750,000 of ASIC’s legal fees, the latest decision resulted in civil penalties of $1.25 million being imposed on Lanterne.

While it is worth noting that there were additional breaches included in the case against Lanterne, and that the penalties included components not directly relevant to cyber and IT failures, it is clear that the courts will impose penalties appropriate for the specific circumstances of each case brought before them.

The specific circumstances a regulated entity finds itself in are also the key to understanding what constitutes adequate systems. In the earlier case, RI Advice had engaged a cyber security firm to improve their systems. Their failing essentially lay in taking too long to institute the recommendations. In the most recent case, Lanterne admitted that it failed to provide adequate risk management systems. That meant there was no need for the Court to decide what systems would have been adequate in the circumstances. In neither case did we get a clear statement of what specific steps (or even a broader picture of the required steps) the business needed to take.

The judge in the Lanterne case, Justice McEvoy, quoted approvingly from Justice Rofe’s observations in the RI Advice case. “The Court’s assessment of the adequacy of any particular set of cyber risk management systems will likely be informed by evidence from relevantly qualified experts in the field”. Different circumstances will have different requirements to meet the standard and qualified specialists are best placed to make technical judgements on what those would be.

While this might be a little disappointing as it does not set out any guidelines for businesses keen to comply with their obligations, it does seem to point quite clearly to the need to have cyber security specialists advise on what systems are required.

The Lanterne decision also gives us a list of the systems that the Court noted were lacking. For the specific issue of risk management, these included: IT generally (whether internal or external); adequate IT or cyber security infrastructure; an IT resources or security management plan; a back-up disaster recovery protocol; and general compliance software.

Although the specific statutory breaches in both cases were failures as a holder of an AFSL, it seems reasonable to think that courts will adopt a similar approach to dealing with other regulatory issues such as those non-AFSL holders will have under their general duty as directors.

ASIC have identified cyber and operational resilience as a core strategic priority in their four-year corporate plan. It is worth noting that ASIC Deputy Chair Sarah Court, in response to the RI Advice decision said:

“These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information. It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.”

AFSL holders have a clear statutory obligation. No cases have yet been determined on directors’ duties regarding cyber security. It would be prudent nonetheless for all businesses or organisations that are at risk from cyber attacks to ensure that adequate risk management systems are in place.

Key Takeaways