ASIC's cybersecurity test case in the clear
The Federal Court has found that ASIC's pleaded case is sufficiently clear to allow it to proceed with its claims (the first of their kind) against an AFSL holder, RI Advice Group, for failing to maintain "minimum cybersecurity requirements" pursuant to the general obligations imposed on licensees under Australia's Corporations Act.
On 21 August 2020, the Australian Securities and Investments Commission (ASIC) commenced proceedings against RI Advice Group Pty Ltd (RI Advice) for alleged contraventions of s912A(1) of the Corporations Act 2001 (Cth) (the Act).
RI Advice provides financial service advice to retail customers through a distributed national network of "authorised representatives" and holds an Australian Financial Services Licence (AFSL).
ASIC alleges that between 2014 and May 2020, a total of 10 cybersecurity incidents were experienced by "various" RI Advice authorised representatives and that RI Advice contravened s912A(1)(a)-(d) and (h) of the Act by failing to have:
"adequate cybersecurity documents and controls in place, and not identifying the cause of each of the cybersecurity incidents and using that information to mitigate future risk of cyber-attack".
Section 912A(1) of the Act imposes various general requirements on AFSL holders. It provides that:
"A financial services licensee must:
(a) do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly; and
(b) comply with the conditions on the licence; and
(c) comply with the financial services laws; and
(d) subject to subsection (4) – have available adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence and to carry out supervisory arrangements; and…
(h) subject to subsection (5) – have adequate risk management systems;…"
ASIC's allegations are supported by an expert report written by a cybersecurity expert (the Expert Report) and the pleadings included several schedules which contained multiple "publicly available" cybersecurity industry documents setting out 13 Cyber Security Domains that ASIC allege amount to an appropriate cybersecurity framework for an AFSL holder such as RI Advice. The 13 Cyber Security Domains include:
- Governance and business environment;
- Risk assessments and risk management;
- Asset management;
- Supply chain risk management;
- Access management;
- Personnel security, training and awareness;
- Data security;
- Secure system development life cycle and change management;
- Baseline operational security;
- Security continuous monitoring;
- Vulnerability management;
- Incident response and communications; and
- Continuity and recovery planning.
The pleadings did not state that ASIC relied on an expert opinion, nor did they refer to the Expert Report directly; rather, they referred only to the source documents or industry standards identified in the Expert Report.
This point was not lost on the Judge hearing an application to strike out ASIC's pleading (discussed further below), Justice Rofe, who was critical of ASIC's approach to the pleadings, which in her Honour's view 'over-elevated' the significance of the industry standards, before going on to remind ASIC of its obligations as a model litigant.
The ASIC pleadings alleged that RI Advice should have in place "baseline Cybersecurity Documentation and Controls necessary to adequately manage risk in respect of cybersecurity and cyber resilience for itself and across its [authorised representative] network". This 'baseline' was based on some 68 documents and was alleged to represent "the minimum standard required to satisfy the obligation imposed by s 912A(1) of the Act."
RI Advice applies to have ASIC pleadings struck out
On 28 July 2021, RI Advice sought orders to have a significant number of paragraphs in ASIC's further amended statement of claim struck out on account of being "evasive or ambiguous" or "likely to cause prejudice, embarrassment or delay" and/or failing "to disclose a reasonable cause of action".
RI Advice submitted that the pleadings and the supporting minimum cyber security requirements suffered from three principal defects (in summary):
- they were expressed in a vague, imprecise, jargonistic and convoluted manner;
- they failed to provide (by material fact or particulars) why RI Advice was required to meet these minimum cybersecurity standards; and
- it was unclear whether the "rolled up" allegations pleaded under s912A (that RI Advice failed to meet all or some of the "unstated" minimum cybersecurity requirements) amounted to a contravention of each paragraph of s912A(1)(a)-(d) and (h).
Obligation to maintain a minimum standard of cybersecurity stems from the Act – not a breach of some other duty (e.g. an industry standard)
Rofe J rejected RI Advice's application, finding that ASIC's pleadings were capable of being understood and that they adequately set out the regulator's case against RI Advice.
Her Honour also affirmed that a "contravention of the 'efficiently, honestly and fairly', standard of s912A(1)[(a)] does not require a contravention or breach of a separately existing legal duty or obligation, whether statutory, fiduciary, common law or otherwise", where "otherwise" could be taken to mean the publicly available cybersecurity standards pleaded by ASIC or the industry standards ASIC relied on. Rather, the "statutory standard itself [is] the source of the obligation".
Rofe J found, and ASIC "confirmed", that the publicly available industry standards "are not part of ASIC's case, other than in the sense that [the Expert] refers to them in the course of his reasoning set out in the [Expert] Report".
Rofe J dismissed the strike out application but made orders that ASIC clarify their pleadings by filing a "second further amended statement of claim" that incorporates "… the extensive further and better particulars" provided to RI Advice on 23 December 2020 and for ASIC to "remove the sources of confusion" identified by her Honour in dealing with RI Advice's application, which included among other things that:
- the further and better particulars provided were "extensive" and "difficult to navigate" (comprising 134 pages of pleading and seven schedules totalling 94 pages);
- the 13 Cybersecurity Domains set out in the pleadings used similar expressions to those in the alleged contraventions;
- the ASIC pleadings did not clarify that the source of the minimum cyber security standards was an expert opinion;
- the pleadings did not provide why RI Advice should have adopted the minimum cyber security standards referred to (i.e. ASIC's pleadings did not suggest that RI Advice was obligated, by any industry standard or practice, to adopt the minimum cyber security standards); and
- the minimum cyber security standards pleaded included multiple references to other industry standards.
This interlocutory finding should serve as a warning to AFSL holders that ASIC will continue to examine whether their cybersecurity framework is 'fit for purpose' and will take action where this is not the case, even if the minimum standard of cyber security required pursuant to s912A of the Act remains somewhat unclear.