Do businesses need a cybersecurity risk management plan, under Australian law?


A cybersecurity incident is reported approximately every 8 minutes in Australia, causing significant disruption and loss to business[i]. However, there is still a lack of understanding of the regulatory obligations regarding cybersecurity and privacy risk management, of how to respond to cyber incidents and data breaches, and of the reporting requirements that apply to cyber incidents and data breaches.

Companies that experience cybersecurity attacks and do not have adequate cybersecurity risk management plans, policies, systems and controls in place risk being prosecuted by regulators for violating the Corporations Act and the Privacy Act. They are also exposed to significant business disruptions extending to supply channels and customers, resulting in financial loss, reputational damage and compensation claims by parties affected by the cyber incident.

The directors and other officers of the company are also exposed to legal action for failing to exercise their functions of management and control of the company with a reasonable degree of care and diligence[ii] if they have not implemented appropriate cybersecurity and cyber-resilience risk management plans. Although a recent survey of business leaders revealed that the number one issue keeping directors up at night was “cybercrime and data security”[iii], there still appears to be a significant gap in organizations implementing a formal cybersecurity framework or strategy[iv].

Case study

Australian Securities and Investments Commission (ASIC) v RI Advice Group Pty Ltd [2022] FCA 496

ASIC obtained declarations from the court that RI Advice Group had contravened sections 912A(1)(a) and (h) of the Corporations Act because it failed to have in place cybersecurity and cyber-resilience documentation and controls that were adequate to manage risk with respect to cyber security[v] and cyber resilience[vi] across its network of authorized representatives providing financial services.

The Federal Court of Australia also ordered RI Advice Group to engage a cybersecurity expert to identify and implement any additional measures necessary to adequately manage its cybersecurity and cyber-resilience risks. RI Advice Group was also ordered to pay a contribution to ASIC’s costs in the amount of AU$750,000.

In making the declarations, the court acknowledged that it is not possible to reduce cybersecurity risk to “zero”, but that it is possible to “significantly reduce cybersecurity risks” through adequate cybersecurity risk management documentation, programs, systems and controls that cover both cybersecurity and cyber resilience. The court also recognized that the controls deployed to address cybersecurity evolve over time.

This case involved nine (9) cyber incidents, occurring between June 2014 and May 2020 within the practices of authorized representatives that RI Advice had authorized to provide financial services under its Australian Financial Services License. In the course of providing financial services, the authorized representatives of RI Advice handled and stored personal information and confidential and sensitive documents of approximately 60,000 retail clients. The personal information included personal details, contact details, health information, driver’s licenses, passports and other financial information.

The nine (9) cyber incidents compromised the personal information of numerous customers and included:

  • Hacking of email accounts, resulting in fraudulent emails being sent to customers requesting the transfer of funds.
  • Hacking of a third-party website provider, resulting in a fake homepage on an authorized representative’s website.
  • Unauthorized access to and/or hacking of email accounts stored in cloud facilities without proper security and password protection.
  • Ransomware attacks on the computers of authorized representatives, making data inaccessible.
  • Brute-force hacking of a server through a remote access port, resulting in files containing the personal information of approximately 220 customers being held for ransom and ultimately unrecoverable.
  • An unknown malicious agent gaining unauthorized access to servers for several months, compromising the personal information of several thousand customers. A number of customers reported unauthorized use of their personal information.
  • An unauthorized person using an employee’s email account to send phishing emails to over 150 customers.

RI Advice admitted that prior to May 15, 2018, it did not have adequate documentation, controls and risk management systems in place to manage cybersecurity risks across its network of authorized representatives. RI Advice also admitted that it took too long to implement, across its entire network, the cybersecurity and cyber-resilience measures it had assessed and developed during the period from May 15, 2018 to August 5, 2021. These measures were still being rolled out when the court delivered its judgment in May 2022.

The compromise of personal and sensitive customer information in these cyber incidents would also have resulted in breaches of the Privacy Act, requiring notification of the data breach to the Office of the Australian Information Commissioner (OAIC) and exposing the company to compensation claims by customers who suffered losses.

Some practical steps for managing cybersecurity and privacy risks

From a technological and legal perspective, managing cybersecurity and privacy risks can be complex and daunting. However, with the right experts, concepts can be explained in a language that can be understood by those who are not “tech savvy”. At the organizational level, some of the practical steps companies can take to manage risk include:

  • Use of external experts to assess risks and assist in the preparation and implementation of appropriate cybersecurity and privacy programs, policies, strategies and controls. These should be subject to regular review and update.
  • Ongoing training and education of the organization’s directors, management and employees regarding cybersecurity and privacy risk and compliance, as well as the legal framework and their regulatory obligations.
  • Monitoring and testing of computer systems to detect cybersecurity vulnerabilities and any attempted or actual unauthorized access to systems, cybersecurity threats or incidents.
  • Development and implementation of response and recovery plans for an effective and efficient response to cyber incidents or privacy breaches, including mandatory reporting requirements. Plans should also cover data backup and recovery systems, proactive supply chain management, customer and other third-party risks, and reputational damage.
  • Insurance coverage for losses and costs associated with cyber incidents and privacy breaches. Some insurers provide the insured organization with access to cybersecurity experts to help it manage its risks under the policy coverage.

Businesses can also access resources to help them manage cybersecurity and privacy risks from the Australian Cyber Security Centre and the OAIC.
