When the Federal Court of Australia ruled that financial services licensee RI Advice breached its legal obligation to have adequate cybersecurity systems in place, it set a clear precedent for the industry.
Digital Nation Australia spoke to Shane Bell, partner, cyber at McGrathNicol, who acted as an independent cybersecurity expert on the case, about the broader impacts on the industry.
“What it means is it's pretty clear that ASIC has built cybersecurity into its monitoring and compliance regime for its regulated entities,” said Bell.
“If organisations were unsure about whether cybersecurity was something that was of interest to the regulator, then I don't think that they can be unsure about that anymore.”
RI Advice experienced nine cybersecurity-related incidents involving unauthorised access or ransomware.
According to Bell, the incident referenced in the judgement with the most significant ramifications involved unauthorised access, sustained over a period of time, to a computer system holding client data.
“The judgment essentially says that there were some inadequacies or some failings in meeting a particular standard, or adequately managing risk to a required level,” said Bell.
As this case was the first time ASIC had pursued and brought action against a regulated entity for cybersecurity-related issues, Bell said the outcome is a reminder to intermediaries of the importance of developing an approach to managing cyber risk.
“If you’re not doing anything, you need to be doing something,” he said.
“If you are doing something, what you are doing needs to be risk-informed and you need to be actively managing the risk.”
Bell said that organisations need to articulate their program of work relating to cybersecurity and adopt a risk approach commensurate with the risk profile of the organisation.
“It needs to be geared towards managing risk, which means you need to have understood what your risk profile is and laid out what your risk appetite is and therefore what your strategy is for managing risk to the levels of which you're comfortable carrying that within your organisation,” said Bell.
“You need to call on the expertise of both internal and external experts in the area of cybersecurity to make sure that the strategic program that you're executing is a fulsome program, is representative of what would be an industry good standard, isn't set and forget. I don't think you can solve the issue of cybersecurity risk by doing a couple of things now, and then not doing anything for a couple of years. It's about continuous learning and uplift.”
Lessons from RI Advice vs ASIC case: McGrathNicol partner Shane Bell
Precedent set for industry.
© Digital Nation