Federal Court sets standard for cyber security management
In the first decision of its kind in Australia, on 5 May 2022, the Federal Court in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 established a legal precedent for the standard of cybersecurity diligence expected of businesses, directors and officers.
The Court found that RI Advice Group failed to have in place adequate risk management systems in relation to cybersecurity and cyber resilience of the Group’s operations.
RI Advice Group's failure to have adequate documentation, controls and risk management systems in place to manage cybersecurity risk left the business vulnerable to multiple cyber incidents. These included ransomware attacks and an attack in which an intruder had unauthorised access, over a number of months, to a file server containing confidential and sensitive personal information of several thousand clients.
The case involved provisions of the Corporations Act governing financial services licences.
However, the Court’s findings are likely to have very broad implications for the standard of care and diligence that the law requires of businesses, and company directors and officers in relation to cyber security matters.
In that regard, the Court considered that a reasonable standard of cybersecurity risk management should be determined by reference to appropriately qualified expert knowledge in the circumstances. The Court made the following observation:
“Cybersecurity risk forms a significant risk connected with the conduct of the business … It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level”.
The case emphasises that the law will hold businesses accountable if they do not undertake a proper cybersecurity risk assessment and implement cybersecurity management systems and controls that are reasonably appropriate to the business's cybersecurity risk profile.
Directors who fail to ensure that companies implement and maintain an adequate cybersecurity management system as part of the company’s risk governance framework may be breaching their duties as directors under the Corporations Act and the general law.
The author would like to thank associate Lachlan Chuong for his assistance with this article.
This article provides general commentary only. It is not legal advice. Before acting on the basis of any material contained in this article, seek professional advice.