The outcomes of two recent landmark court cases will help to establish a new level of cyber precedent in Australia which has governance implications for boards and directors.
For Australian company directors, the cyber security space is overflowing with principles and ‘how to’ guides.
There are principles about patching, passwords and people. There are principles about physical security, phishing and firewalls.
Amid this avalanche of information, directors must satisfy themselves that the organisations they govern are reasonably protected from cyber risks, a tenuous task in the lightning-fast digital world.
Until recently, there has been little legal precedent supporting these principles – and without such precedent, principles can be difficult to enforce. This is especially the case for boards, which oversee a range of varied and diverse competing priorities.
However, the last month has served up two landmark cases that will help establish a new level of cyber precedent in Australia – one in the Federal Court and one in the ACT Civil and Administrative Tribunal (ACAT). Both cases deserve the utmost attention from senior management, boards and directors as our nation navigates a new era of cyber security uplift. These cases should not be dismissed as just technical ‘principles’.
ASIC v RI Advice Group
After years of legal wrangling, the Federal Court released its highly anticipated judgment into action brought by the Australian Securities and Investments Commission (ASIC) in 2020 against RI Advice Group (RI Advice). ASIC claimed RI Advice had inadequate cyber security controls in place, which the company failed to remedy despite being aware of the issues. This resulted in sensitive client information being compromised multiple times over a six-year period, a brute force ransomware attack and one client losing $50,000.
In its judgement, the court found RI Advice had contravened the Corporations Act “as a result of its failure to have documentation and controls in respect of cybersecurity and cyber resilience in place that were adequate to manage risk in respect of cybersecurity and cyber resilience”.
While the judgement’s level of detail was reasonably limited given a settlement had been reached, RI Advice was ordered to pay a contribution towards ASIC’s costs, totalling $750,000, and to undertake a comprehensive cyber security overhaul, to be monitored by the court, within a month of the judgement.
Importantly, in the judgement, Her Honour Justice Rofe highlighted the central importance of organisational cyber security, stating: “Cyber security risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level”.
Ultimately, this judgement highlights that ASIC will be paying close attention to the cyber security practices of organisations that fall under its remit – and is prepared to take action. And while the RI Advice action did not address issues at the board level, it signals that organisational cyber security is a priority for ASIC, with the potential to capture director conduct. It is a clarion call to all organisations right across the economy that the Corporations Act will be enforced as it relates to cyber security and it is only a matter of time before more cyber-related actions are brought before the courts.
SME dispute over business email compromise
The second case, a civil dispute between a vendor and a customer in the ACAT, is pertinent to all businesses, but small and medium enterprises (SMEs) should pay careful attention. They are a prime target for cyber criminals and generally have lower cyber protections – the soft underbelly of Australia’s cyber security ecosystem.
The case involved a machine supply company (the applicant) and a diesel fitting business (the respondent), with the respondent seeking to purchase a machine from the applicant. A deal was struck and bank details for the $5499 purchase exchanged.
Unfortunately, the respondent’s emails had been compromised by a cyber criminal. Within hours the criminal sent a fake email (purporting to be from the seller) informing the buyer the seller’s bank account details had changed, with the funds to be deposited in a different account. By the time both parties realised what had happened, the money was long gone.
This type of crime, known as business email compromise (BEC), is on the rise. According to the Australian Cyber Security Centre, Australians reported more than 4600 BECs equating to $81 million in thefts in 2020-21.
In this case, the applicant brought the matter to the ACAT to recover the $5499 owing. The respondent argued that payment had been made in good faith and therefore there was no case to answer, despite the money being stolen by a cyber criminal and the applicant never receiving the funds. Ultimately, the ACAT ruled in favour of the applicant, finding that “responsibility for correct payment rests with the respondent and it was incumbent upon the respondent to exercise care in ensuring payment was made. The money was paid into an account that did not belong to the applicant and it remains unpaid”.
For directors, a key takeaway from this decision is that basic cyber hygiene to help prevent email systems being compromised is vital. It also highlights that boards have a role to play in mandating regular, basic cyber training for all staff employed by an organisation on common forms of cyber compromise, like phishing and BEC. Staff need to know what to look out for and to whom suspicious behaviour should be reported. The ‘human’ element of cyber security can never be underestimated.
As Australia races towards an increasingly digitised economy and more businesses, large and small, house valuable data on internet-facing systems – which is a good thing – cases like these may unfortunately become more prevalent. But they don’t have to.
Key steps that boards should be taking
While there is no perfect solution to the cyber security puzzle, no silver bullet to prevent cyber crime, there are steps all organisations can and should be taking to bolster their cyber defences. And boards have a key role to play.
And while principles are essential, there are three key concepts upon which all organisational approaches to cyber security should rest, from the board down – risk, resilience and recovery:
- Know what key risks are and manage them appropriately in a way that uniquely suits your organisation. There is no one-size-fits-all approach. Cyber risk cannot be eliminated but can be effectively managed.
- Build up cyber resilience to deal with identified risks but also ensure that people are central to resilience. Make cyber security intrinsic to your organisation’s culture.
- And recovery, because when things do go wrong, you need to have a plan. Organisations with a clear business continuity plan can recover more quickly, potentially reduce the impacts of a cyber incident, and get back to business.
Rachael Falk MAICD is CEO of the Cyber Security CRC, member of the Minister for Home Affairs’ Cyber Security Industry Advisory Committee and was recently appointed to the council of the Australian Strategic Policy Institute.