HOW TO AVOID AN ASIC LAWSUIT
RISK MANAGEMENT: AFS LICENSE HOLDERS AFFECTED BY **NEW** LEGAL PRECEDENT [2022]
Keeping on top of the ever-changing legal requirements that apply to your business operations is a feat most only dream of. With new threat intelligence reports about Australian businesses arriving every hour, the pressure to introduce and maintain a compliant risk management program can become overwhelming.
The recent lawsuit Australian Securities and Investments Commission (ASIC) v IR Advice Group Pty Ltd (judgment cited at [6]) set a firm precedent for Australian companies under the Corporations Act [2001] s912(1)(a) and (h).[1]
This precedent applies to any and all of the following:
- Traditional Trustee Company Services
- Note: Section 601RAC of the Corporations Act defines traditional services as:[2]
- performing estate management functions (as defined in s601RAC(2));
- preparing a will, a trust instrument, a power of attorney or an agency arrangement;
- applying for probate of a will, applying for a grant of letters of administration, or electing to administer a deceased estate;
- establishing and operating common funds; and
- any other services prescribed by the regulations for the purpose of s601RAC(1).
- Financial Services
- Note: ASIC regulates this to include:[3]
- Giving financial product advice;
- Dealing in a financial product;
- Making a market for a financial product;
- Buying or selling shares on behalf of a client;
- Operating a registered scheme;
- Providing a custodial or depositary service;
- Providing a crowd-funding service;
- Providing a claims handling and settling service; and
- Providing a superannuation trustee service.
- Financial Products
- Note: ASIC regulates this to include:[4]
- Shares;
- Bonds;
- Derivatives;
- Interests in managed investment schemes;
- General Insurance; and
- Holders of an AFS License
The precedent has ruled that “all Australian companies which fall under any of the above must implement adequate cyber security risk management systems.”
The statute referenced (and cited by the judge in the final judgment) was this:
“– must have adequate risk management systems;” Corporations Act s912(1)(a) [2001]
The law treats ‘adequate’ as meaning sufficient and, in equal part, efficient. The law can be so expansive about who it regulates, yet so vague when setting out how we can be compliant. It is no wonder that 77% of organisations aren’t even aware they need to adopt an Incident Response Plan.[5]
This begs the question: what does an ‘adequate risk management system’ look like in the eyes of the court?[6] Further, how do we meet these requirements? Let us delve in.
The actionable steps ordered by the court and placed upon IR Advice Group Pty Ltd were as follows:
- A thorough Risk Assessment completed by a third-party cyber security specialty vendor, engaged to:
- look for gaps in documentation; and
- look for gaps in controls;
- Supply the court with documentation on the reported findings, which must include:
- implementation recommendations; and
- confirmation that all recommendations were made in consideration of both cyber security and cyber resilience;
- That implementation of all recommendations from the reported findings begin within 90 days of engaging the third-party cyber security vendor; and
- That a document reporting the outcome be submitted within 30 days of implementation.
As the court pointed out, you must first engage in conversation with a specialist who can really dig to the crux of an organisation’s environment. This recommendation aligns fully with the approach we at Loop advise to our clients.
The Risk Assessment we offer is an investigation into your organisation’s practices, going deeper than surface level to uncover both the risks you knowingly accept and those your executives and board do not, enabling treatment in accordance with your risk appetite. This might include uncovering weak practices in password management, storage of sensitive business information on personal devices, or (too commonly) user error resulting from a lack of security awareness training.
From there, the documented reports we produce, aligned to the court’s rulings, are presented back to you alongside an approach that speaks to the needs of your specific environment. The most sufficient and efficient remedy on the market for such regulated requirements is a service Loop curated for exactly this scenario, namely Continual Compliance.
This service ticks the boxes of every named requirement under this precedent and all other previous court rulings on the cyber security compliance of heavily regulated services. It aligns with all best-practice certifications and is delivered holistically by people who place emphasis on respecting your investment.
In this one case alone, ASIC cited more than 18 lawsuits, 12 of which occurred in the last 4 years. These cases were all won and all related to cyber security malpractice. They involved retail outlets and energy and mining companies, so they were not all tied purely to financial services. The bottom line is that if you ineffectively hold any information which has a plausible chance of causing a negative impact if breached, you will be held accountable. With the government grants available, an inadequate risk management system has never been more inexcusable in the eyes of the courts.
There is everything to lose by not engaging in sophisticated cyber security practices. Using IR Advice Group as an example:
- Reputational damage;
- A $750,000 payment to ASIC;
- Their own legal fees; and
- The cost of engaging a cyber security vendor, and the imposition of having to implement every single recommendation advised in the vendor’s report.
Like all situations that cause confusion and a feeling of unease, the best place to start is with a conversation between yourself and an expert in the field. For this, we recommend requesting a consultation with one of our Governance, Risk and Compliance specialists, who can settle some of your concerns and develop with you a strategy that can mould and pivot to the needs of your organisation. Loop Secure are no strangers to the demands of auditors, government, and legal regulators. We are confident in what we offer, and that through our services you are highly unlikely to find yourself in a position such as that of IR Advice Group Pty Ltd.
[1] Corporations Act [2001] s912
[2] Corporations Act [2001] s601RAC
[3] ASIC Consultation Paper 132 [March 2010]
[4] ASIC Financial Regulatory Resources
[5] Varonis, Rob Sobers [2021]
[6] Australian Securities and Investments Commission v IR Advice Group Pty Ltd [2022]