ASIC has companies on high alert for their cyber security

At a glance:

  • The ASIC v RI Advice Group Pty Ltd case has put financial services organisations with insufficient cyber security controls on alert

  • How does ASIC’s decision impact the insurance market?

  • What does it mean for organisations?

ASIC alleged that between 2014 and 2020 RI Advice Group suffered multiple security incidents in which sensitive client data was exposed. ASIC's case was that these incidents kept recurring because RI Advice lacked adequate cyber security policies and procedures, and that it should have implemented controls to manage attacks and reduce the likelihood of further compromises.

ASIC's position was that this failure breached RI Advice's obligations as a licensee under the Corporations Act 2001 (Cth), and it commenced proceedings against the financial services organisation in 2020.

With ASIC's recent win (April 2022) against RI Advice Group Pty Ltd, financial services organisations deemed to have insufficient cyber security controls in place can expect scrutiny and potential regulatory action from ASIC. A well-managed prevention and response plan is therefore recommended.

The impact: how might this outcome affect the insurance landscape?

The ASIC decision is likely to affect both the Cyber Insurance market and the Directors and Officers (D&O) Liability Insurance market. Cyber insurers are already demanding a much more stringent minimum security standard from insureds, and this decision gives them further justification for doing so. Leading Cyber Insurance policies provide Third Party Liability cover, and one would argue such clauses are designed to respond to an event like the RI Advice case.

Now that a precedent has been set with respect to insufficient cyber security practices, insurers will undoubtedly use it to drive their ongoing underwriting remediation. Insureds can expect to be required to have robust cyber security standards that address:

  • Access Management

  • Multi-factor authentication

  • Back-up policies

  • Blocking and filtering solutions

  • Cybersecurity awareness and training

  • End-of-life (unsupported) software

  • Endpoint detection and response

  • Incident response and business continuity plans

  • Network and infrastructure segmentation

  • Remote desktop access (RDP) exposure

  • Patching

  • Security monitoring

This will also drive scrutiny from D&O Liability insurers. Section 180 of the Corporations Act 2001 (Cth) imposes a duty of care and diligence on directors, which includes guarding against key business risks. Directors are therefore already exposed to claims for damages and regulatory investigations if they do not ensure that their companies have appropriate systems in place to prevent and respond to cyber incidents (particularly where multiple incidents have occurred).

The burden is more acute for directors of AFSL holders, and insureds that are AFSL holders can expect their cyber security posture to be scrutinised much more heavily by D&O insurers going forward.

What organisations can do: tackling ransomware

RI Advice experienced nine cyber-related incidents between 2014 and 2020, which included ransomware.

Ransomware is a type of malicious software (malware). Once it runs on an employee's device it renders the computer or its files unusable, typically by encrypting them. Cybercriminals use ransomware to deny access to files or systems and then demand payment to restore access to the data and return systems to normal operation; many groups now also steal data before encrypting it and threaten to publish it if the ransom is not paid.

During COVID-19 and the shift to remote working, ransomware attacks became more frequent, severe and sophisticated. Cybercriminals have capitalised on the new digital environment by luring victims with targeted phishing emails and fake websites. They also frequently exploit publicly disclosed vulnerabilities to gain access to systems before organisations have patched them.

Zero-tolerance approach

In October 2021, the Australian government announced its 'Ransomware Action Plan', which sets out Australia's "zero tolerance approach to ransomware". Whilst the generally accepted position in Australia is that paying a ransom is not of itself illegal, the government does not condone payments to cybercriminals, and a payment can still breach other laws (for example sanctions legislation, if the recipient is a sanctioned entity).

The risks associated with paying a ransom extend beyond a purely technical response: it pays to have expert advice to guide decision-making on this highly vexed issue.

Download now

Download our Ransomware Incident Response Guide 2022, prepared in partnership with Clyde & Co, for insights into proactive measures organisations can undertake.


Ransomware Incident Response Plan: Guide for Australian organisations