The world of cybersecurity is overflowing with principles. Principles about patching, passwords and people. Principles about physical security, phishing and firewalls. But until recently, there has been little legal precedent supporting these principles—and without such precedent, principles can be difficult to enforce.
However, the past month has served up two landmark cases that will help establish a new level of precedent for cybersecurity in Australia—one in the Federal Court and one in the ACT Civil and Administrative Tribunal. Both cases deserve utmost attention from senior management, boards and directors as our nation navigates a new era of cybersecurity uplift. These cases should not be dismissed as just technical ‘principles’.
After years of legal wrangling, on 5 May the Federal Court released its highly anticipated judgement into action brought by the Australian Securities and Investments Commission in 2020 against RI Advice Group. ASIC claimed RI Advice had inadequate cybersecurity controls in place, which the company failed to remedy despite being aware of the issues. This resulted in sensitive client information being compromised multiple times over a six-year period, a brute-force ransomware attack and one client losing $50,000.
In its judgement, the court found that RI Advice had contravened the Corporations Act ‘as a result of its failure to have documentation and controls in respect of cybersecurity and cyber resilience in place that were adequate to manage risk in respect of cybersecurity and cyber resilience’.
While the judgement’s level of detail was reasonably limited given a settlement had been reached, RI Advice was ordered to pay a contribution towards ASIC’s costs, totalling $750,000, and to undertake a comprehensive cybersecurity overhaul, to be monitored by the court, within a month of the judgement.
Importantly, in the judgement, Justice Helen Rofe highlighted the critical role of organisational cybersecurity, stating: ‘Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.’
Ultimately, this judgement highlights that ASIC will be paying close attention to the cybersecurity practices of organisations that fall under its remit—and is prepared to take action. More broadly, it is a clear signal to all organisations right across the economy that the Corporations Act will be enforced as it relates to cybersecurity and it’s only a matter of time before more cybersecurity-related actions are brought before the courts.
The second case, a civil dispute between a vendor and a customer in the ACT Civil and Administrative Tribunal, is pertinent to all businesses, but small and medium-sized enterprises should pay careful attention. They are a prime target for cybercriminals and generally have lower cyber protections—the soft underbelly of Australia’s cybersecurity ecosystem.
The case involved a machine supply company (the applicant) and a diesel-fitting business (the respondent). Their relationship began when the respondent sought to purchase a machine from the applicant. A deal was struck and bank details for the $5,499 purchase exchanged.
Unfortunately, the respondent’s emails had been compromised by a cybercriminal. Within hours the criminal sent a fake email informing the buyer that the bank account details had changed, with the funds to be deposited in a different account. By the time both parties realised what had happened, the money was long gone.
This type of crime, known as business email compromise, or BEC, is on the rise. According to the Australian Cyber Security Centre, Australians reported more than 4,600 BECs equating to $81 million in thefts in 2020–21.
In this case, the applicant brought the matter to the tribunal to recover the $5,499 owing. The respondent argued that payment had been made in good faith and therefore there was no case to answer, despite the money being stolen by a cybercriminal and the applicant never receiving the funds.
Ultimately, the tribunal ruled in favour of the applicant, finding that ‘responsibility for correct payment rests with the respondent and it was incumbent upon the respondent to exercise care in ensuring payment was made. The money was paid into an account that did not belong [to] the applicant and it remains unpaid.’
As Australia races towards an increasingly digitised economy and more businesses, large and small, house valuable data on internet-facing systems—which is a good thing—unfortunately cases like these may become more prevalent. But they don’t have to.
While there’s no perfect solution to the cybersecurity puzzle and no silver bullet to prevent cybercrime, there are steps all organisations can and should be taking to bolster their cyber defences. There are also a range of incentives that small businesses in particular can take advantage of, like the instant write-off for cyber uplift and training announced in this year’s federal budget.
And while principles are essential, there are three key concepts upon which all organisational approaches to cybersecurity should rest: risk, resilience and recovery.
Know what the key risks are and manage them appropriately in a way that uniquely suits your organisation. There is no one-size-fits-all approach. Cyber risk cannot be eliminated but can be effectively managed.
Build up cyber resilience to deal with identified risks, but also ensure that people are central to resilience. Make cybersecurity intrinsic to your organisation’s culture.
And finally there’s recovery, because when things do go wrong you need to have a plan. Organisations with a clear continuity plan can recover more quickly, potentially reduce the impacts of a cyber incident, and get back to business.