ASIC v HSBC: Is “adequacy” enough to manage cybersecurity risk?

While Optus and Medibank come to mind when we think of cyber incidents, ASIC is increasingly enforcing its regulatory priority of licensee failures to have adequate cyber-security protections. Think RI Advice, Lanterne, and now HSBC.  As financial services’ use of digital and computer technology – including artificial intelligence – increases, so too must our vigilance against cyber-attack fatigue and our understanding of just how adequate systems must be to manage cybersecurity risk.

In the Courts

In 2022, the Federal Court declared that RI Advice[1] breached its AFSL obligations to have adequate risk management systems and to do all things necessary to ensure its services were provided efficiently, honestly and fairly. RI Advice admitted that it had failed to have adequate documentation, controls and risk management systems to manage cybersecurity risk across its authorised representative network. RI Advice had more than 100 representatives across the country. Nine cyber incidents occurred over a period of 6 years, including:

• hacking of a representative’s account resulting in one client making transfers amounting to $50,000;
• representative’s use of an email platform where information was stored in the cloud, with no anti-virus software and only one password used by all staff;
• hacking of a branch representative’s server, resulting in personal information of 220 clients being held for ransom, and, ultimately, not recoverable; and
• an unknown malicious agent accessing the server of one of the licensee’s institutional clients for several months, resulting in the unauthorised use of the personal information of customers of several dozen large client institutions.

The steps taken by RI Advice, which included internal reviews, external experts, training, newsletters, incident reporting and contractual protections with third-parties, were found to be too little and too late to properly manage its cybersecurity risk. In the first case of its kind in Australia, the Court ordered that RI Advice engage a further cybersecurity expert and pay 50% of ASIC’s costs. The cybersecurity risk posed by third-parties, including licensee representatives, is now a well-entrenched focus of ASIC’s attention.

In May of this year, the Court declared that licensee for hire, Lanterne[2], breached the obligation to have adequate resources (both human and technological) in a number of respects, including “failing to have a technology resourcing plan and an up-to-date disaster recovery plan, and relying on outdated back-up processes”.

Lanterne, a wholesale licensee, operated a “licensee for hire” model. It had more than 60 corporate authorised representatives, and under them, up to 205 authorised representatives, operating various businesses. Those businesses included managed investment schemes, corporate advisory service firms, digital asset funds and venture capital funds. Lanterne had only one full-time employee, being its CEO and sole director, Peter Cozens.

Lanterne Fund Services made various admissions, including that it:

• did not have a documented risk management system or any systems in place to identify, assess or mitigate risks;
• relied on its corporate authorised representatives to self-report any non-compliance with their obligations;
• did not have a documented review or audit process to determine whether its representatives were complying with the financial services laws;
• did not have enough appropriately qualified responsible managers;
• did not provide or offer training to its corporate authorised representatives or authorised representatives or keep any training records; and
• did not have sufficient human resources or technological resources.

Lanterne was subsequently ordered to pay a $1.25 million penalty for breaching five of its licensee obligations, including for failing to have available adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence and to carry out supervisory arrangements.

In its filing against HSBC[3] last week, ASIC alleges that it breached its obligations to do all things necessary to provide its services efficiently, honestly and fairly, when it failed to adequately protect customers from scammers posing as HSBC staff and accessing their accounts. This has reportedly resulted in HSBC customers losing approximately $23 million. Between January 2020 and August 2024, HSBC received around 950 complaints of unauthorised transactions.^[4]

ASIC alleges these failures were “widespread and systematic”,^[5] and included that HSBC failed to have adequate systems and processes to:

• prevent and detect unauthorised payments;
• investigate and respond to customer complaints of unauthorised transactions as required under the ePayments Code;
• identify, track and report compliance with the ePayments Code; and
• reinstate access to customer accounts blocked after unauthorised transactions as required under the Banking Code.^[6]

While once it may have been prudent to proceed on the basis that adequate IT processes will help you meet your AFSL and ACL obligations to manage cybersecurity risk, ASIC’s claim under the “honestly, efficiently, fairly” obligation alone indicates that something more may be required.

Doing all the things

In RI Advice, the Court declared breaches of the obligations to have adequate risk management systems in relation to cybersecurity and to do all things necessary to ensure that the services were provided efficiently, honestly and fairly.[7] In Lanterne, the Court declared breaches of the obligations to have available adequate resources and to do all things necessary to ensure that the services were provided efficiently, honestly and fairly. In HSBC, ASIC is claiming a breach of the obligation to do all things necessary to ensure that the services were provided efficiently, honestly and fairly only.

The question then that is now before the Court in HSBC, is whether a licensee’s obligations in relation to cybersecurity require a higher standard of conduct, i.e. doing “all things necessary to ensure” rather than just having “adequate” systems and resources in place.

The “efficiently, honestly, fairly” – or the “do the right thing” – obligation, is ever evolving. In the recent case of Macquarie,[8] Macquarie failed to implement effective controls to monitor whether third party bulk transactions under the fee authority were actually for fees over a four year period. As a result, a financial adviser was able to fraudulently withdraw around $2.9 million from his customers’ accounts without being detected by Macquarie. The Court was not asked to consider the standard of conduct required by the obligation as Macquarie admitted the breach, but made the following useful comments:

1. The standard of honesty is to be considered having regard to commercial norms and morality, as opposed to the broader societal norms that generally inform the meaning of the standard of honesty in the criminal law. A licensee may fail to meet the standard of honesty even though its conduct could not be said to be criminally dishonest.
2. A licensee may breach or fail to comply with the obligation created by section 912A(1)(a) even if it has not breached any separate legal duty or obligation under the Corporations Act 2001 or otherwise.
3. The standard, or standards, imposed by section 912A(1)(a) do not require absolute perfection by the licensee in providing financial services.
4. The use of the word “ensure” tends to indicate that compliance with the obligation created by section 912A(1)(a) involves or requires a degree of forward looking and may require the licensee to take steps to prevent future lapses or failures.

In Westpac[9], the Full Court of the Federal Court found that the obligation may also be breached when something is unfair, and not necessarily dishonest.

How the Court interprets the standard required by the obligation will inform not just how “perfect” a licensee’s systems need to be to manage cybersecurity risk now and into the future, but also the standard required by this “do the right thing” obligation which, as a civil penalty provision, is being relied upon more and more by ASIC to regulate the conduct of licensees.

New legal obligations – Privacy and Cyber Security law reform

In addition to paying close attention to how the Courts interpret licensees’ obligations to manage cybersecurity risk, you will need to review and likely amend your policies and procedures in response to the new legislative reforms in relation to cybersecurity.

On the final sitting day this year, Parliament passed a raft of legislation imposing expanded and additional obligations on licensees in relation to cybersecurity, including the Privacy and Other Legislation Amendment Bill 2024 and the Cyber Security Bill 2024 – Parliament of Australia.

In summary, the Privacy Act 1988 is now amended to:

• create a statutory cause of action for serious invasions of privacy;
• clarify that “reasonable steps” to protect personal information in Australian Privacy Principle 11 includes technical and organisational measures;
• require entities to include information in privacy policies about automated decisions that significantly affect the rights or interests of an individual;
• introduce new offences targeting the release of personal data using a carriage service in a manner that would be menacing or harassing – known as ‘doxxing’; and
• expand the powers of the Office of the Australian Information Commissioner.

And, relevantly, the Cyber Security Act 2024:

• introduces an obligation to report following a ransomware payment;[10]
• covers the voluntary reporting of cybersecurity incidents to the National Cyber Security Coordinator, and the use and disclosure of reported information;
• sets out that the Cyber Incident Review Board may cause a review to be conducted on referral by an entity impacted by the incident (among others) provided that the incident meets certain criteria; and
• sets out regulatory powers, including monitoring and investigation, civil penalty orders, infringement notices, undertakings and injunctions.

The reach of civil penalties

In addition to the penalties introduced under the new laws, it will be interesting to see the Court’s view of ASIC’s claim that breaches of the e-Payments Code and the Banking Code substantiate the breach of a civil penalty provision.

Resources

See our recent publication on other legal risks of suffering a cyber incident, including breaches of privacy and confidentiality, and watch on demand HN Hub webinar Cyber – is it one of your Board’s “top 3” risks?

The Australian Cyber Security Centre has also published resources for Small Business Cyber Security.

If you have any questions or would like to know more about how you can protect your business, please contact our Melbourne or Sydney office, or you can contact the authors directly.

Authors: Ursula Noye (Senior Associate) and Jesse Vermiglio (Partner)

Would you like to know more?

[1] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (RI Advice).

[2] Australian Securities and Investments Commission v Lanterne Fund Services Pty Limited [2024] FCA 353 (Lanterne).

[3] Australian Securities and Investments Commission v HSBC Bank Australia Limited (HSBC), Concise Statement and Originating Process filed 13 December 2024.

[4] 24-280MR ASIC sues HSBC Australia alleging failures to adequately protect customers from scams | ASIC

[5] Ibid.

[6] HSBC Originating Process.

[7] In RI Advice, the Court found that the adequacy of risk management systems in relation to cybersecurity must be assessed by people with technical expertise in cybersecurity (at [46]).

[8] Australian Securities and Investments Commission v Macquarie Bank Limited [2024] FCA 416 (Macquarie).

[9] Australian Securities and Investments Commission v Westpac Securities Administration Ltd (2019) 373 ALR 455; [2019] FCAFC 187.

[10] Though it has not yet been set, the Explanatory Memorandum provides that the obligation to report following a ransomware payment will apply to entities with a turnover threshold of at least AUD$3 million, which aligns with the small business exemption threshold in the Privacy Act 1988 (Cth).