Lawyers ‘must be at the forefront’ on cyber risks in 2023
A landmark case earlier this year redefined obligations for businesses in how they manage cyber security risk. Here, one lawyer speaks to how firms can advise in the current landscape and what can be expected in the coming year.
In May this year, the Federal Court made a ruling against the Australian Financial Services Licence (AFSL) holder RI Advice, which was found to have breached the Corporations Act by not having adequately addressed its cyber risks after several security breaches.
This was the first case of its kind in Australia where statutory obligations for AFSL holders were identified under the Corporations Act in relation to cyber security.
The decision has changed the threshold for what is considered best practice in cyber security for businesses, along with conferring a greater level of responsibility for boards in ensuring that adequate safeguards and risk mitigation strategies are in place, explained several partners, senior associates, and lawyers from DLA Piper in an article reflecting on the case.
Cyber security is being reimagined; it is no longer just an “IT issue”, but instead is being seen as an ever-changing, all-encompassing corporate and risk management issue, the group concluded.
Implications for businesses
While previously, the key obligations of companies in respect of cyber security and information security were found in the Privacy Act 1988 (Cth), this decision means that businesses now have clearly defined obligations under the Corporations Act in respect of cyber security and their businesses’ IT systems and networks, explained James Makowiak, senior associate in DLA Piper’s litigation and regulatory practice.
“Although no penalties were handed out by ASIC in this case, the Federal Court could have ordered a more severe penalty,” he noted. “The next AFSL holder to find themselves in a similar position to RI Advice may not be able to escape a penalty.”
Courts and regulators in other jurisdictions might take inspiration from this case in imposing a penalty on a business in another context, Mr Makowiak went on. This makes it essential for businesses to immediately adopt a proactive approach to implementing strong cyber security infrastructure and to obtain advice from experts if they are unsure of what that involves.
Mr Makowiak noted that law firms advising AFSL holders must be aware of the newly defined obligations and of the increasing expectations on businesses to manage cyber risks; businesses should be proactive in getting ahead of the curve.
A proactive and robust approach will safeguard against statutory, regulatory, and legal liability, financial loss, and loss of customer confidence and reputation.
It is important to ensure cyber security measures and policies are appropriately robust and properly documented, he submitted. This is especially pertinent, seeing that regulators are increasing their focus on cyber security matters.
Regulators are more determined to ensure appropriate steps are taken to reduce the risks to consumers and businesses, Mr Makowiak said, with ASIC having signalled its intention to make cyber risk and operational resilience a key priority.
Implications for firms
“Cyber risk is not only something that affects lawyers’ clients, but all law firms themselves — big and small,” Mr Makowiak stated.
“Lawyers regularly advise their clients on matters of risk but should also take care they are ‘practising what they preach’ by taking adequate measures to protect against cyber threats.
“The legal profession has already come a long way in terms of improving its security, but the threat will be ongoing as cyber attacks become increasingly sophisticated from both state and non-state actors.
“The legal industry — as one which people look to for advice — needs to be at the forefront of security, given responsibilities in information management.”
What will 2023 hold?
“Cyber security risks will only increase into 2023,” Mr Makowiak said. “We can be confident [that] major data breaches will continue to occur.
“The federal government is progressing its reform agenda, but now with greater haste.”
“Companies are adopting more measures such as two-factor authentication, particularly in financial services”, and as time goes on, “we could see larger penalties for business [that] don’t act sufficiently to manage the risks,” he said.