Close Menu
ABL Logo
Link to the Link to the Link to the

Determining what’s “reasonable” in cyber risk mitigation is easy in hindsight

Corporate and M&A
Lock on keyboard

In an article published in today’s edition of The Australian, partner Jonathan Wenig argues that a decision handed down by the Federal Court this month – the first of its kind in Australia – offers emphasis but little definition into just how much mitigation will be considered reasonable by our regulators.

ASIC took action against RI Advice Group following a series of nine cyber incidents, the most significant of which involved an unknown malicious agent gaining unauthorised access to an authorised representative’s file server, undetected, from December 2017 to April 2018. In the Federal Court, Justice Rofe accepted ASIC’s submission that the firm, which is regulated under the Australian Financial Services Licensing regime, had failed to do all it could/should to ensure its financial services were provided “efficiently, honestly and fairly”.

“While the landmark decision reinforces the multi-layered risks for businesses that fail to adopt appropriate cyber resilience measures, what’s ‘reasonable’ is being assessed in relation to a generalised yardstick that fails to take account of the real-world complexity (and diversity) of sound sector appropriate, company appropriate decision-making. Let alone the real-world, real-time ingenuity of the cyber bad guys to stay a step ahead,” Jonathan writes.

“There’s a marked parallel between the regulatory framework for AFSL holders and the legislative framework that underpins director duties in law. Both sets of duties are defined in overarching, generalised terms, leaving licensees and directors to discern the specifics around what is an appropriate response to cyber and a host of other risks.

“There’s something in the generalised nature of the RI Advice decision that adds further question marks to the confused debate around corporate responsibility in relation to climate change mitigation and climate reporting. The bottom line is that both cyber and climate risk are relevant to everyone but to very different degrees, and the regulatory choice in both instances is whether to be prescriptive or impose a ‘reasonable person in the circumstances’ test.

“The law does the latter. And while that allows for context, in relation to something like cyber it runs the risk of ending up looking like strict liability – because you only judge whether something was reasonable in the circumstances based on whether it worked - this is where ASIC’s litigate now, ask questions later, approach could be refined.”

To read Jonathan’s article in full, click here.

Jonathan’s article was prepared with the assistance of Michelle Lau.

Read next