Australian Securities and Investments Commission v RI Advice Group Pty Ltd

Federal Court of Australia|2021-10-05|Before: Rofe J

By 20 October 2021 ASIC file and serve a Further Amended Statement of Claim incorporating the particulars from the further and better particulars document dated 23 December 2020. Note: Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.

Introduction 1 By way of interlocutory application dated 28 July 2021, RI Advice Group Pty Ltd (RI Advice) seeks orders pursuant to rule 16.21(1) of the Federal Court Rules 2011 (Cth) (the Rules) that parts of ASIC's further amended statement of claim dated 31 May 2021 (FASOC) be struck out, on the grounds that they are evasive or ambiguous, are likely to cause prejudice, embarrassment or delay in the proceeding and/or fail to disclose a reasonable cause of action. The parts of the FASOC that RI Advice seeks to be struck out are: (a) Paragraphs 13 to 15, 21 to 22, 25 to 26, 31 to 32, 36 to 37, 41 to 42, 49 to 50, 59 to 60, 65 to 66, 91 to 93, 98 to 99, 105 to 106A, 108 to 110, 120 to 121; and (b) Schedules A, B, D, E and F. 2 The application was made after the proceeding had been set down for trial, and after ASIC had filed and served its expert and lay evidence and the tender documents it intends to rely on at trial. 3 For the reasons that I set out below, I consider that it is appropriate to dismiss the application. I consider that RI Advice is able to understand the case put against it with the benefit of ASIC's expert evidence and the explanation and clarification given in ASIC's oral submissions made at the hearing. 4 However, I will make orders that ASIC file and serve a second further amended statement of claim which incorporates into the document the extensive further and better particulars provided on 23 December 2020. In the course of that consolidation, I direct ASIC to amend the further and better particulars to remove the sources of confusion discussed below.

Background 5 This proceeding was commenced by ASIC on 21 August 2020 by way of originating application and a six-page concise statement. 6 In this proceeding ASIC seeks declarations, pecuniary penalties and various compliance orders against RI Advice for alleged contraventions of s 912A(1) of the Corporations Act 2001 (Cth) (the Act). RI Advice describes ASIC's case as a 'novel' claim as it relates to the cybersecurity obligations of a financial services provider required under s 912A(1) of the Act. ASIC relies solely on s 912A(1) of the Act. 7 RI Advice is, and was for the relevant period, the holder of Australian Financial Services Licence number 000238429 (Licence). 8 RI Advice provides financial services advice to retail customers through a network of authorised representatives (ARs). The ARs are scattered all over Australia, including in regional centres. Some ARs have one to seven advisers, others are sole traders who may operate from home. 9 Between 2014 and May 2020, various RI Advice ARs experienced a total of ten cybersecurity incidents. 10 ASIC alleges that by not having adequate cybersecurity documents and controls in place, and not identifying the cause of each of the cybersecurity incidents and using that information to mitigate future risk of cyber-attack, RI Advice contravened s 912A(1)(a), (b), (c), (d) and (h) of the Act. 11 On 18 September 2020 the previous docket judge, O'Callaghan J, ordered that there be separate hearings for the questions of liability and penalty. 12 On 9 October 2020, ASIC served copies of all documents obtained by it during the investigation that resulted in this proceeding. 13 On 26 October 2020, ASIC filed a statement of claim of some 113 or so pages and Schedules A to G. 14 On 3 November 2020, ASIC filed an Amended Statement of Claim (ASOC) which added a new paragraph (106A) and made minor cross-referencing amendments to three paragraphs. 15 On 18 November 2020, RI Advice's solicitors wrote to ASIC noting that the ASOC may have been prepared with reference to an expert report, and requesting a copy of the expert report and 'any other documents relied upon by ASIC in describing what it says are "Minimum Cybersecurity Requirements" and "13 Cybersecurity Domains", as soon as possible'. 16 On 22 November 2020, in response to RI Advice's request, ASIC noted that it was 'premature for any expert evidence to be filed and served at this stage of the proceedings'. ASIC continued '[n]evertheless, the documents relied upon in preparing Schedule A to the statement of claim are the following'. A list of six international standards from Australia, UK and the US followed. Five were said to be publicly available and copies of those standards were provided to RI Advice. 17 On 23 December 2020, ASIC provided further and better particulars of the ASOC (the ASIC Particulars). The ASIC Particulars were in response to a request from RI Advice by way of letter dated 27 November 2020. The ASIC Particulars became significant during the hearing and are discussed in detail below. 18 On or about 10 February 2021, ASIC provided RI Advice with copies of nine documents referred to in the ASOC, following a request from RI Advice. 19 On 12 February 2021, RI Advice filed its Defence. As to paragraph 13, and the other related paragraphs the subject of this application, RI Advice pleaded that the paragraphs are 'ambiguous and likely to cause delay in the proceeding'. 20 At a case management hearing before O'Callaghan J on 19 February 2021, the trial on the question of liability was provisionally set down for 29 November 2021 with an estimate of three weeks. 21 On 30 April 2021, ASIC filed and served the expert report of Mr Shane Bell (the Bell Report), the affidavit of Michelle Burton and a list of more than 1100 documents which it proposed to tender at trial. 22 On 4 May 2021, ASIC filed and served a supplementary affidavit of Ms Burton and copies of all documents referred to in ASIC's tender list which had not previously been provided to RI Advice (142 documents). 23 On 7 May 2021, ASIC wrote to RI Advice noting that it was considering the need to make some 'minor amendments' to the ASOC, principally to ensure conformance with the Bell Report. Any changes were said to be 'largely in the nature of identification of documents and the provision of further amended particulars'. 24 On 14 May 2021, O'Callaghan J made orders relisting the liability trial to commence on 4 April 2022 with an estimate of three weeks. Orders were also made to provide for a process for dealing with ASIC's proposed further amended statement of claim. According to the orders, RI Advice had an opportunity to object to the proposed further amended statement of claim, and in the event of an objection, ASIC would have to bring an application for leave to amend the ASOC. 25 RI Advice consented to the filing of the proposed further amended statement of claim. In a letter sent to the solicitors for ASIC on 30 May 2021, RI Advice's solicitors, Gilbert + Tobin, stated: Otherwise, without agreeing to the correctness of the amendments or the allegations in the Draft FASOC we do not oppose the amendments subject to noting that: (a) Your proposed amendments do not address our concerns as raised at the hearings on 19 February and 14 May 2021; and (b) Neither do the proposed amendments respond to the matters raised in correspondence most recently in our letter of 12 May 2021. Accordingly, we reserve all our clients' rights with respect to this Statement of Claim. 26 On 31 May 2021, ASIC filed the FASOC. The FASOC comprised of some 134 pages of pleading and Schedules A to G (a further 94 pages). 27 On 21 June 2021, RI Advice filed its Defence to the FASOC. The Defence only responded to the amendments introduced in the FASOC, and RI Advice maintained its objections to the paragraphs of the FASOC that are the subject of this strike out application.

Principles 28 The principles guiding the approach of the Court on applications of the present kind are well established and did not appear to be in dispute. 29 The Court has a discretion whether to strike out a pleading pursuant to rule 16.21(1) of the Rules. The power to strike out a pleading should be exercised sparingly and only in a plain and obvious case. 30 The decision whether to strike out a pleading is a case specific enquiry. The application of the principles will differ depending on the case and on the pleading. 31 The approach of the Court in a strike out application is informed by the overarching purpose contained in s 37M of the Federal Court of Australia Act 1976 (Cth). 32 In modern times courts have often taken a less strict approach to the application of such principles, and have preferred to use pre-trial disclosure of evidence, exchange of submissions and interventionist case management techniques to address some of the difficulties associated with the pleadings: Gall v Domino's Pizza Enterprises Limited (No 2) [2021] FCA 345 per Murphy J at [19]. 33 Any application to strike out pleadings must also be considered in the contemporary context of judicial case management. Martin CJ observed the following in Barclay Mowlem Construction Ltd v Dampier Port Authority [2006] WASC 281 at [5]-[8]: In my view, the contemporary role of pleadings has to be viewed in the context of contemporary case management techniques and pre-trial directions. … Those processes leave very little opportunity for surprise or ambush at trial and, it is my view, that pleadings today can be approached in that context and therefore in a rather more robust manner, than was historically the case; confident in the knowledge that other systems of pre-trial case management will exist and be implemented to aid in defining the issues and apprising the parties to the proceedings of the case that has to be met. In my view, it follows that provided a pleading fulfils its basic functions of identifying the issues, disclosing an arguable cause of action or defence, as the case may be, and apprising the parties of the case that has to be met, the court ought properly be reluctant to allow the time and resources of the parties and the limited resources of the court to be spent extensively debating the application of technical pleadings rules that evolved in and derive from a very different case management environment. Most pleadings in complex cases, and this is a complex case, can be criticised from the perspective of technical pleading rules that evolved in a very different case management environment. In my view, the advent of contemporary case management techniques and the pre-trial directions, to which I have referred, should result in the court adopting an approach to pleading disputes to the effect that only where the criticisms of a pleading significantly impact upon the proper preparation of the case and its presentation at trial should those criticisms be seriously entertained. These passages have been cited with approval in numerous cases, including in Thompson v STX Pan Ocean Co Ltd [2012] FCAFC 15 at [13] per Greenwood, McKerracher and Reeves JJ; Sherrin Hire Pty Ltd v Sherrin Rentals [2015] FCA 1107 at [44] per Edelman J and Granite Transformations Pty Ltd v Apex Distributions Pty Ltd [2018] FCA 725 at [5] per O'Callaghan J. 34 The application was heard on 6 September 2021. Due to the exigencies of the COVID-19 pandemic, the matter proceeded online using Microsoft Teams. 35 RI Advice relied on two affidavits of Christina Maree McCudden, a partner at Gilbert & Tobin, dated 28 July 2021 and 2 September 2021 in support of its application. 36 ASIC relied on the affidavit of Andrew John Christopher, a partner at Webb Henderson, dated 20 August 2021. 37 Both parties filed written submissions prior to the hearing. 38 RI Advice submitted that the FASOC manifested three principle defects which render ASIC's case not reasonably comprehensible or capable of facilitating a fair and efficient trial. These defects were described in RI Advice's submissions as: (a) The vague, imprecise, jargonistic and convoluted manner in which the 'Minimum Cybersecurity Requirements' are expressed in paragraphs 13-15 and Schedule A of the FASOC, when those requirements are said by ASIC to constitute the standard against which RI Advice's conduct falls to be assessed. This unsatisfactory manner of pleading has the result that the foundation stone of ASIC's case is not reasonably comprehensible. (b) ASIC's failure to state by way of material facts or even particulars why it alleges that RI Advice had to meet the 'Minimum Cybersecurity Requirements'. This is a critical missing link in ASIC's pleaded case. (c) The rolled-up allegations of contraventions of s 912A in paragraphs 60, 92, 93, 106, 106A, 110 and 121, which do not reveal whether ASIC alleges that a failure by RI Advice to meet all or some unstated combination of the 'Minimum Cybersecurity Requirements' constitutes a contravention of each paragraph of the statutory provision.

The FASOC 39 It is useful to commence with a summary of the broad architecture of the FASOC, so that RI Advice's complaints can be viewed in the context of the entire document. As noted above, the FASOC is a lengthy document with seven schedules: Schedule A, entitled 'Minimum Cybersecurity Requirements-Details of 13 Cybersecurity Domains' (22 pages); Schedule B, entitled 'Gaps in May 2018 Cybersecurity Documentation and Controls Against Minimum Cybersecurity Requirements' (9 pages); Schedule C, entitled 'IOOF Developed Documentation' (5 pages); Schedule D, entitled 'Gaps in March 2019 Cybersecurity Documentation and Controls Against Minimum Cybersecurity Requirements' (12 pages); Schedule E, entitled 'Gaps in November 2019 Cybersecurity Documentation and Controls Against Minimum Cybersecurity Requirements' (20 pages); Schedule F, entitled 'Gaps in May 2020 Cybersecurity Documentation and Controls Against Minimum Cybersecurity Requirements' (24 pages); and Schedule G, a glossary of defined terms used in the FASOC which notes the paragraph of the FASOC in which the defined term is first used (10 pages). 40 ASIC described the FASOC as being in two component parts: the first part (paragraphs 13 and 14) sets out the cybersecurity requirements that ASIC alleges RI Advice ought to have had in place and why RI Advice did not meet those requirements; and the second part (paragraphs 15 and following) sets out what ASIC alleges RI Advice ought to have done in response to the cybersecurity incidents and what it failed to do. 41 At FASOC paragraphs 2(d) and (e) and 3 to 5, ASIC alleges that by reason of certain identified features of RI Advice, RI Advice and each of its ARs were potential targets for cyber-related attacks and cybercrime by malicious actors targeting confidential and sensitive personal information and documents in relation to retail clients. 42 FASOC paragraph 12 provides that at all material times, as the holder of the Licence, RI Advice was required: (a) Pursuant to s 912A(1)(a) of the Act, to do all things necessary to ensure that the financial services covered by the Licence were provided efficiently, honestly and fairly; (b) Pursuant to s 912A(1)(b) of the Act, to comply with the conditions on the Licence (including clause 2 of the Licence); (c) Pursuant to s 912A(1)(c) of the Act, to comply with the financial services laws (which included s 912A(1)(a), (b), (d) and (h)); (d) Pursuant to s 912A(1)(d) of the Act, to have available adequate resources (including financial, technological, and human resources) to provide the financial services covered by the Licence and to carry out supervisory arrangements; and (e) Pursuant to s 912A(1)(h) of the Act, to have adequate risk management systems.

Cybersecurity Requirements 43 FASOC paragraph 13 provides that by reason of the matters pleaded in earlier paragraphs, including paragraph 12, at all material times RI Advice was required to: (a) Identify the risks that it and its ARs faced in the course of providing financial services on RI Advice's behalf, including in relation to cybersecurity and resilience; and (b) Have strategies, frameworks, policies, plans, procedures, standards, guidelines, systems, resources and controls in respect of cybersecurity and cyber resilience (Cybersecurity Documentation and Controls) in place that were adequate to manage the risk in respect of cybersecurity and cyber resilience for itself and across its AR network (Minimum Security Requirements). 44 The particulars to FASOC paragraph 13(b) provide that details of the Cyber Security Documentation and Controls that RI Advice should have had in place in order to meet the Minimum Cybersecurity Requirements are provided in FASOC paragraphs 14 and 15. 45 FASOC paragraph 14 provides that further to FASOC paragraph 13, at all relevant times, the Cybersecurity Documentation and Controls that RI Advice should have had in place to meet the Minimum Cybersecurity Requirements should have addressed each of 13 Cybersecurity Domains which are listed in the paragraph (Cybersecurity Domains). 46 The particulars to FASOC paragraph 14 provide that the details of the Cybersecurity Documentation and Controls that RI Advice should have had in place for each of the 13 Cybersecurity Domains in order to meet the Minimum Cybersecurity Requirements are provided in Schedule A. 47 Each of the defined terms used in FASOC paragraphs 13, 14 and 15 are further defined in the glossary in Schedule G: The term 'Minimum Cybersecurity Requirements' first used in FASOC paragraph 13(b) is defined as: Cybersecurity Documentation and Controls that were adequate to manage risk in respect of cybersecurity and cyber resilience for RI Advice and across its RA network, comprising the Cybersecurity Documentation and Controls referred to in paragraph 14, in particular in Schedule A, and in paragraph 15. The term 'Cybersecurity Documentation and Controls' first used in FASOC paragraph 13(b) is defined as: Strategies, frameworks, frameworks, policies, plans, procedures, standards, guidelines, systems, resources and controls in respect of cybersecurity and cyber resilience. The term 'Cybersecurity' first used in FASOC paragraph 13(a) is defined as: The ability to protect and defend the use of cyberspace from attacks. The term 'Cyber resilience' first used in FASOC paragraph 13(a) is defined as: The ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources regardless of the source. The term 'Cybersecurity Domains', first used in FASOC paragraph 14 is defined as: Subset areas of a cybersecurity framework which contain further granular cybersecurity controls. Examples of cybersecurity domains include 'Access management' and 'risk assessments and risk management'. 48 The details of the Minimum Cybersecurity Requirements are set out in Schedule A to the FASOC. Schedule A of the FASOC sets out for each of the 13 Cybersecurity Domains the documents ASIC alleges would be expected to exist to satisfy the obligation to have adequate resources to provide the financial services covered by the Licence. 49 For each Cybersecurity Domain in Schedule A there are three categories or hierarchy layers into which the expected documents are aligned: first, the strategic layer - strategies, frameworks and policies; second, the tactical layer - plans, procedures, standards and guidelines; and third, the operational layer - systems, resources and controls. 50 Schedule A has four columns. The first column sets out the Cybersecurity Domain under consideration, the second column sets out the three categories that the expected documents fall within. The third column lists the expected documents, and the fourth column provides a description of the expected documents. There are 68 expected documents listed in Schedule A. 51 To take an example in Schedule A, in the 'Governance & Business Environment' Cybersecurity Domain, in the category 'strategies, frameworks and policies' an expected document is 'ED 2.1 Risk Management Policy' which is described as: A set of top-level rules and statements that govern risk management across an organisation. Often supported by a risk management framework and risk management procedures.

Response to Cybersecurity Incidents 52 FASOC paragraph 15 deals with the response that ASIC alleges RI Advice should have had to the Cybersecurity Incidents. 53 Section C of the FASOC is entitled 'Cybersecurity Incidents between 2014 and May 2018'. Paragraphs 16 to 56 set out the details of seven Cybersecurity Incidents concerning RI Advice and its RAs that occurred between 2014 and May 2018. 54 Section D of the FASOC is entitled 'Inadequacy of Steps Taken by RI Advice up to 15 May 2018 and Inadequacy of Cybersecurity Systems in Place as at 15 May 2018'. Paragraph 57 sets out the Cybersecurity Documentation and Controls that RI Advice had at that time for management of risk in respect of cybersecurity and cyber resilience across its RA network (May 2018 Documentation and Controls). 55 FASOC paragraph 59(d) alleges that the May 2018 Documentation and Controls did not meet the Minimum Cybersecurity Requirements. The particulars to paragraph 59 refer to Schedule B, which sets out the gaps between the May 2018 Documentation and Controls and the expected documents listed in Schedule A that ASIC alleges RI Advice should have had in place to meet the Minimum Cybersecurity Requirements. 56 Paragraph 60 pleads that by reason of the matters pleaded in a number of the earlier paragraphs, as at 15 May 2018, RI Advice contravened ss 912(A)(1)(a), (b), (c), (d) and (h) of the Act. FASOC paragraphs 92, 93, 106, 106A, 110 and 121 follow the same form. 57 The ASIC Particulars provide further and better particulars for each sub-paragraph of 60 (and for each of the other paragraphs following the same form as paragraph 60).

The Submissions 58 Much of RI Advice's oral submissions were directed towards the 'Minimum Security Requirements', the source of the expected documents set out in Schedule A, and the basis on which ASIC alleged that those 68 expected documents are the minimum standard required to satisfy the obligation imposed by s 912A(1). 59 As noted above, RI Advice's submissions concerned three complaints.

RI Advice's first complaint 60 The focus of RI Advice's first complaint related to what it termed 'the crux' of ASIC's case as set out in FASOC paragraphs 13 to 15. In particular, RI Advice submitted that the 'Minimum Cybersecurity Requirements' are expressed in 'vague, imprecise, jargonistic and convoluted terms' which render the standards 'practically incomprehensible'. 61 RI Advice also had a number of further subsidiary complaints related to the Minimum Cybersecurity Requirements and the first complaint. These included: There is no identification of the 'risks' that the Minimum Cybersecurity Requirements are required to manage; It is not clear whether the risks and the Minimum Cybersecurity Requirements are the same for RI Advice and each of its ARs (which vary in size and composition); It is not clear if ASIC is alleging that RI Advice was required to satisfy each element of the Minimum Cybersecurity Requirements in order to comply with s 912A(1), and whether each AR in the network was also required to satisfy each element; The reference to 'mandated rules and processes' in the particulars to paragraph 14 is unclear given that it is not alleged that there are any legally mandated rules and processes in place in Australia; The FASOC does not identify what constitutes an acceptable level of cybersecurity risk for RI Advice; and The source of the 13 Cybersecurity Domains is unexplained. 62 In response to the first complaint, ASIC rejected the suggestion that the FASOC is expressed in 'jingoistic terms'. It contends that armed with the Bell Report, the FASOC will be readily comprehensible to any qualified cybersecurity expert retained by RI Advice. ASIC submitted that RI Advice had not led any evidence from such an expert of a failure to understand any of the technical terms used in the FASOC. 63 As to RI Advice's other complaints associated with the first complaint, ASIC submitted: the relevant risks are those set out in FASOC paragraph 13(b), which pleads that the Minimum Cybersecurity Requirements are required to adequately manage risk in respect of cybersecurity and cyber resilience; RI Advice is the only defendant, the obligation was on RI Advice to manage the risk for itself and across the AR network; it is clear from FASOC paragraph 14 that every missing expected document constitutes a contravention; the reference to 'mandated' in the particulars to FASOC paragraph 14 refers to the rules and processes mandated by an organisation's internal cybersecurity documents, not by any external legislation or standards; and Mr Bell explains the Cybersecurity Domains in the Bell Report.

RI Advice's second complaint 64 RI Advice's second complaint related to the source of the Minimum Cybersecurity Requirements. RI Advice noted that it is not alleged that the Minimum Cybersecurity Requirements are prescribed or mandated by any particular laws, regulations, or mandated codes. Rather, RI Advice submitted the Minimum Cybersecurity Requirements are 'cobbled together from various sources, none of which are said to be binding or mandatory'. 65 In response to the second complaint, ASIC submitted that the source of the obligation on RI Advice to maintain adequate cybersecurity documentation and controls is s 912A(1) of the Act. The obligation is imposed by reason of RI Advice's status as a financial services licensee under the terms of its Licence, and under s 912A(1) of the Act. The minimum documentation ASIC alleges is required to meet the obligation arising under the Licence and s 912A(1) of the Act is the Minimum Cybersecurity Requirements. 66 ASIC's expert witness Mr Bell provides an opinion as to what he considers is the minimum documentation required to satisfy the obligation arising under the Licence and under s 912A(1) of the Act. The Bell Report provides details of his qualifications, experience and study, and the reasons for his opinion as to why the documents set out in Schedule A are required to meet the minimum set of 'baseline requirements' in order to satisfy the obligations in s 912A(1) of the Act. 67 ASIC further submitted that the case law concerning s 912A(1)(a), for example, makes clear that to establish a breach of this provision does not require a contravention or breach of a separately existing legal duty or obligation, but that the provision itself is the source of the obligation. Accordingly, whether or not the pleaded Minimum Cybersecurity Requirements and the required Documentation and Controls referred to in Schedule A to the FASOC were required by s 912A(1), with the consequence that a failure to have them in place constituted a breach, is a question to be determined at trial.

RI Advice's third complaint 68 RI Advice's third complaint related to what it said are the rolled-up allegations of contravention. RI Advice's submissions discussed FASOC paragraph 60 which it said exemplified the defect which also infected FASOC paragraphs 92, 93, 106, 106A, 110 and 121. 69 Taking paragraph 60 as an example, RI Advice submitted: It is not clear if each Cybersecurity Incident constitutes a standalone contravention, or rather the incidents are regarded cumulatively as one contravention; It is unclear whether each incident (or the incidents collectively) constitutes a breach of each of the relevant statutory provisions (ss 912A(1)(a)-(d) and (h)) or only some of the provisions; The allegation that RI advice did not provide the financial services 'honestly', 'fairly' or 'efficiently' as required by s 912A(1)(a) is not particularised; The 'adequate resources' RI Advice is alleged to have failed to have in contravention of s 912A(1)(d) are not identified; The reference to the 'unacceptable risk' RI Advice allegedly exposed its clients to is not defined, and nor is it pleaded that RI Advice's alleged failures in respect of its 'Cybersecurity Documentation and Controls' exposed clients to 'unacceptable risk'; and The interaction between Schedule A and the alleged contraventions of s 912A(1) is not explained, meaning that some expressions in the FASOC are used in a way that confuses or obscures their manner. For example, s 912A(1)(h) refers to 'risk management systems', and two of the 13 Cybersecurity Domains referred to in Schedule A are 'Risk Assessments and Risk Management' and 'Supply Chain Risk Management'. 70 As to RI Advice's third complaint, ASIC submits that when paragraphs 60, 92, 93, 106A, 110 and 121 of the FASOC are read with the ASIC Particulars, there is no rolling-up of the allegations. In response to RI Advice's submissions on paragraph 60, ASIC submits: RI Advice's response to each Cybersecurity Incident is relied on as constituting a separate contravention, and the use of 'and/or' indicates that the conduct described in the relevant particulars is relied on both individually and cumulatively as constituting a relevant contravention; The ASIC Particulars set out the conduct relied on by ASIC in respect of alleged contraventions of each of ss 912A(1)(a)-(d) and (h), meaning the particulars relating to FASOC paragraph 60 are found throughout the ASIC Particulars; ASIC has already provided extensive particulars of the conduct relied upon in support of the alleged contravention of 912A(1)(a), in which the phrase 'efficiently, honestly and fairly' has been held to be 'compendious as a single, composite concept, rather than containing three discrete behavioural norms'; In respect of s 912(1)(d), the ASIC Particulars make clear that the relevant conduct relied upon is in respect of the inadequacy of the May 2018 Documentation and Controls; The 'risk' referred to in the allegation at paragraph 60(d) is the risk in respect of cybersecurity and cyber resilience referred to at paragraph 59(d) and in the definition of Minimum Cybersecurity Requirements. The particulars make it clear that ASIC alleges the unacceptable risk arose because the May 2018 Documentation and Controls did not meet the Minimum Cybersecurity Requirements - and whether or not that risk was an 'unacceptable risk' is a matter for trial; and The conduct relied on by ASIC in support of the alleged contravention of s 912A(1)(h) is set out in the ASIC Particulars, being that RI Advice's risk management systems in respect of cybersecurity and cyber resilience were inadequate because the May 2018 Documentation and Controls did not meet the Minimum Cybersecurity Requirements by way of the deficiencies identified in Schedule B.

RI Advice's first and second complaints 71 It is not in doubt that a contravention of the 'efficiently, honestly and fairly' standard of s 912A(1) of the Act does not require a contravention or breach of a separately existing legal duty or obligation, whether statutory, fiduciary, common law or otherwise. The statutory standard itself the source of the obligation: ASIC v AGM Markets Pty Ltd (in liquidation) (No 3) [2020] FCA 208 at [512] per Beach J. 72 ASIC's case as pleaded in the FASOC paragraphs 12 to 14 is that in order to meet its obligations under s 912A(1) of the Act, RI Advice had to have all of the expected documents set out in Schedule A. The 68 expected documents as set out in Schedule A are pleaded to be the baseline Cybersecurity Documentation and Controls necessary to adequately manage risk in respect of cybersecurity and cyber resilience for itself and across its AR network. The 68 expected documents set out in Schedule A are therefore the minimum required to satisfy the Minimum Cybersecurity Requirements. 73 As noted above, much of RI Advice's oral argument was directed towards the Minimum Cybersecurity Requirements, the source of the expected documents set out in Schedule A and the basis on which ASIC alleged that those 68 documents are the minimum standard required to satisfy the obligation imposed by s 912A(1) of the Act. The foundation for the 68 documents is the opinion of ASIC's expert, Mr Bell. 74 It became apparent during ASIC's oral submissions that Schedule A to the FASOC was 'precisely the same' as Appendix N (or more accurately, Figure 1 of Appendix N) to the Bell Report. 75 At 5.5.6 of the Bell Report, Mr Bell makes it clear that to his knowledge there is no single mandated industry benchmark or baseline for an AFS Licensee in relation to cybersecurity risk and resilience. ASIC confirmed at the hearing that it did not allege that the Minimum Cybersecurity Requirements were mandated by any particular laws, regulations or industry standards. 76 The expected documents in Schedule A (or Appendix N, figure 1 of the Bell Report) comprise a suite of formalised operational documents and controls that in Mr Bell's opinion, based on his training, study and expertise, are the minimum set of 'baseline requirements' for an AFS licence holder, such as RI Advice, to have had in place in order to maintain reasonable and adequate cybersecurity governance and risk management practices in respect of cybersecurity and cyber resilience. 77 Rather than being 'cobbled together' from various industry standards, the 68 expected documents set out in Schedule A are the suite of documents that, in Mr Bell's expert opinion, constitute the minimum set of baseline requirements that an AFS licence holder should have in place to satisfy the obligation under s 912A(1) of the Act. 78 In sections 5, 7, 8, 9 and 10 of the Bell Report, Mr Bell sets out his process of reasoning to arrive at the suite of expected documentation he sets out in figure 1 of Appendix N. 79 Mr Bell defines the term 'Cybersecurity Domain' in the glossary at the start of the Bell Report. Mr Bell explains each of the 13 Cybersecurity Domains used in Schedule A of the FASOC at paragraph 5.5.13 and Appendix N of the Bell report. 80 Mr Bell explains the categories used in Schedule A of the FASOC in figure 1 of Appendix N to the Bell Report. The three categories are said by Mr Bell to indicate the hierarchy layer to which the document is aligned (strategic, tactical and operational). The strategic layer comprises the strategies, frameworks and policies; the tactical layer comprises the plans, procedures, standards and guidelines; and the operational layer comprises the systems, resources and controls. 81 Each of the FASOC Schedules the subject of RI Advice's strike out application appears to be sourced from the Appendices to the Bell Report: FASOC Schedule A corresponds to Figure 1 of Appendix N as discussed above; FASOC Schedule B appears to correspond to Figure 2 of Appendix N to the Bell Report. Figure 2 of Appendix N is described as outlining the documentation and material which RI Advice held in relation to Mr Bell's 'baseline requirements' as set out in the first part of Appendix A for the period prior to and as at 15 May 2018; While RI Advice does not seek to strike out Schedule C, for completeness I note that FASOC Schedule C appears to be derived from Figure 1 of Appendix P to the Bell Report. Figure 1 of Appendix P summarises the documentation held by RI Advice at various times that Mr Bell considered applicable to his 'baseline requirements'; FASOC Schedule D appears to correspond to Figure 1 of Appendix X to the Bell Report, entitled 'Comparison against baseline requirements (post-breach period as at 12 and 13 March 2019)'; FASOC Schedule E appears to correspond to Figure 1 of Appendix O to the Bell Report, entitled 'Comparison against baseline requirements (post-breach period as of 1 November 2019)'; and FASOC Schedule F appears to correspond to Figure 1 of Appendix T to the Bell Report, entitled 'Comparison against baseline requirements (extended remediation period as of 1 May 2020)'. 82 Needless confusion could have been avoided if these matters had been made plain to RI Advice in November 2020, rather than the introduction of the publicly available standards and the 'over-elevation' of their significance and role by reason of what was said by ASIC in their correspondence and the ASIC particulars provided on 23 December 2020. 83 At the time Schedule A first appeared with the filing of the statement of claim on 26 October 2020, RI Advice did not have the Bell Report. RI Advice suspected that an expert report might lie behind Schedule A and, on 18 November 2020, its solicitors asked for a copy of any report and any other documents relied upon by ASIC in describing the Minimum Cybersecurity Requirements and the 13 Cybersecurity Domains. 84 In response, ASIC, which I infer (by reason of the precise similarity of Schedule A and figure 1 of Appendix N) had the Bell Report, or at least an advanced draft of figure 1 of Appendix N, said that it was premature to file and serve expert evidence at that stage of the proceeding. Instead of noting that an expert opinion lay behind the 'expected documents' in Schedule A, ASIC listed six standards from around the globe, five of which were said to be publicly available, which it said were the documents relied upon in preparing Schedule A. 85 On 27 November 2020, RI Advice sought further and better particulars, including as to paragraphs 13(b) and 14 of the ASOC, in particular: state by reason of what acts, facts, matters, circumstances and or things ASIC alleges that the defendant "should have" had each of the Cybersecurity Documentation and Controls specified in Schedule A … in place in each of the 13 Cybersecurity Domains at all material times … in order to meet the Minimum Cybersecurity Requirements; and insofar as it is alleged that the asserted obligation/requirement referred to [above] arose by reason of a requirement or standard, identify the same for all material times. 86 ASIC responded by providing the ASIC Particulars in a letter dated 23 December 2020. Relevantly, the ASIC Particulars provide: To the extent that the request for particulars seeks clarifications for the source of an obligation, these are provided in ASIC's response to request for particulars below. … Particulars to paragraph 13(b) of the ASOC … RI Advice should have had those Cybersecurity Documentation and Controls in place by reason of: … The parts of the following Cybersecurity industry standards identified in Attachment A to this letter (Attachment A): i. Australian Signals Directorate, Australian Cyber Security Centre, 'Essential Eight Maturity Model' (ASD Essential Eight); ii. Australian Securities and Investment Commission, 'Report 429 Cyber resilience: Health Check', dated March 2015 (Report 429) iii. British Standards Institution, BS EN ISO/IEC 27001: 2017 'Information Technology - Security Techniques - Information Security Management Systems - Requirements' (ISO 27001:2017), published October 2013, Annexure A (ISO A); iv. National Institute of Standards and Technology, 'Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, dated 12 February 2014 and Version 1.1m dated 16 April 2018 (NIST CSF); and v. National Institute of Standards and Technology, Computer Security Incident Handling Guide, Special Publication 800-61, Revision 2, dated August 2012 (NIST Incident Handling Guide) (Cybersecurity Industry Standards) [italics emphasis added] 87 The further and better particulars provided for FASOC paragraphs 14(b) to (d), 15(a) and (b), 21(a) and (b), 25(a) and (b), 31(a) and (b), 36(a) and (b), 41(a) and (b), 49(a) and (b), 59, 65(a) and (b), 91, 98(a) and (b), 105, 108(a) and (b) and 120, each make express reference to 'the parts of the Cybersecurity Industry Standards identified in Attachment A', in the context of the source of the obligation that RI Advice should have had each of the Cybersecurity Documentation and Controls in place in order to satisfy the obligation alleged to be imposed by s 912A(1) of the Act. 88 Attachment A to the ASIC Particulars followed a similar form to Schedule A except that the fourth column was headed 'Industry Standard' rather than 'Description'. For each expected document a selection of extracts from one or more of the Cybersecurity Industry Standards was provided. For the example I gave above, the new column gave the impression that the obligation to have expected document ED2.1 arose by reason of NIST CSF:ID.RA-1 and ID-RM-1. 89 The confusion introduced by the ASIC Particulars and Attachment A was amply illustrated in oral submissions by RI Advice's senior counsel who followed through two examples of the chain of references to industry standards introduced via the fourth column of Attachment A. It is sufficient to set out one of these examples here: Cybersecurity Domain: Governance & Business Environment Category: Plans, Procedures and Guidelines Expected Document: ED 1.4, Evaluation and Prioritisation Process 'Industry Standard': NIST CSF: ID.BE-4, ID.BE-5, ID.RA-4. 90 NIST CSF is found in Appendix E to the Bell Report. It was one of the documents provided to RI Advice on 22 November 2020. Going to the first reference, 'subcategory' ID.BE-4, reveals a three column table with 'informative references' provided for each subcategory. The relevant informative references for this first reference are: • ISO/TEC 27001:2013 A.11.2.2, A.11.2.13,A.12.1.3 • NIST SP 800-53 Rev.4 CP-8, PE-9, PE-1, PM-8, SA-14 91 Each of these 'informative references' is itself a reference to yet another section of another Cybersecurity Industry Standard which I do not propose to follow further down the chain. 92 Each of the expected documents in Attachment A has at least one Cybersecurity Industry Standard reference. Many have several references within the one standard, others have multiple references in more than one standard. The same tracing through exercise as the example above could be carried out for each reference. 93 Why RI Advice should have had the Cybersecurity Documentation and Controls in place by reason of these Cybersecurity Industry Standards is not apparent from the references to the standards. It is also not ASIC's pleaded case that the obligation to have the expected documents of Schedule A was mandated by any industry standards. 94 Even after service of the Bell Report in April 2021, ASIC did not clarify that the Bell Report, and in particular Mr Bell's expert opinion was the source of the expected documents in Schedule A, and the expected documents were not derived by reason of industry standards alone. In its submissions for the case management conference on 14 May 2021, ASIC continued to refer to the 'six publicly available standards relied upon by ASIC in preparing Schedule A'. 95 Consistent with its obligations both as a model litigant and pursuant to s 37M of the Federal Court Act 1976 (Cth), ASIC should have told RI Advice the source of the expected documents in Schedule A was an expert opinion when RI Advice asked in November 2020, even if it did not provide a copy of the Bell Report at that time. To instead point RI Advice to the publicly available standards in correspondence, the ASIC Particulars and Attachment A has caused needless confusion and wasted time and resources. 96 The Bell Report makes clear at 5.5.6 that there are no mandated industry standards of minimum cybersecurity documentation. 97 The expected documents in Schedule A (Figure 1 of Appendix N) comprise the documents that in Mr Bell's opinion, a financial services provider such as RI Advice, should have in place in order to maintain reasonable and adequate cybersecurity governance and risk management practices in respect of cybersecurity and cyber resilience for the purposes of meeting its obligations under s 912A(1) of the Act. 98 It is apparent from the Bell Report that the only role of the industry standards is as a background input to Mr Bell's opinion that the appropriate cybersecurity documents and controls that should be adopted are those set out in Schedule A. ASIC confirmed that the industry standards are not part of ASIC's case, other than in the sense that Mr Bell refers to them in the course of his reasoning set out in the Bell Report. 99 The confusion as to the source of the expected documents in Schedule A and the Minimum Cybersecurity Requirements, introduced by the reference to the industry standards in correspondence and the ASIC Particulars, has been removed by ASIC's confirmation that Schedule A is precisely identical to figure 1 of Appendix N to the Bell Report. 100 It is apparent that the statements in the ASIC Particulars that RI Advice's obligation to have the Cybersecurity Documentation and Controls in place was 'by reason of' the industry standards do not align with ASIC's s 912A(1) case as clarified at the hearing. 101 The ASIC Particulars need to be amended to reflect that the source of the Minimum Cybersecurity Requirements, being the expected documents set out in Schedule A, is not the industry standards but the expert opinion of Mr Bell, as articulated in the Bell Report. 102 Whilst I am dealing with the ASIC Particulars, I note that the further particulars to various paragraphs of the FASOC are scattered throughout the document in a manner which makes it difficult to follow through all the further particulars to a particular paragraph of the FASOC. For example, the further particulars to FASOC paragraph 60 are found on pages 9, 12, 15, 18, 19, 22 and 24 of the ASIC Particulars. This does not assist in the ease of understanding ASIC's case. 103 The ASIC Particulars should be incorporated into the FASOC so that there is one source of ASIC's pleaded case, with the particulars to each FASOC paragraph located with that paragraph.

RI Advice's third complaint 104 I accept ASIC's submissions summarised above in relation to the third complaint: the rolled-up nature of the pleading in paragraphs 60, 92, 93, 106A, 110 and 121. 105 The allegations are no longer rolled-up, when FASOC paragraph 60 (or the other paragraphs) is read with their further and better particulars as set out in the ASIC Particulars. As I noted above, the ASIC Particulars are difficult to navigate and should be incorporated into the FASOC to facilitate understanding of how the ASIC case is put. 106 Once the ASIC Particulars are incorporated into the FASOC and the particulars are joined to the FASOC paragraph to which they belong, the matters and incidents relied upon in relation to the contravention of each subsection of s 912A(1) should be apparent.

Conclusion 107 Armed with the Bell Report, and the further explanation and clarification of the FASOC and ASIC Particulars provided during ASIC's oral submissions, I consider that the FASOC adequately sets out the case that RI Advice needs to meet. 108 FASOC Schedules A, B, C, D, E and F are known to originate from the Appendices to the Bell Report. The methodology and reasoning employed by Mr Bell in putting together the Appendices behind the Schedules is set out in the Bell Report, together with an explanation of the terms used by him in his report. Many of these terms, such as 'Cybersecurity Resilience' and 'Cybersecurity Domain' are used in the FASOC. 109 RI Advice did not rely on any evidence from a technical expert as to an inability to understand the terminology used in the FASOC. In the absence of such evidence and with a glossary of terms provided in the Bell Report and the FASOC (Schedule G), I do not agree that the language used in the FASOC can be described as 'practically incomprehensible', or so ambiguous as to warrant being struck out. 110 For the reasons set out above, I do not consider that the paragraphs and Schedules of the FASOC the subject of RI Advice's application are ambiguous, or likely to cause prejudice, embarrassment or delay in the proceeding, or that they fail to disclose a reasonable cause of action. 111 For these reasons I dismiss RI Advice's strike out application. I certify that the preceding one hundred and eleven (111) numbered paragraphs are a true copy of the Reasons for Judgment of the Honourable Justice Rofe.

Federal Court Act 1976(Cth)

At a glance

Court

Decision date

Before

Source

Judgment (14 paragraphs)

Parties

Legislation Cited (4)

Cases Cited (6)

Cited By (1)