Former ANZ subsidiary breached obligations over cybersecurity failures

RI Advice will repay $750,000 in legal fees to the corporate watchdog after the Federal Court determined that the firm breached its license obligations by failing to have adequate systems in place to manage cybersecurity risks.

The judgment is a first in Australian legal history, and follows a number of cyber incidents affecting authorised representatives of RI Advice, an ANZ Bank (ASX: ANZ) subsidiary until October 2018, when IOOF (now Insignia Financial) took control.

In total, nine cybersecurity incidents occurred at RI Advice authorised representatives' practices between June 2014 and May 2020.

In one of the incidents, an unknown malicious agent obtained, through a brute force attack, access to an authorised representative’s file server. The agent had access for more than a year, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons.

Another saw an email account hacked, causing five clients to receive a fraudulent email urging the transfer of funds. One client made transfers totalling approximately $50,000.

A third incident saw a cybercriminal use an employee's email address to send phishing emails to more than 150 clients and other contacts on the practice's database.

Inquiries and reports made on behalf of RI Advice following the cybersecurity incidents revealed that the respective authorised representatives did not have computer systems with up-to-date antivirus software installed.

In addition, the computer systems did not filter or quarantine suspicious emails and no backup systems were in place. Poor password practices were rife at firms, including the sharing of passwords between employees, the use of default passwords, and other security details being held in easily accessible places.

“These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information,” Australian Securities and Investments Commission (ASIC) deputy chair Sarah Court said.

“It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.

“ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment.”

In addition to a declaration of contravention and the repayment of ASIC's legal fees, the Federal Court ordered RI Advice to engage a cybersecurity expert to identify and implement further measures necessary to manage risks across the company’s authorised representative network.

“Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services,” Justice Helen Rofe said.

“It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”

Her Honour further stated that the declarations ordered in the matter should serve to record the Court’s disapproval of the conduct and should deter other Australian Financial Services licensees from engaging in similar conduct. 
