Former ANZ subsidiary breached obligations over cybersecurity failures

RI Advice will repay $750,000 in legal fees to the corporate watchdog after the Federal Court determined that the firm breached its license obligations by failing to have adequate systems in place to manage cybersecurity risks.

The judgment is a first in Australian legal history. It follows a series of cyber incidents at the practices of authorised representatives of RI Advice, which was an ANZ Bank (ASX: ANZ) subsidiary until October 2018, when IOOF (now Insignia Financial) took control.

In total, nine cybersecurity incidents occurred at RI Advice authorised representatives' practices between June 2014 and May 2020.

In one of the incidents, an unknown malicious actor gained access to an authorised representative's file server through a brute-force attack. The actor retained that access for more than a year, potentially compromising the confidential and sensitive personal information of several thousand clients and other persons.

Another saw an email account hacked, causing five clients to receive a fraudulent email urging the transfer of funds. One client made transfers totalling approximately $50,000.

A third incident saw a cybercriminal use an employee's email address to send phishing emails to more than 150 clients and other contacts on the practice's database.

Inquiries and reports made on behalf of RI Advice following the cybersecurity incidents revealed that the respective authorised representatives did not have computer systems with up-to-date antivirus software installed.

In addition, the computer systems did not filter or quarantine suspicious emails, and no backup systems were in place. Poor password practices were rife at the practices, including the sharing of passwords between employees, the use of default passwords, and the storage of other security details in easily accessible places.

“These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information,” Australian Securities and Investments Commission (ASIC) deputy chair Sarah Court said.

“It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.

“ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment.”

In addition to a declaration of contravention and the repayment of ASIC's legal fees, the Federal Court ordered RI Advice to engage a cybersecurity expert to identify and implement the further measures necessary to manage risks across the company's authorised representative network.

“Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services,” Justice Helen Rofe said.

“It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”

Her Honour further stated that the declarations ordered in the matter should serve to record the Court's disapproval of the conduct and should deter other Australian Financial Services licensees from engaging in similar conduct.
