Former ANZ subsidiary breached obligations over cybersecurity failures

RI Advice will repay $750,000 in legal fees to the corporate watchdog after the Federal Court determined that the firm breached its license obligations by failing to have adequate systems in place to manage cybersecurity risks.

The judgment is a first in Australian legal history, and comes after a number of cyber incidents affected authorised representatives of RI Advice, an ANZ Bank (ASX: ANZ) subsidiary until October 2018, when IOOF (now Insignia Financial) took control.

In total, nine cybersecurity incidents occurred at RI Advice authorised representatives' practices between June 2014 and May 2020.

In one of the incidents, an unknown malicious agent obtained, through a brute force attack, access to an authorised representative’s file server. The agent had access for more than a year, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons.

Another saw an email account hacked, causing five clients to receive a fraudulent email urging the transfer of funds. One client made transfers totalling approximately $50,000.

A third incident saw a cybercriminal use an employee's email address to send phishing emails to more than 150 clients and other contacts on the practice's database.

Inquiries and reports made on behalf of RI Advice following the cybersecurity incidents revealed that the respective authorised representatives did not have computer systems with up-to-date antivirus software installed.

In addition, the computer systems did not filter or quarantine suspicious emails and no backup systems were in place. Poor password practices were rife at firms, including the sharing of passwords between employees, the use of default passwords, and other security details being held in easily accessible places.

“These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information,” Australian Securities and Investments Commission (ASIC) deputy chair Sarah Court said.

“It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.

“ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment.”

In addition to a declaration of contravention and the repayment of ASIC's legal fees, the Federal Court ordered RI Advice to engage a cybersecurity expert to identify and implement further measures necessary to manage risks across the company’s authorised representative network.

“Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services,” Justice Helen Rofe said.

“It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”

Her Honour further stated that the declarations ordered in the matter should serve to record the Court’s disapproval of the conduct and should deter other Australian Financial Services licensees from engaging in similar conduct.
