Former ANZ subsidiary breached obligations over cybersecurity failures

RI Advice will repay $750,000 in legal fees to the corporate watchdog after the Federal Court determined that the firm breached its license obligations by failing to have adequate systems in place to manage cybersecurity risks.

The judgment is a first in Australian legal history, and comes after a number of cyber incidents affected authorised representatives of RI Advice, an ANZ Bank (ASX: ANZ) subsidiary until October 2018, when IOOF (now Insignia Financial) took control.

In total, nine cybersecurity incidents occurred at RI Advice authorised representatives' practices between June 2014 and May 2020.

In one of the incidents, an unknown malicious agent obtained, through a brute force attack, access to an authorised representative’s file server. The agent had access for more than a year, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons.

Another saw an email account hacked, causing five clients to receive a fraudulent email urging the transfer of funds. One client made transfers totalling approximately $50,000.

A third incident saw a cybercriminal use an employee's email address to send phishing emails to more than 150 clients and other contacts on the practice's database.

Inquiries and reports made on behalf of RI Advice following the cybersecurity incidents revealed that the respective authorised representatives did not have computer systems with up-to-date antivirus software installed.

In addition, the computer systems did not filter or quarantine suspicious emails and no backup systems were in place. Poor password practices were rife at firms, including the sharing of passwords between employees, the use of default passwords, and other security details being held in easily accessible places.

“These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information,” Australian Securities and Investments Commission (ASIC) deputy chair Sarah Court said.

“It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.

“ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment.”

In addition to a declaration of contravention and the repayment of ASIC's legal fees, the Federal Court ordered RI Advice to engage a cybersecurity expert to identify and implement further measures necessary to manage risks across the company’s authorised representative network.

“Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services,” Justice Helen Rofe said.

“It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”

Her Honour further stated that the declarations ordered in the matter should serve to record the Court’s disapproval of the conduct and should deter other Australian Financial Services licensees from engaging in similar conduct. 
