Court finds RI Advice failed to adequately manage cybersecurity risks
The Federal Court has found Australian Financial Services licensee, RI Advice, breached its license obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks.
The first ruling of its kind in Australia, the finding came after a significant number of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020.
In one of the incidents, an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons.
The finding followed an earlier ruling by the Federal Court in February in which RI Advice Group was ordered to pay a $6 million penalty for failing to take reasonable steps to ensure that its authorised representative, John Doyle, provided appropriate financial advice.
Australian Securities and Investments Commission (AISC), deputy chair, Sarah Court, said the cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information.
“It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access,” Court said.
“ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment.”
The corporate regulator said RI Advice had taken steps to address cybersecurity risk across its authorised representative network. In addition to the declaration of contravention, the court ordered RI Advice to engage a cybersecurity expert to identify and implement what, if any, further measures are necessary to adequately manage cybersecurity risks across RI Advice’s authorised representative network.
When handing down the judgment, Justice Rofe made clear that cybersecurity should be front of mind for all licensees, stating: “Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”
AUTHOR
Liam Cormican
Recommended for you
Sequoia Financial Group has declined by five financial advisers in the past week, four of whom have opened up a new AFSL, according to Wealth Data.
Insignia Financial chief executive Scott Hartley has detailed whether the firm will be selecting an exclusive bidder for the second phase of due diligence as it awaits revised bids from three private equity players.
Insignia Financial has reported a statutory net loss after tax of $17 million in its first half results, although the firm has noted cost optimisation means this is an improvement from a $50 million loss last year.
With alternative funds being described as “impossible” for fund managers to target towards advisers without the support of BDMs for education, Money Management explores the evolving nature of the distribution role.
