RI Advice cybersecurity case will be first of many
The Federal Court’s ruling that RI Advice failed to have adequate cybersecurity risk management systems is a sign of things to come, according to the Cyber Security Research Centre.
In May, RI Advice was found to have breached its Australian Financial Services license obligations on multiple occasions over a six-year period between June 2014 and May 2020 as it failed to have adequate risk management systems to manage cybersecurity risks. RI Advice was ordered to pay $750,000 in court costs but did not receive a fine as the breaches occurred before 2018
However, for breaches later than 2018, fines could be as much as $525 million following changes to legislation.
Speaking at the Stockbrokers and Investment Advisers Association (SIAA) conference, Cyber Security Research Centre chief executive, Rachael Falk, said the case “was a sign of things to come [as] all regulators were waking up to cybersecurity”.
She said she was disappointed to see that the case was settled as further cybersecurity legal precedent could help the industry in the long term.
As the cybersecurity failings stretched a period of six years, Falk asked what role management played or did not play.
“As you probably all know, there was an M&A transition when RI Advice became part of IOOF [in 2018]. But also where was the board and what was the board told? They may have absolutely been in the dark and that’s a whole other issue.”
Falk’s views were echoed by McGrathNicol partner, Shane Bell, who said the Federal Court’s ruling on cybersecurity failings had ‘drawn a line in the sand’.
“I think it’s drawing a bit of a line in the sand and that is that this is a significant issue that relates to Australian Financial Services licensee holding and Corporations Act requirements and that doing nothing isn’t good enough,” he said.
Bell was appointed by the court as an independent expert on the matter and could therefore only share general information about the case, noting it had sent a clear message to the industry on the need for adequate cybersecurity safeguards.
He said the case showed firms needed to conform to minimum cybersecurity standards by having a system management approach with a cybersecurity program that was managed on an ongoing basis to keep risk thresholds within acceptable levels.
AUTHOR
Liam Cormican
Recommended for you
As the year draws to a close, a new report has explored the key trends and areas of focus for financial advisers over the last 12 months.
Assured Support explores five tips to help financial advisers embed compliance into the heart of their business, with 2025 set to see further regulatory change.
David Sipina has been sentenced to three years under an intensive correction order for his role in the unlicensed Courtenay House financial services.
As AFSLs endeavour to meet their breach reporting obligations, a legal expert has emphasised why robust documentation will prove fruitful, particularly in the face of potential regulatory investigations.
