RI Advice flagged as cautionary cyber security tale


23 May 2024
By Laura Dew

ASIC has flagged the case of RI Advice as an example of the need for cyber security measures within a financial services firm. 

Appearing before a Senate Select Committee into Adopting Artificial Intelligence earlier this week, ASIC chair Joe Longo told the committee that it is imperative for firms to know where their data is held. 

Asked by a select committee member how ASIC could hold directors liable for harmful actions that were the result of AI decision-making, Longo said directors could not ignore what is happening in their businesses from a tech perspective.

“It starts with curiosity and asking the right questions. What ASIC expects of directors is to be informing themselves of this topic, do they know where their data is? Is it in the hands of a third-party provider, is it in the cloud, how are you protecting that data?

“A cyber attack is almost inevitable, what is your response plan and how are you taking steps for that? What gives you confidence in those steps?

“We need more scientists on boards, those people who are data literate. This goes back to the fundamental question of you won’t understand what is happening unless you ask the right questions of the right people.”

As to how people could be held liable, Longo referenced the case from May 2022 related to advice licensee RI Advice.

In this matter, the Federal Court found RI Advice had breached its licence obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cyber security risks.

A significant number of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020. In one instance, an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons.

Longo said: “We’ve run a couple of cases at ASIC, the most famous of which is that of AFSL RI Advice for basically having no systems in place for cyber security. 

“Do we need changes in the law to make it more specific or prescriptive in our existing director duties to deal with AI and cyber security? That’s a discussion for another day, but at the end of the day, the law and ASIC can intervene and go to court in some actionable circumstances. 

“In this area there is a role for enforcement and court-based outcomes, but it cannot be a complete solution. We need to be constantly encouraging businesses to take it seriously; it is the directors’ responsibility.”

Because the RI Advice breach occurred before March 2019, it did not incur a penalty. Future breaches by firms after this date would incur significant penalties of as much as $525 million.

Avoiding ‘fatalistic fears’

In a separate speech to the ASIC x UTS: AI Regulator Symposium in Sydney on 21 May, Longo detailed the role of government and regulators in shaping how AI is designed and deployed. 

“Like all technology, AI is the product of human ingenuity and can therefore, by definition, be understood. Moreover, it is the job of government and regulators to ensure that these systems are explainable and transparent.

“Fatalistic fears of sentient technology overrunning humanity are the stuff of nightmares – and science fiction. We should not let these existential anxieties – grimly enthralling though they are – distract us from the task at hand.

“Our job is to mitigate the known risks – and, in doing so, bend the trajectory away from the worst imagined outcomes, so that they never materialise.”

Longo said he is hopeful that AI can be deployed to bring about positive change, but a strong regulatory framework is needed to manage it safely. 

“Across Australia, a consensus is developing: we need a strong regulatory framework to steer the course of AI towards its safe and responsible development and use. A framework that enables technological innovation to flourish, so that it can deliver the promised economic benefits and productivity improvements. But not at the expense of consumers and investors.”
