RI Advice flagged as cautionary cyber security tale

23 May 2024
By Laura Dew

ASIC has flagged the case of RI Advice as an example of the need for cyber security measures within a financial services firm. 

Appearing before a Senate Select Committee into Adopting Artificial Intelligence earlier this week, ASIC chair Joe Longo told the committee that it is imperative for firms to know where their data is held. 

Asked by a select committee member how ASIC could hold directors liable for harmful actions that were the result of AI decision-making, Longo said directors could not ignore what is happening in their businesses from a tech perspective. 

“It starts with curiosity and asking the right questions. What ASIC expects of directors is to be informing themselves of this topic, do they know where their data is? Is it in the hands of a third-party provider, is it in the cloud, how are you protecting that data?

“A cyber attack is almost inevitable, what is your response plan and how are you taking steps for that? What gives you confidence in those steps?

“We need more scientists on boards, those people who are data literate. This goes back to the fundamental question of you won’t understand what is happening unless you ask the right questions of the right people.”

As to how people could be held liable, Longo referenced the case from May 2022 related to advice licensee RI Advice.

In this matter, the Federal Court found RI Advice had breached its licence obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cyber security risks.

A significant number of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020. In one instance, an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons.

Longo said: “We’ve run a couple of cases at ASIC, the most famous of which is that of AFSL RI Advice for basically having no systems in place for cyber security. 

“Do we need changes in the law to make it more specific or prescriptive in our existing director duties to deal with AI and cyber security? That’s a discussion for another day, but at the end of the day, the law and ASIC can intervene and go to court in some actionable circumstances. 

“In this area there is a role for enforcement and court-based outcomes, but it cannot be a complete solution. We need to be constantly encouraging businesses to take it seriously; it is the directors’ responsibility.”

Because the RI Advice breach occurred before March 2019, it did not incur a penalty. Future breaches by firms after this date would incur significant penalties of as much as $525 million.

Avoiding ‘fatalistic fears’

In a separate speech to the ASIC x UTS: AI Regulator Symposium in Sydney on 21 May, Longo detailed the role of government and regulators in shaping how AI is designed and deployed. 

“Like all technology, AI is the product of human ingenuity and can therefore, by definition, be understood. Moreover, it is the job of government and regulators to ensure that these systems are explainable and transparent.

“Fatalistic fears of sentient technology overrunning humanity are the stuff of nightmares – and science fiction. We should not let these existential anxieties – grimly enthralling though they are – distract us from the task at hand.

“Our job is to mitigate the known risks – and, in doing so, bend the trajectory away from the worst imagined outcomes, so that they never materialise.”

Longo said he is hopeful that AI can be deployed to bring about positive change, but a strong regulatory framework is needed to manage it safely. 

“Across Australia, a consensus is developing: we need a strong regulatory framework to steer the course of AI towards its safe and responsible development and use. A framework that enables technological innovation to flourish, so that it can deliver the promised economic benefits and productivity improvements. But not at the expense of consumers and investors.”
