ASIC takes former ANZ-owned RI Advice to court over inadequate cybersecurity
The Australian Securities and Investments Commission (ASIC) is alleging RI Advice Group Pty Ltd, an Australian Financial Services (AFS) licence holder focused on retirement advice, failed to have adequate cybersecurity systems in place.
ASIC has commenced proceedings in the Federal Court of Australia against RI, following a number of alleged cyber breach incidents at certain authorised representatives of RI.
According to ASIC, incidents included an alleged cyber breach at Frontier Financial Group Pty Ltd from December 2017 to May 2018.
Prior to October 2018, RI was a wholly-owned subsidiary of ANZ Bank. It then became a wholly-owned subsidiary of IOOF Holdings Limited as one of four financial planning dealer groups sold by ANZ under a AU$975 million deal.
ASIC alleges that Frontier was subject to a brute force attack whereby a malicious user successfully gained remote access to Frontier’s server. ASIC alleges the actor spent more than 155 hours logged into the server, which contained sensitive client information including identification documents.
The financial watchdog alleges that RI, including its authorised representatives, failed to implement adequate policies, systems, and resources that are reasonably appropriate to manage risk in respect of cybersecurity and cyber resilience.
With the proceedings being launched on Friday, ASIC is seeking declarations that RI contravened certain provisions of the Corporations Act, orders that RI pay a civil penalty, and compliance orders for RI to implement systems that are “reasonably appropriate to adequately manage risk in respect of cybersecurity and cyber resilience and provide a report from a suitably qualified independent expert confirming that such systems have been implemented”.
A report from ASIC in December found that while awareness and management of cybersecurity risk were improving in Australia’s financial market, there was still room for improvement across the entire sector.
“Organisations are alert to cybersecurity threats to their business and have focused their resources and efforts on improving their cybersecurity governance, risk management, and response and recovery capabilities,” the watchdog wrote.