ASIC prosecutes financial services firm over lax cyber policy

The Federal Court has today ruled that RI Advice breached the Corporations Act with inadequate cyber security measures, the first Australian Financial Services licensee to be so prosecuted.

RI Advice was ordered to pay $750,000 towards the legal costs of the Australian Securities and Investments Commission (ASIC), which brought the proceedings.

Nine cybersecurity incidents occurred at practices of RI Advice’s authorised representatives (ARs) between June 2014 and May 2020. The firm was one of three ANZ Banking Group financial licensees which from October 2018 became part of IOOF, now Insignia.

Reforms introduced as a result of the Hayne royal commission mean that a failure to comply with certain AFS licensing obligations – including obligations relating to how cyber risks are addressed – may give rise to a civil penalty.

Justice Helen Rofe determined RI Advice breached licence obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity exposure.

RI Advice contravened the Corporations Act from May 2018 to August as a result of its “failure to have documentation and controls in respect of cybersecurity and cyber resilience in place that were adequate to manage risk in respect of cybersecurity and cyber resilience across its AR network”.

That meant it had failed to do all things necessary to ensure its services were provided efficiently and fairly, and failed to have adequate risk management systems as required by the Act.

Since mid May 2018, the ARs have provided financial services to at least 60,000 retail clients.

In one of the cyber incidents, an unknown malicious agent obtained access to an AR’s file server for around five months through a brute force attack before being detected in April 2018, resulting in the potential compromise of confidential data of several thousand clients and other people.

The ARs electronically received, stored and accessed confidential and sensitive personal information in relation to their retail clients, including full names, addresses and dates of birth, and in some instances health information, phone numbers and email addresses, and copies of documents such as driver’s licences, passports and other financial information.

“These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information. It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place,” ASIC Deputy Chair Sarah Court said.

After that event, RI Advice engaged KPMG to conduct a forensic investigation which recommended cybersecurity enhancements, and RI Advice engaged external cybersecurity organisation Security In Depth.

Information Security Procedures released in 2016 provide that ARs should password-protect documents sent via email which contained personal client information; avoid using personal email addresses like Gmail; use passwords for IT devices and implement a password policy; use up-to-date security software including anti-virus; assess software annually for currency and apply patches regularly; have an “acceptable use” policy for staff; back up data regularly, store backups securely, and test them regularly; and implement physical security requirements such as locking premises and having a clean desk policy.

RI Advice acknowledged it only sought confirmation from ARs that they had read and were aware of the Professional Standards at that time, and had no mechanism to determine requirements relating to cybersecurity were understood by its ARs and were being met.

ASIC is urging financial services firms to adopt an enhanced cybersecurity position to improve cyber resilience amid a heightened cyber-threat environment.

Justice Rofe ordered RI Advice to implement any further necessary measures to adequately manage cybersecurity risks across its network, and she made clear cybersecurity should be “front of mind” for all licensees.

“Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level,” Justice Rofe said.

The RI Advice order should “serve to record the court’s disapproval of the conduct and should deter other Australian Financial Services licensees from engaging in similar conduct,” she said.

The court orders were made by consent after ASIC and RI Advice, which has had up to 119 AR practices, agreed to resolve the proceedings. ASIC had originally said RI Advice lacked policies, plans, procedures, strategies, standards, guidelines, frameworks, systems, resources and controls which were reasonably appropriate to manage cybersecurity.

Following are the nine RI Advice cyber incidents:

– In June 2014 an AR’s email account was hacked and five clients received a fraudulent email urging the transfer of funds. One client transferred $50,000

– A year later a third-party website provider engaged by an AR Practice was hacked, resulting in a fake home page being placed on the AR Practice’s website

– In September 2016 a client received a fraudulent email requesting money, apparently from an employee of an AR Practice. That AR used an email platform where information was stored in the Cloud with no anti-virus software and there was only one password which everyone used to access information

– In January 2017 an AR practice’s main reception computer was subject to ransomware delivered by email, making certain files inaccessible

– In May 2017 an AR practice’s server was hacked by brute force through a remote access port, resulting in files containing the personal information of some 220 clients being held for ransom and ultimately not recoverable

– Between December 2017 and April 2018 a malicious agent gained unauthorised access to an AR’s server for a period of several months, compromising the personal information of several thousand clients and instances of unauthorised use

– In May 2018 an unknown person gained unauthorised access to the email address of an AR and sent a fraudulent email to its bookkeeper requesting a bank transfer

– In August 2019 an unauthorised person used an AR practice’s employee’s email address to send phishing emails to over 150 clients

– In April 2020 an unauthorised person used the same email address to send further phishing emails to the AR’s contacts