AU Court Finds Licensee Failed to Manage Cybersecurity Risks


In an Australian first, the Federal Court has found Australian Financial Services licensee, RI Advice, breached its license obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks.

A statement from ASIC says the finding comes after a significant number of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020.

It says that in one of the incidents, “…an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons.”

ASIC Deputy Chair Sarah Court says these cyber-attacks “…were significant events that allowed third parties to gain unauthorised access to sensitive personal information. It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.”

Court says ASIC “strongly” encourages all entities to follow the advice of the Australian Cyber Security Centre “…and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment.”

ASIC says that RI Advice has taken steps to address cybersecurity risk across its authorised representative network. In addition to the declaration of contravention, the Court ordered RI Advice to engage a cybersecurity expert to identify and implement what, if any, further measures are necessary to adequately manage cybersecurity risks across RI Advice’s authorised representative network.

…cybersecurity should be front of mind for all licensees…

ASIC says that when handing down judgment, Her Honour Justice Rofe made clear that cybersecurity should be front of mind for all licensees, stating: “Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”

Justice Rofe also stated that the declarations ordered in the matter should serve to record the Court’s disapproval of the conduct and should deter other Australian Financial Services licensees from engaging in similar conduct.

RI Advice has been ordered to pay $750,000 towards ASIC’s costs. The orders were made by consent after ASIC and RI Advice agreed to resolve the proceedings.

As background ASIC says that since 13 March 2019, reforms introduced as a result of the Financial Services Royal Commission mean that a failure to comply with certain AFS licensing obligations, “…including obligations relating to how cyber risks are addressed, may give rise to a civil penalty. The majority of the cyber incidents in this case occurred before the reforms were introduced.”

It says that RI Advice provides financial services under a third-party business owner model whereby its authorised representatives provide financial services to retail clients. Since 15 May 2018, RI Advice has had between about 89 and 119 Authorised Representative Practices.

Until 1 October 2018, RI Advice was a wholly owned subsidiary of Australia and New Zealand Banking Group. On 1 October 2018, RI became a wholly owned subsidiary of IOOF Holdings, now known as Insignia Financial.

The regulator states that its resources include further information about cybersecurity and cyber resilience including: