Newspaper icon
The latest issue of Financial Standard now available as an e-newspaper

Federal Court rules against RI Advice in cybersecurity case

The Federal Court has found RI Advice breached its obligations as a licensee by failing to have adequate systems in place to manage cybersecurity risks, leading to several incidents that put client information at risk.

In what ASIC says is an Australian first, RI Advice was found to have breached its obligations to act efficiently and fairly when it failed to have appropriate systems in place.

This resulted in "a significant number of cyber incidents" occurring at authorised representatives between 2014 and 2020. During this period RI Advice was a subsidiary of ANZ before being acquired by IOOF in October 2017.

In one such incident, an unknown malicious agent was able to access an authorised representative's server for more than four months before being detected. This resulted in the potential compromise of thousands of clients' confidential and personal information, ASIC said.

RI Advice has since taken steps to address the risks across its network and will engage a cybersecurity expert to determine if any further measures are necessary.

Justice Rofe said cybersecurity should be front of mind for all licensees, adding: "Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services."

"It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level."

RI Advice has been ordered to pay $750,000 towards ASIC's costs.

"These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information. It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access," ASIC deputy chair Sarah Court said.

"ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment."

Read more: RI AdviceASICFederal CourtANZIOOFSarah Court