The Federal Court has ordered RI Advice to engage Security In Depth or another MSSP and pay $750,000 following multiple failures to prevent cyber incidents that the court said breached its obligations as a financial services licensee.
The landmark case is the first time a financial institution has been penalised for failure to comply with obligations relating to security management, which was a reform introduced on 13 March 2019 following the Financial Services Royal Commission.
The Australian Securities and Investments Commission (ASIC) first took RI Advice to court in 2020 for failing to secure its systems despite being alerted to two security incidents involving its authorised representatives in December 2016 and May 2017.
In one case a computer was infected with ransomware that encrypted the files on it. In another, a remote access hack of a network resulted in a data breach that affected 226 client groups.
RI Advice did not review its security controls or monitoring systems, and in December 2017 a hacker broke into a file server at the Frontier Financial Group (FFG), another of RI Advice’s authorised representatives.
During this time RI Advice was a wholly-owned subsidiary of ANZ bank but was acquired by financial services company Insignia Financial (formerly IOOF Holdings Limited) in October 2018.
In July 2018 ANZ engaged KPMG to conduct a post-mortem of the hack, which found crypto-mining malware on one of FFG’s file servers and that a hacker had tried 2,178 usernames from ten different countries, resulting in 27,814 unsuccessful login attempts that went undetected.
Security In Depth was engaged in September 2018 and provided a report synopsis of RI Advice's ‘Authorised Representatives Practices’ that, according to the Federal Court’s judgement “identified significant issues with managing and protecting client personal information.”
“These included, for example, poor password management, limited or poor use of multi-factor authentication, and limited or non-existent monitoring tools and services to detect if a malicious individual has gained access or still has access to internal systems, and no processes for managing a potential cybersecurity incident.”
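As an added illustration of the monitoring gap described in the KPMG and Security In Depth findings above (this code is not from the article, the court, or either firm), the following Python check aggregates failed logins per source and flags sources that spread many failures across many usernames, the pattern behind the undetected 27,814 attempts. The log format and the sample lines are constructed for the example.

```python
# Added example: flag credential-guessing activity in authentication logs.
# Log format is an assumption: "<timestamp> <source_ip> <country> <user> <SUCCESS|FAILURE>"
from collections import defaultdict
import re

# Constructed sample lines (not real log data): three sources spraying
# usernames from abroad, plus one local user who mistypes once and then logs in.
SAMPLE_LOG = """\
2017-12-01T02:00:01Z 203.0.113.7 NL admin FAILURE
2017-12-01T02:00:02Z 203.0.113.7 NL administrator FAILURE
2017-12-01T02:00:03Z 203.0.113.7 NL backup FAILURE
2017-12-01T02:00:04Z 198.51.100.9 BR admin FAILURE
2017-12-01T02:00:05Z 198.51.100.9 BR root FAILURE
2017-12-01T02:00:06Z 198.51.100.9 BR test FAILURE
2017-12-01T02:00:07Z 192.0.2.44 RU guest FAILURE
2017-12-01T02:00:08Z 192.0.2.44 RU admin FAILURE
2017-12-01T09:15:00Z 10.0.0.12 AU jsmith FAILURE
2017-12-01T09:15:10Z 10.0.0.12 AU jsmith SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S{2}) (\S+) (SUCCESS|FAILURE)$")

def parse(log_text):
    """Yield (timestamp, ip, country, user, ok) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, country, user, result = m.groups()
            yield ts, ip, country, user, result == "SUCCESS"

def failure_summary(log_text, min_failures=3, min_users=2):
    """Aggregate failed logins per source IP. A source is flagged only when it
    has at least min_failures failures spread over at least min_users distinct
    usernames, so a single user's typo does not trip the rule."""
    per_ip = defaultdict(lambda: {"failures": 0, "users": set()})
    all_users, countries, total = set(), set(), 0
    for _ts, ip, country, user, ok in parse(log_text):
        if ok:
            continue
        total += 1
        all_users.add(user)
        countries.add(country)
        per_ip[ip]["failures"] += 1
        per_ip[ip]["users"].add(user)
    flagged = sorted(ip for ip, r in per_ip.items()
                     if r["failures"] >= min_failures and len(r["users"]) >= min_users)
    return {"failed_attempts": total, "distinct_usernames": len(all_users),
            "countries": len(countries), "flagged_sources": flagged}

if __name__ == "__main__":
    print(failure_summary(SAMPLE_LOG))
```

The overall counters (failed attempts, distinct usernames, countries) are the same figures the KPMG review had to reconstruct after the fact; a scheduled run of this kind of aggregation would have surfaced them while the guessing was still in progress.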
Federal Court justice Helen Rofe ruled that RI Advice must undertake security training and implement all recommendations made by Security In Depth “(or such other cybersecurity expert as agreed between ASIC and RI Advice)” within a month and pay ASIC the $750,000 costs of court proceedings.
Rofe said in her judgement that “cyber security risk forms a significant risk connected with the conduct of the business and provision of financial services.
“It is not possible to reduce cyber security risk to zero, but it is possible to materially reduce cyber security risk through adequate cyber security documentation and controls to an acceptable level.”
ASIC deputy chair Sarah Court said “these cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information.
“It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.”
CRN has contacted Security In Depth for comment but had not heard back by the time of publication.