Federal Court finds RI Advice failed to manage cybersecurity risks in landmark decision

In an Australian first, the Federal Court has found that financial services firm RI Advice breached its licence obligations by failing to implement adequate risk management systems to manage cybersecurity threats.

This was the first case brought by the Australian Securities and Investments Commission (ASIC) against any licensee and, subsequently, sets a new legal standard for how financial service providers should seek to execute cybersecurity management plans. The company has been ordered by the court to pay AU$750,000 toward ASIC’s costs, and to engage a cybersecurity expert within the next month to advise and assist RI Advice’s authorised representative network.

The decision comes after a significant number of cyber incidents affected authorised representatives of RI Advice between June 2014 and May 2020, leading ASIC to file against the company for breach of its licence obligations.

In a statement, ASIC detailed that one of the incidents involved an unknown malicious agent who obtained access to an authorised representative’s file server, through a brute force attack, from December 2017 to April 2018 before being detected. ASIC claimed that this resulted in the “potential compromise of confidential and sensitive personal information of several thousand clients and other persons”.

In her judgment, federal court justice Helen Rofe said that cybersecurity risks pose a significant threat to the conduct of a business and its provision of financial services.

“It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level,” said justice Rofe.

ASIC deputy chair Sarah Court said the cyber attacks allowed third parties to gain access to sensitive personal information.

“It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.

“ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber threat environment,” Court said.

Prior to October 2018, RI was a wholly-owned subsidiary of ANZ Bank. It then became a wholly-owned subsidiary of IOOF Holdings Limited as one of four financial planning dealer groups sold by ANZ under a AU$975 million deal.  

Related Coverage