Australian regulator sues RI Advice for cyber security lapses

The Australian Securities and Investments Commission is suing RI Advice for cyber security breaches at the financial firm’s authorised representatives

The Australian Securities and Investments Commission (ASIC) is suing financial services firm RI Advice for alleged failure to have adequate cyber security systems.

The regulator said the action followed several alleged cyber breach incidents at certain authorised representatives (ARs) of RI, including an alleged cyber breach incident at Frontier Financial Group as trustee for The Frontier Trust from December 2017 to May 2018.

In a notice of filing, the ASIC said on about 3 January or 3 March 2017, RI became aware of a cyber security incident involving its then AR, Anthony Hilsley, who was a financial adviser and principal and director of Superannuation Advisory Service trading as Wise Financial Planning.

RI was informed that, in about late December 2016, Wise Financial Planning’s main reception computer was hacked by ransomware, which encrypted files and made them inaccessible.

On 30 May 2017, RI also learned that its Circular Quay local network had been hacked through a remote access port, affecting about 226 client groups.

After becoming aware of each of these cyber security incidents, RI should have, but failed to, properly review the effectiveness of the security controls relevant to those incidents across its AR network, including account lockout policies, password complexity and multi-factor authentication, among others, ASIC said.

It also failed to ensure that, where necessary, those controls were remediated across its AR network in a timely manner, in order to adequately manage its cyber security and cyber resilience risk, the ASIC noted.

From about 30 December 2017 until about 15 April 2018, an unknown malicious agent also obtained and retained unauthorised remote access to the file server of Frontier Financial Group through an employee’s account.

The malicious agent spent more than 155 hours logged into the server, which contained sensitive client information including identification documents. The breach was undetected until 16 April 2018, more than three months later. Investigations later revealed that 8,104 individuals were potentially exposed to the breach.

Following the Frontier breach, forensic analyses by third-party experts identified significant cyber security gaps, including not having up-to-date antivirus software, no filtering or quarantining of emails and storing security details in text files on the server.

Commenting on the legal action by the ASIC, Julian Challingsworth, co-CEO of Pure Security, Australia’s largest ASX-listed cyber security company, said it was a ground-breaking development.

“A regulator taking action of this nature is a first and sends a strong message about enforcement to Australian business. No longer can cyber security be regarded just as an IT and compliance issue; it has now become a reputation and brand issue.”

“This action has elevated cyber security to requiring the full attention of the CEO, board and CFO [chief financial officer]. This may also be the precursor to the Australian government introducing directors’ liabilities for cyber security,” he said.