

ASIC’s action against RI Advice Group might be Australia’s first cyber security case.
On 21 August 2020, ASIC announced it had commenced proceedings in the Federal Court of Australia against RI Advice Group Pty Ltd (RI)[1], an Australian Financial Services (AFS) licence holder focused on retirement advice, for failing to have adequate cyber security systems. ASIC’s action follows a number of alleged cyber breach incidents at certain authorised representatives (ARs) of RI, including an alleged cyber breach incident at Frontier Financial Group Pty from December 2017 to May 2018.
ASIC alleges that Frontier was subject to a “brute force” attack whereby a malicious user successfully gained remote access to Frontier’s server and spent more than 155 hours logged into the server. The hackers were able to access sensitive client information including identification documents.
ASIC alleges the breaches were a result of RI’s failure to implement the policies, systems and resources which were reasonably appropriate to manage risk in respect of cybersecurity and cyber resilience.
IOOF, the current owner of RI and Frontier, contests the action, suggesting that no client data was compromised via the breaches. In a statement to the ASX, IOOF said that: “The allegations by ASIC are very general but appear to relate to a small number of cyber-attacks of a nature not uncommonly faced by Australian businesses, on a small number of authorised representatives of RI Advice, and in most instances, no client data would appear to have been compromised. Some of ASIC’s complaints relate back to events from 2016.”[2]
In its action, ASIC is seeking:
A report from ASIC in December found that while awareness and management of cybersecurity risk were improving in Australia’s financial market, there was still room for improvement across the entire sector. “Organisations are alert to cybersecurity threats to their business and have focused their resources and efforts on improving their cybersecurity governance, risk management, and response and recovery capabilities,” the watchdog wrote.
The matter is listed for a further case management hearing on 14 May 2021 and has been tentatively listed for trial commencing 29 November 2021. (You can read our update on this case here)
It will be watched with interest by cyber security professionals, as it could set a new standard for enforcement action in response to cyber security failures.
Further references:
Background
ASIC’s regulatory resources include further information about cyber security and cyber resilience:
[1] RI was, until 1 October 2018, a wholly owned subsidiary of Australia and New Zealand Banking Group Limited. On 1 October 2018, RI became a wholly owned subsidiary of IOOF Holdings Limited (IOOF).
[2] ASIC commences proceedings against RI Advice | Money Management