New precedent for cybersecurity after legal judgement of RI Advice
The Federal Court has set a new precedent after finding that Australian Financial Services licensee, RI Advice, breached its license obligations when it failed to adequately manage its cybersecurity risks.
It's the first time a company has been found guilty of doing so, and RI Advice has been ordered to pay $750,000 to the Australian Securities and Investments Commission (ASIC).
The finding comes after a significant number of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020.
In one of the incidents, an unknown malicious agent obtained unauthorised access to an authorised representative's file server from December 2017 to April 2018 before being detected through a brute force attack.
This resulted in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons.
ASIC Deputy Chair Sarah Court says those cyberattacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information.
"It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access," she says.
'ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment."
When handing down judgement, Justice Rofe made clear that cybersecurity should be front of mind for all licensees.
"Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services," she said.
"It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level."
Justice Rofe further stated that the declarations ordered in the matter should serve to record the Federal Court's disapproval of the conduct and deter other Australian Financial Services licensees from engaging in similar conduct.
StickmanCyber CEO and founder Ajay Unni says businesses now know they can be held accountable by the government for negligence when it comes to cybersecurity.
"Businesses need to learn from RI Advice and prioritise the enhancement of their cybersecurity posture by treating it as a business function, as opposed to a business issue that is relegated to the IT department," he says.
As a member of the 2020 NSW government's Cyber Security Task Force, Unni says with a rise in complexity and frequency of cyber threats, it isn't a question of if your business will fall prey to a cyberattack. It is more a question of when an attack will occur.
"The Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies,to prevent cybersecurity incidents and help organisations protect themselves against various cyber threats," he says.
"The most effective of these mitigation strategies is the Essential Eight. I recommend that businesses implement these strategies at the bare minimum to make it harder for adversaries to compromise their systems."
RI Advice has since taken steps to address cybersecurity risk across its authorised representative network. In addition to the declaration of contravention, the Federal Court ordered RI Advice to engage a cybersecurity expert to identify and implement what, if any, further measures are necessary to adequately manage cybersecurity risks across RI Advice's authorised representative network.