Cybersecurity Risk Crystallised by Crucial Legal Ruling
(13 May 2022 – Australia) A new precedent has been set following the Australian Federal Court’s significant decision on financial services’ cyber-security obligations.
The Federal Court found that Australian Financial Services (AFS) licensee RI Advice breached its licence obligations, with the judge ruling that the group did not act efficiently and fairly when it failed to have adequate risk management systems to manage its cyber-security risks.
According to the Australian Securities & Investments Commission (ASIC), a significant number of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020. This included an incident where “an unknown malicious agent” used a brute force attack to obtain unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected.
This resulted in the potential compromise of confidential and sensitive personal information of thousands of clients and other persons. In addition to the licence breach, RI Advice has also been ordered to pay A$750,000 towards ASIC’s costs.
“Cyber security should be front of mind for all licensees. Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level,” stated Her Honour Justice Rofe in handing down her judgement.
“These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information. It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access. ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment,” commented ASIC Deputy Chair Sarah Court.