ASIC v RI Advice Group Pty Ltd: Landmark Case Signals Hefty Consequences for Failing to Manage Cybersecurity Risks

A recent ground-breaking decision from the Federal Court is a wake-up call for all financial service organisations to mitigate cyber risk – or face regulatory consequences.  

For the first time ever in Australia, the Federal Court found that Australian Financial Services (AFS) licensee, RI Advice Group, breached its license obligations when it failed to have adequate risk management systems for cybersecurity risks. 

RI Advice provides financial services under a third-party business owner model whereby its authorised representatives provide financial services to retail clients. Since 15 May 2018, RI Advice has had between about 89 and 119 Authorised Representative Practices. (source: ASIC)

The Court’s findings 

Between 2014 and 2020, a significant number of cybersecurity incidents occurred at RI Advice Group’s authorised representatives. In one attack, a malicious agent forcefully accessed a representative’s file server and operated there before being detected. This could potentially have compromised sensitive personal information belonging to thousands of clients and other people.  

According to ASIC Deputy Chair, Sarah Court:  

“These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information. It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access. 

ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment.” 

Her Honour Justice Rofe echoed a similar sentiment: 

“Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.” 

Source: ASIC 

Court orders for RI Advice Group: 

  • Take steps to address cybersecurity risks across its network of authorised representatives

  • Engage a cybersecurity expert to identify and implement further risk measures, if necessary

  • Pay $750,000 towards the plaintiff’s (ASIC’s) costs of the proceedings

Her Honour hopes that the Court’s decision will reflect its disapproval of inadequate risk management and deter other companies from engaging in similar conduct. 

Extending to other industries

Cyber risk will continue to be an area of regulatory focus for ASIC.

Although this case concerned a financial organisation, a similar expectation is likely to spread across other industries and become the accepted standard. This judgement is anticipated to embolden ASIC to pursue regulatory enforcement action against companies with poor cybersecurity risk management in order to drive behavioural change. 

Cyber governance and resilience are key components of ASIC's 2021-25 Corporate Plan, and cyber risk is one of ASIC's highest priority issues. (source: Hall & Wilcox)

Let Certex help your business feel more secure

It is difficult for businesses to develop data and cyber controls entirely on their own, especially if they are just beginning to address these risks.  

Certex has proudly supported clients with data and privacy security for many years. As experienced professionals, we help organisations benefit from a risk-based approach when improving their systems. Certex’s iSuite of risk management programs includes iPrivacy and iCyber.   

Alicja Gibert