Financial services company RI Advice must pay $750,000 in costs to the Australian Securities and Investments Commission (ASIC) and have its hand held through a detailed security audit, after the Federal Court found its poor cyber security practices were in breach of the Corporations Act.
ASIC took RI Advice to court in August 2020 for failing to uphold a “reasonable standard” of cyber security, citing numerous security breaches at the practices of its representatives.
In her judgement, Federal Court Judge Helen Rofe said RI Advice had contravened laws that require financial services companies to have “adequate risk management systems” in place.
“It is not possible to reduce cyber security risk to zero, but it is possible to materially reduce cyber security risk through adequate cyber security documentation and controls to an acceptable level,” she said.
“RI Advice admits that prior to and as at 15 May 2018, it did not have documentation, controls and risk management systems that were adequate to manage risk in respect of cyber security across its [authorised representative] network.”
RI has been ordered to engage a cyber security firm to make sure its networks are up to scratch and provide a report to ASIC outlining what other measures it will undertake within a strict timeline.
Over a six-year period between 2014 and 2020, nine cyber security incidents occurred at practices of RI Advice’s authorised representatives.
A majority of the incidents saw hackers compromise the email accounts of these representatives.
Attackers used the compromised accounts to send clients requests for money transfers, which resulted in at least one transfer to the tune of $50,000.
There was also a pair of ransomware incidents; one through an email attachment, the other a brute-force attack on a remote access port.
In another incident, a bad actor lingered undetected on an RI Advice representative’s server for around four months, gathering information on thousands of clients.
Many of those clients subsequently reported identity theft and other compromise attempts.
Protect your networks
Inquiries into the incidents revealed that financial services practices operating under the RI Advice banner lacked the most basic cyber security measures, such as up-to-date antivirus software, email filtering and backups, and had horrible password management (including email credentials shared between staff).
ASIC Deputy Chair Sarah Court described the attacks as “significant events that allowed third parties to gain unauthorised access to sensitive personal information”.
“It is imperative for all entities, including licensees, to have adequate cyber security systems in place to protect against unauthorised access,” she added, urging all Australian organisations to follow the Australian Cyber Security Centre’s (ACSC) latest advice.
Until October 2018, RI Advice was a subsidiary of ANZ bank.
When it was bought by IOOF Holdings, now known as Insignia Financial, the new owners helped RI Advice address many of the cyber security problems with its network of financial advisors through a cyber resilience initiative across IOOF’s group of companies.
Ajay Unni, CEO and founder of StickmanCyber, said the Federal Court’s decision sets a new precedent of accountability for organisations that fail to adequately secure their networks.
“With a rise in complexity and frequency of cyber threats, it isn’t a question of if your business will fall prey to a cyberattack, it is more a question of when an attack will occur,” he said.
“Businesses need to learn from RI Advice and prioritise the enhancement of their cyber security posture by treating it as a business function, as opposed to a business issue that is relegated to the IT department.”
The ACSC’s latest advice is for organisations to adopt “an enhanced cyber security posture” in the context of Russia’s invasion of Ukraine.