ASIC v RI Advice ruling sets new precedent for cybersecurity accountability

In an industry first, the Federal Court of Australia has determined that Australian financial services licensee RI Advice has breached its legal obligation to have adequate cybersecurity systems in place.

RI Advice experienced nine cyber-related incidents between 2014 and 2020 including the likes of ransomware, payment fraud, and business email compromise where RI Advice customers received fraud attempts from the company’s emails.

According to Ahmed Khanji, founder and CEO of Gridware, the cyber attacks occurred at the practices of RI Advice’s third-party Authorised Representatives (AR).

“It would appear that at least between June 2014 and May 2018, very little was done by the licensee to implement its own controls and force it’s ARs to adopt more secure practices,” said Khanji.

“Its AR practices clearly had no grasp of good information security practices. Some of the AR’s mentioned that they used ‘Cloud software’ and therefore did not require information security practices.”

It took six months before RI advice appointed KPMG to conduct a forensic investigation in the matter.

Despite RI Advice commissioning two independent risk assessments and a cyber resilience initiative in 2019, the Federal Court ruled that the practices were too slow to implement.

According to Ajay Unni, CEO and founder of StickmanCyber, the ruling sets a new precedent for cybersecurity accountability for business leaders.

"Businesses need to learn from RI Advice and prioritise the enhancement of their cybersecurity posture by treating it as a business function, as opposed to a business issue that is relegated to the IT department,” said Unni.

The incidents could have been avoided should RI Advice have implemented multi-factor authentication and account lockouts he said.

“One of the incidents detailed by ASIC as part of their investigation was a brute force attack by a malicious actor that gave them access to the file server of an authorised representative, which went undetected between December 2017 to April 2018. According to ASIC, this incident resulted in the ‘potential compromise of confidential and sensitive personal information of several thousand clients and other persons’,” said Unni.

"Implementing multi-factor authentication such as two-factor authentication, which needs another factor other than username and password to enable access, could have put a stop to the brute force attack that occurred.

“This attack could have also been prevented by implementing an account lockout after several unsuccessful login attempts.”

RI Advice is required to pay ASIC over $750,000 in damages.