Federal Court puts cyber security onus on financial services firms

The Federal Court has set a precedent with far-reaching consequences for the financial services industry, by holding an Australian financial services licensee legally responsible for its cyber security.

Deciding an action brought by the Australian Securities and Investments Commission, the court has agreed that RI Advice’s lack of cyber security risk management was a breach of its license obligations.

This was the first such case brought by ASIC against a licensee.

The court has ordered RI Advice to undertake security training within a month, by an organisation agreed between it and ASIC; implement the security measures that organisation recommends; and pay $750,000 towards ASIC’s costs.

The orders were made by consent after ASIC and RI Advice agreed to resolve the proceedings.

The commission first filed against the company in 2020, in response to security failings that resulted in repeated hacks.

One attack gave the attacker access to a file server from December 2017 to April 2018, resulting in the potential compromise of the data of thousands of clients.

Announcing the win, ASIC said similar incidents had occurred at RI Advice’s authorised representatives over nearly six years, from June 2014 to May 2020.

A forensic analysis by KPMG also found attackers setting up VPNs, peer-to-peer file sharing, and crypto-miners, along with a variety of hacking tools.

In her judgment, Federal Court Justice Helen Rofe stated: “Cyber security risk forms a significant risk connected with the conduct of the business and provision of financial services.

"It is not possible to reduce cyber security risk to zero, but it is possible to materially reduce cyber security risk through adequate cyber security documentation and controls to an acceptable level."

ASIC deputy chair Sarah Court added: “These cyber attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information.

"It is imperative for all entities, including licensees, to have adequate cyber security systems in place to protect against unauthorised access.

“ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber threat environment."