Businesses have been warned to step up their cybersecurity after a financial services provider was found to have failed to address cyber threats and to have had inadequate cyber resilience risk management controls.
Court finds RI Advice Group contravened cybersecurity requirements
In Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, the Federal Court ruled that RI Advice Group had contravened cybersecurity requirements under the Corporations Act 2001. The company was required to pay $750,000 in legal costs to the financial regulator, the Australian Securities & Investments Commission (ASIC).
The company must also take steps to ensure that it has adequate cybersecurity measures in place, as required by its licence obligation to provide financial services efficiently, honestly and fairly.
The Federal Court found the company had breached its licence obligations by failing to have an adequate risk management system to address cybersecurity risks.
Companies have cybersecurity obligations under law
The judgement was an Australian first and demonstrates that businesses need to be aware of their cybersecurity obligations under the law.
ASIC is watching for businesses that have not implemented adequate cyber risk management processes. Under section 912A(1)(a) of the Corporations Act, financial services licensees are obliged to do all things necessary to ensure that the financial services covered by their licence are provided “efficiently, honestly and fairly”.
Businesses should be aware that they can’t simply install a security product and consider the job done. The law doesn’t prescribe which specific controls must be used to manage cyber risk, but it does require companies to keep their cyber risk management current as the technology and the threats it must address continue to evolve.
Regulators taking action against companies which neglect cybersecurity obligations
This judgement demonstrates that ASIC and other regulators are prepared to take action against businesses which are not actively keeping abreast of cybersecurity expectations. (Please see What a Federal Court ruling on cybersecurity means for AFS licensees, ASIC, 12 May 2022.)
The judgement said RI Advice, a subsidiary of ANZ Bank, was targeted several times in cyberattacks between June 2014 and May 2020. The hackers were able to send fraudulent emails to the firm’s clients, tricking one client into transferring $50,000.
On another occasion hackers managed to obtain the personal information of 220 clients. The personal details of several thousand clients were obtained in another hack, which resulted in financial losses.
Increase in cyberattacks aimed at industry
ASIC deputy chair Sarah Court said the cyberattacks were significant events that allowed outsiders to gain unauthorised access to sensitive private information held by the company.
“It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access,” she said.
“ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment.”
Cybersecurity experts report a dramatic increase in ransomware attacks, as well as malware aimed at industry. Experts warn that even modern “smart” farm machinery can be at risk from malicious hackers.
Government advice on cyber resilience
ASIC provides guidance on its website and links to cybersecurity resources for both individuals and organisations. (Please see Cyber resilience.)
In addition, the Australian Cyber Security Centre has a website which publishes alerts on vulnerabilities and cyber incidents, along with information for individuals, companies and the government on ways to reduce the threat of cyberattacks.
For more information please see Companies warned of need for market disclosure following cyber attack.