Precedent set for financial firms to take responsibility for own cybersecurity

Lack of cyber security risk management a breach of its licence obligations
11 May 2022

The Federal Court has set a precedent with far-reaching consequences for the financial services industry by holding Australian financial services licensee RI Advice legally responsible for its cyber security, including a potential risk to its licence.

Deciding an action brought by the Australian Securities and Investments Commission, the court agreed that RI Advice’s lack of cyber security risk management was a breach of its licence obligations.

ASIC first filed against the company in 2020, in response to security failings that resulted in repeated hacks.

One attack gave the attacker access to a file server, resulting in the potential compromise of the data of thousands of clients.

A forensic analysis by KPMG also found attackers setting up VPNs, peer-to-peer file sharing, and crypto-miners, along with a variety of hacking tools.

The court has ordered RI Advice to undertake security training within a month, implement recommended security measures and pay $750,000 towards ASIC’s costs.

Announcing the win, ASIC said similar incidents had occurred at RI Advice’s authorised representatives from 2014 to 2020.

In her judgment, Federal Court Justice Helen Rofe stated that although it is impossible to reduce cyber security risk to zero, it is possible to materially reduce cyber security risk through adequate cyber security documentation and controls.

ASIC deputy chair Sarah Court said the commission strongly encourages all entities to follow the advice of the Australian Cyber Security Centre, and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber threat environment.

- CyberBeat
