iscover
ReporterShare this article on:
Powered by
MOMENTUM
MEDIA
The Federal Court of Australia has determined that Australian financial services licensee RI Advice has breached its legal obligation to have adequate cyber security systems in place.
In an industry first, the court ruled that RI Advice experienced nine cyber-related incidents between 2014 and 2020 including the likes of ransomware, payment fraud, and business email compromise where RI Advice customers received fraud attempts from the company’s emails.
According to an iTNews report, Ahmed Khanji, founder and CEO of Gridware, outlined that the cyber attacks occurred at the practices of RI Advice’s third-party authorised representatives (ARs).
“It would appear that at least between June 2014 and May 2018, very little was done by the licensee to implement its own controls and force it’s ARs to adopt more secure practices,” Khanji said.
“Its AR practices clearly had no grasp of good information security practices. Some of the ARs mentioned that they used ‘cloud software’ and therefore did not require information security practices.”
It took six months before RI Advice appointed KPMG to conduct a forensic investigation in the matter.
Despite RI Advice commissioning two independent risk assessments and a cyber resilience initiative in 2019, the Federal Court ruled that the practices were too slow to implement.
According to Ajay Unni, CEO and founder of StickmanCyber, the ruling sets a new precedent for cyber security accountability for business leaders.
“Businesses need to learn from RI Advice and prioritise the enhancement of their cyber security posture by treating it as a business function, as opposed to a business issue that is relegated to the IT department.
“One of the incidents detailed by ASIC as part of their investigation was a brute force attack by a malicious actor that gave them access to the file server of an authorised representative, which went undetected between December 2017 to April 2018.”
According to ASIC, this incident resulted in the “potential compromise of confidential and sensitive personal information of several thousand clients and other persons”, Unni added.
The incidents could have been avoided, Unni further explained, should RI Advice have implemented multi-factor authentication and account lockouts.
“Implementing multi-factor authentication such as two-factor authentication, which needs another factor other than username and password to enable access, could have put a stop to the brute force attack that occurred.
“This attack could have also been prevented by implementing an account lockout after several unsuccessful login attempts,” Unni concluded.
RI Advice is required to pay ASIC over $750,000 in damages.
[Related: UK launches free email security tool to bolster organisations’ defences]
Be the first to hear the latest developments in the cyber industry.
