iscover
ReporterShare this article on:
The Federal Court has set a precedent by holding an Australian financial services licensee legally responsible for its cyber security.
According to iTNews, the Federal Court decided on an action brought by the Australian Securities and Investments Commission, the court has agreed that RI Advice’s lack of cyber security risk management was a breach of its license obligations.
This was the first such case brought by the ASIC against a licensee.
The court has ordered RI Advice to undertake security training within a month, by an organisation agreed between it and ASIC; implement the security measures that the organisation recommends; and pay $750,000 towards ASIC’s costs.
The orders were made by consent after ASIC and RI Advice agreed to resolve the proceedings.
The commission first filed against the company in 2020, in response to security failings that resulted in repeated hacks.
One attack gave the attacker access to a file server from December 2017 to April 2018, resulting in the potential compromise of the data of thousands of clients.
Announcing the win, ASIC said similar incidents had occurred at RI Advice’s authorised representatives over nearly six years, from June 2014 to May 2020.
A forensic analysis by KPMG also found attackers setting up VPNs, peer-to-peer file sharing, and cryptominers, along with a variety of hacking tools.
In her judgment, Federal Court Justice Helen Rofe stated that the onus of reducing cyber security risk and management falls on financial services firms.
“Cyber security risk forms a significant risk connected with the conduct of the business and provision of financial services.
“It is not possible to reduce cyber security risk to zero, but it is possible to materially reduce cyber security risk through adequate cyber security documentation and controls to an acceptable level,” Justice Rofe said.
ASIC deputy chair Sarah Court added that all business entities should be actively defending and protecting data.
“These cyber attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information.
“It is imperative for all entities, including licensees, to have adequate cyber security systems in place to protect against unauthorised access.
“ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cyber security position to improve cyber resilience in light of the heightened cyber threat environment,” Court concluded.
[Related: Transport for NSW online AIS app hacked]
Be the first to hear the latest developments in the cyber industry.
