ASIC secures Court order against RI Advice
The Australian Securities and Investments Commission (ASIC) has secured a Court order finding RI Advice failed to adequately manage cybersecurity risks.
The Federal Court has found Australian Financial Services licensee, RI Advice, breached its licence obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks.
The finding comes after a significant number of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020. In one of the incidents, an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons.
RI Advice has taken steps to address cybersecurity risk across its authorised representative network. In addition to the declaration of contravention, the Court ordered RI Advice to engage a cybersecurity expert to identify and implement what, if any, further measures are necessary to adequately manage cybersecurity risks across RI Advice’s authorised representative network.
Her Honour Justice Rofe stated that the declarations ordered in the matter should serve to record the Court’s disapproval of the conduct and should deter other Australian Financial Services licensees from engaging in similar conduct.
RI Advice has been ordered to pay $750,000 towards ASIC’s costs.
The orders were made by consent after ASIC and RI Advice agreed to resolve the proceedings.