The Australian Securities and Investments Commission (ASIC) announced today legal proceedings have commenced against RI Advice Group over its failure to take proper action to protect against cyber attacks.

In a notice of filing to the Federal Court, ASIC alleges a number of authorised representatives (ARs) with the IOOF-owned subsidiary had their IT systems compromised between 2016 and May 2018. Before October 1 2018, the advice group was an ANZ subsidiary. 

The corporate regulator says the lapses in IT security amounted to a breach by RI Advice Group, which as an Australian Financial Services Licence (AFSL) holder must have proper risk compliance systems in place in respect of cybersecurity and resilience.

It says RI Advice Group failed to follow up with adequate measures when it was made aware either on January 3 or March 3 in 2017 that Wise Financial Trading, which is run by AR Anthony Hilsley, had suffered a ransomware attack in late December 2016.

In one of the most serious incidents involving another AR, an unknown malicious agent obtained and retained unauthorised remote access to the file server of Frontier Financial Group (FFG).

The malicious agent spent more than 155 hours logged into the server, which contained sensitive client information including identification documents. FFG did not detect the breach until April 16 2018, more than three months after it had commenced.

“It is essential that an AFSL holder such as RI, which holds (including by its ARs) confidential and sensitive client information and documents, has in place adequate risk management systems, and resources (including technological and other resources), in respect of cybersecurity and cyber resilience,” the notice of filing said.

“The contraventions of the statutory provisions by reason of the matters referred to above have given rise to an unacceptable level of risk to RI, its ARs and their customers, of cybersecurity incidents and consequential effects.”

ASIC is seeking, among other things, declarations of contraventions of the Corporations Act and pecuniary penalty orders of at least 50,000 units as provided for under the Act.

A pecuniary penalty order of 50,000 units or above is about $11 million plus, an insurance lawyer told insuranceNEWS.com.au.

He says the court action taken by ASIC sends “a clear signal” to insurers and financial services providers the corporate regulator takes cyber security lapses very seriously.