IOOF advice arm hit with ASIC action over cyber lapses
IOOF-owned RI Advice Group has been hit with a lawsuit from the Australian Securities and Investments Commission (ASIC), which accuses it of failing to properly secure the business against cyber attacks.
ASIC announced the legal action last Friday, submitting a notice of filing to the Federal Court where it alleged the business did not follow up with the necessary actions after a number of breaches involving its authorised representatives (ARs) between 2016 and May 2018.
The regulator says the lapses in IT security amounted to a breach by RI Advice Group, which was owned by ANZ until IOOF took over the business on October 1 2018.
ASIC says that, as an Australian Financial Services Licence (AFSL) holder, RI Group is required to have proper risk compliance systems for potential cyber threats.
In one of the most serious incidents involving an AR, an unknown malicious agent obtained and retained unauthorised remote access to the file server of Frontier Financial Group (FFG).
The malicious agent spent more than 155 hours logged into the server, which contained sensitive client information including identification documents. FFG did not detect the breach until April 16 2018, more than three months after it had commenced.
“It is essential that an AFSL holder such as RI, which holds (including by its ARs) confidential and sensitive client information and documents, has in place adequate risk management systems, and resources (including technological and other resources), in respect of cybersecurity and cyber resilience,” the notice of filing says.
“The contraventions of the statutory provisions by reason of the matters referred to above have given rise to an unacceptable level of risk to RI, its ARs and their customers, of cybersecurity incidents and consequential effects.”