ASIC commences action against RI Advice Group Pty Ltd for failing to have adequate cyber security
August 22, 2020
Today the Australian Securities and Investments Commission (“ASIC”) commenced proceedings against RI Advice Group Pty Ltd (“RI”). It has been filed in the Federal Court Victorian Registry.
RI holds an Australian Financial services licence and at all relevant times was a wholly owned subsidiary of the Australia and New Zealand Banking Group Limited (the ANZ).
According to the Concise Statement:
- on 3 January or 3 March 2017 RI became aware of a ransomware attack on the computer systems of one of RI’s authorised representatives in 2016 which made files inaccessible [5];
- on 30 May 2017 RI became aware another authorised representative’s files were hacked which affected 226 client groups [6].
ASIC alleges that in relation to each of those incidents RI should have but failed to:
(a) properly review the effectiveness of cybersecurity controls relevant to these incidents across its AR network, including account lockout policies for failed log-ins, password complexity, multi-factor authentication, port security, log monitoring of cybersecurity events, cyber training and awareness, email filtering, application whitelisting, privilege management and incident response controls; and
(b) ensure that those controls were remediated across its AR network where necessary in a timely manner, in order to adequately manage risk with respect to cybersecurity and cyber resilience.
- between 30 December 2017 and 15 April 2018 an unknown malicious agent obtained and retained remote access to an authorised representative’s file server and spent 155 hours accessing sensitive client information. That resulted in 27 clients reporting unauthorised use of their personal information, including 3 attempts to redirect mail and multiple bank accounts being opened without consent. There was a notification to the Australian Information Commissioner. An investigation revealed that 8,104 individuals were exposed to the breach.
ASIC alleges that the risk management systems and resourcing relating to cybersecurity and cyber resilience were inadequate, with:
- minimal and inadequate documentation for the management of cybersecurity and cyber resilience;
- no documentation of the roles and responsibilities as to the management of cybersecurity risk and cyber resilience;
- cybersecurity documents that were not tailored to the requirements of RI and its authorised representatives;
- no adoption and implementation of adequate and tailored cybersecurity documentation and controls in governance and business environment, risk assessment and risk management, asset management, supply chain risk management, access management, personnel security training and awareness, data security, secure system development life cycle and change management, baseline operational security, security continuous monitoring, vulnerability management, incident response and communication, and continuity and recovery planning.
- on 29 May 2018 RI became aware of unauthorised access affecting one of its authorised representatives involving an attempt to transfer funds to Turkey.
ASIC alleges that RI took inadequate steps to deal with the cyber incidents, in particular that:
- it should have, in consultation with internal or external cybersecurity experts, promptly adopted a cybersecurity framework to guide all of its cyber-related activities and undertaken a risk assessment across its entire network;
- it should have sought technical security assurance across a number of its authorised representatives as a technical measure of the cybersecurity risks that exist in their organisations;
- it should have implemented reasonably sufficient and appropriate steps to adequately manage risk in respect of cybersecurity and cyber resilience.
- on 23 August 2019 RI became aware of a cyber incident with an authorised representative involving the compromising of a mailbox account.
ASIC alleges that RI failed to:
(a) properly review the effectiveness of cybersecurity controls relevant to this incident across its AR network, including cyber training and awareness, multi-factor authentication including of email accounts, incident response and email filtering controls; and
(b) ensure that those controls were remediated across its AR network where necessary in a timely manner, in order to adequately manage risk with respect to cybersecurity and cyber resilience. Accordingly, the steps taken by RI in relation to cybersecurity as a consequence of the Empowered incident were inadequate.
- On 15 April 2020 RI became aware of a cybersecurity incident which involved an authorised representative’s use of an email account, as a consequence of a phishing attack, which resulted in access to thousands of email addresses and contact details as well as ten thousand emails.
ASIC alleges that as at 1 May 2020 the RI cybersecurity and cyber resilience systems remained inadequate because:
- steps taken by RI in relation to cybersecurity in the period from 1 November 2019 to 1 May 2020 were neither initiated nor completed in a sufficiently timely manner, and were not sufficiently broad;
- RI’s risk management systems and resources with respect to cybersecurity and cyber resilience remained inadequate;
- RI had obtained up-to-date cyber resilience assessments for only 3 of RI’s authorised representatives’ practices;
- only 34 RI practices had attested to the implementation of all elements within RI’s recently revised Cyber Security Support Guide;
- RI did not expect to have implemented its strategy for the management of cybersecurity risk and resilience until the end of 2020;
- RI had still not adopted and implemented adequate and tailored cybersecurity documentation and controls;
- much of RI’s cybersecurity documentation remained IOOF-developed documents which suffered from deficiencies.
ASIC is seeking declaratory relief and pecuniary penalties as a consequence of a breach of sections 912A(1)(a),(b),(c), (d) and (h) of the Corporations Act 2001 which relevantly provides:
(1) A financial services licensee must:
(a) do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly; and
(b) comply with the conditions on the licence; and
(c) comply with the financial services laws; and
(d) subject to subsection (4) – have available adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence and to carry out supervisory arrangements; and
(h) subject to subsection (5) – have adequate risk management systems; and
The press release provides:
ASIC has today commenced proceedings in the Federal Court of Australia against RI Advice Group Pty Ltd (RI), an Australian Financial Services (AFS) licence holder, for failing to have adequate cyber security systems.
ASIC’s action follows a number of alleged cyber breach incidents at certain authorised representatives (ARs) of RI, including an alleged cyber breach incident at Frontier Financial Group Pty Ltd as trustee for The Frontier Trust (Frontier) from December 2017 to May 2018.
RI was, until 1 October 2018, a wholly owned subsidiary of Australia and New Zealand Banking Group Limited. On 1 October 2018, RI became a wholly owned subsidiary of IOOF Holdings Limited (IOOF).
ASIC alleges that Frontier was subject to a “brute force” attack whereby a malicious user successfully gained remote access to Frontier’s server and spent more than 155 hours logged into the server, which contained sensitive client information including identification documents.
ASIC alleges that RI failed to have implemented (including by its ARs) adequate policies, systems and resources which were reasonably appropriate to manage risk in respect of cybersecurity and cyber resilience.
ASIC is seeking:
- declarations that RI contravened provisions of the Corporations Act, specifically sections 912A(1)(a), (b), (c), (d) and (h) and (5A);
- orders that RI pay a civil penalty in an appropriate amount to be determined by the Court; and
- compliance orders that RI implements systems that are reasonably appropriate to adequately manage risk in respect of cybersecurity and cyber resilience and provide a report from a suitably qualified independent expert confirming that such systems have been implemented.
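The controls ASIC lists in the Concise Statement (account lockout policies for failed log-ins, log monitoring of cybersecurity events) and the press release's description of a "brute force" attack that turned into a 155-hour session on Frontier's server point at the same question for a defender: does the authentication log show the failure burst and the success that followed it, and would a lockout policy have stopped it? As an added example, not part of this post, the Concise Statement or any RI or ANZ system, the Python below parses a small constructed authentication log, raises an alert when one source address exceeds a failure threshold inside a time window and then authenticates successfully, and replays the same log against a hypothetical account lockout policy to show that the eventual correct guess would have been refused. The log format, thresholds, account names and addresses are all assumptions.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample authentication log (assumed format, not from the proceeding):
# one line per login attempt with timestamp, account, source address and outcome.
SAMPLE_LOG = """\
2017-12-30T09:15:02 user=jsmith src=192.0.2.40 result=FAIL
2017-12-30T09:15:30 user=jsmith src=192.0.2.40 result=SUCCESS
2017-12-30T22:01:05 user=admin src=203.0.113.7 result=FAIL
2017-12-30T22:01:09 user=admin src=203.0.113.7 result=FAIL
2017-12-30T22:01:14 user=admin src=203.0.113.7 result=FAIL
2017-12-30T22:01:20 user=admin src=203.0.113.7 result=FAIL
2017-12-30T22:01:27 user=admin src=203.0.113.7 result=FAIL
2017-12-30T22:01:33 user=admin src=203.0.113.7 result=FAIL
2017-12-30T22:01:40 user=admin src=203.0.113.7 result=SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(FAIL|SUCCESS)$")


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    ok: bool  # True when the presented credential was accepted


@dataclass
class Alert:
    src: str
    failures: int                    # failures seen inside the window
    compromised_user: Optional[str]  # set when a success followed the burst


def parse_log(text: str) -> List[Event]:
    """Parse the assumed log format into chronologically ordered events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skip malformed lines rather than guess at them
            continue
        ts, user, src, result = m.groups()
        events.append(Event(datetime.fromisoformat(ts), user, src, result == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)) -> List[Alert]:
    """One alert per source that reaches `threshold` failures inside `window`;
    a later success from that source marks the account as likely compromised."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    alerts: List[Alert] = []
    for src, evs in by_src.items():
        recent = deque()          # failure timestamps still inside the window
        alert: Optional[Alert] = None
        for e in evs:
            while recent and e.ts - recent[0] > window:
                recent.popleft()  # slide the window forward
            if not e.ok:
                recent.append(e.ts)
                if len(recent) >= threshold:
                    if alert is None:
                        alert = Alert(src, len(recent), None)
                        alerts.append(alert)
                    else:
                        alert.failures = len(recent)
            elif alert is not None and len(recent) >= threshold:
                alert.compromised_user = e.user
    return alerts


def apply_lockout_policy(events, max_failures=3, lockout=timedelta(minutes=15)) -> List[Tuple[datetime, str, str]]:
    """Replay the log against a hypothetical lockout policy, returning
    (timestamp, user, decision) per attempt. A correct credential presented
    while the account is locked is still refused, which is what stops guessing."""
    state: Dict[str, Tuple[int, Optional[datetime]]] = {}  # user -> (failures, locked_until)
    decisions = []
    for e in events:
        fails, locked_until = state.get(e.user, (0, None))
        if locked_until is not None:
            if e.ts < locked_until:
                decisions.append((e.ts, e.user, "DENY_LOCKED"))
                continue
            fails, locked_until = 0, None  # lockout expired, counter resets
        if e.ok:
            decisions.append((e.ts, e.user, "ALLOW"))
            state[e.user] = (0, None)
            continue
        fails += 1
        if fails >= max_failures:
            locked_until = e.ts + lockout
            decisions.append((e.ts, e.user, "DENY_LOCKED"))
        else:
            decisions.append((e.ts, e.user, "DENY_BAD_PASSWORD"))
        state[e.user] = (fails, locked_until)
    return decisions


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_brute_force(evs):
        print(f"ALERT src={a.src} failures={a.failures} compromised={a.compromised_user}")
    for ts, user, decision in apply_lockout_policy(evs):
        print(f"{ts.isoformat()} {user}: {decision}")
```

Run as-is, the detector flags 203.0.113.7 with six failures and a subsequent success on `admin`, while the single failed attempt by `jsmith` produces nothing. The replay shows the policy side of the same record: with a three-failure lockout the guessing run is refused from its third attempt onward, including the attempt that carried the right password, and the burst is still visible in the log for monitoring.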
This will be a very interesting and important case. Many of the issues raised in the proceeding deal with obligations to maintain proper data security under APP 11 of the Privacy Act 1988. That is the province of the Australian Information Commissioner. ASIC has had an interest in corporations maintaining proper cyber resilience. In April 2015 I posted on its report (Report 429) on cyber resilience.
This is one of the first cases where the Court will need to consider what adequate cyber security controls are and what RI should have done when confronted with cyber attacks. It is an issue the Australian Information Commissioner should have dealt with under its civil penalty prosecution powers. There has been no shortage of cases where it could have commenced proceedings. Unfortunately it is a very timid regulator. Accordingly the Australian Competition and Consumer Commission and ASIC are using their powers to raise privacy and data protection issues and litigate, as is happening in this case. The consideration and findings may influence privacy law development.