On Thursday, 5 May, AFS licensee RI Advice was found to have breached its licence obligations by the Court, who ruled that the group did not act efficiently and fairly when it failed to have adequate risk management systems to manage its cyber security risks.
According to ASIC, a “significant number” of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020, including an incident where “an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons”.
“Brute force attacks consist of attackers submitting many passwords or passphrases with the hope of eventually guessing correctly. Implementing multi-factor authentication such as two-factor authentication, which needs another factor other than username and password to enable access, could have put a stop to the brute force attack that occurred,” CEO and founder of cyber security provider, StickmanCyber, Ajay Unni, said.
“For example, an attacker may need an authentication code from an certified app or a SMS code and their password, this makes it more difficult for cyber criminals to access your files or account. This attack could have also been prevented by implementing an account lockout after several unsuccessful login attempts.”
Mr Unni suggested that some ways to block attacks can include enabling CAPTCHA to render bots ineffective and engage with an information security team to regularly monitor server logs.
Though RI Advice has taken steps to address cyber security risks, the Court has ordered that the advice group engage a cyber security expert to identify any further measures that may be necessary to implement.
“With a rise in complexity and frequency of cyber threats, it isn’t a question of if your business will fall prey to a cyber attack, it is more a question of when an attack will occur,” Mr Unni said.
“Businesses, regardless of their size, type, and industry, need to enhance their cyber resilience.”
He continued: “Businesses need to learn from RI Advice and prioritise the enhancement of their cyber security posture by treating it as a business function, as opposed to a business issue that is relegated to the IT department.”
In addition to the licence breach, RI Advice has also been ordered to pay $750,000 towards ASIC’s costs.
ASIC’s approach to this – that the victim of the crime was the guilty party – is quite astonishing.
ASIC initially wanted a fine for in excess of $100M and all that got was an award of costs. So who has really won.