In a statement, the regulator said the action followed a number of alleged cyber breaches within the group’s authorised representatives, including one incident at Melbourne-based investment advice firm Frontier Financial Group that occurred from December 2017 to May 2018.
ASIC said Frontier was subject to a “brute force” attack, during which a malicious user successfully gained remote access to Frontier’s server and spent more than 155 hours logged into the server, which contained sensitive client information including identification documents.
At the time, RI Advice was owned by ANZ.
ASIC alleges that RI failed to implement adequate policies, systems and resources to manage cyber security risk.
The regulator is seeking declarations by the court that RI contravened provisions of the Corporations Act, as well as orders that the dealer group implement adequate systems to deal with cyber security risk in future, and pay an appropriate civil penalty for the breaches.




So we are at the point where a gov’t department will sue you because you were hacked by criminals. What about every other business in Aus that has been hacked? Surely there are better uses of public funds than this case.
My advice to everyone, GET OUT OF THE ADVICE INDUSTRY it’s laced with rules that strip the adviser of any rights or recourse and is a race to the bottom. ASIC is run by a pack of leprosy-ridden parasites who are on a witch hunt for money and headlines. Make sure the last person turns the lights off too!
Lol the bigger story here is the Cyber security risk one of the Ex ANZ, IOOF Groups takes by using para planning in the Philippines and Vietnam and it’s not even mentioned in their FSG
Ask yourself, does your office have 2 factor authentication, password management systems and are you password protecting encrypted documents which contain any client data? That is the minimum requirement for ASIC.
Or I could turn off the internet. I believe the words “reasonable and appropriate” are to be used as well when it comes to cyber security. In that RI Advice would be expected to have all you said.
What a pathetically low blow from the regulator. After they have been repeatedly shown up to be pathetic litigators, they are now looking for an easy victory to wave in the air. Securing an IT system is absolutely impossible, multinationals with 100 million dollar IT budgets still get compromised and yet RI Advice must be dragged over the coals. The regulator is honestly just throwing mud now and hoping it will stick. What a circus this has all become.
Sounds like sour grapes for ASIC because they lost to IOOF. If the breach occurred under ANZ’s watch then go after ANZ. Nobody wants to be cyber attacked but unfortunately it’s a serious threat at the moment and we all have to be on our guard but can ASIC really blame the dealership?
This is what happens when the bully is smacked down in the playground by someone stronger (ASIC vs Westpac: Shiraz case), the next day they will target the weakest kid in the playground to remind everyone, and themselves how menacing they can be.
It is impossible for a dealership to manage the IT security of its hundreds of self employed practices. So, ASIC will get an easy, cheap win, over something that is impossible to manage. Just because something is written into the Corps Act, does not make it feasible in the real world.
Absolutely
Well said Anonymous
The Australian government can’t stop a cyber attack but ASIC expects a licensee to do so.
They’re not saying “stop a cyber attack”. ASIC are saying at least take reasonable preventative measures.
Sounds like a waste of resources by ASIC….criminals force their way illegally into a computer system and you go after one of the victims of said crime. When this happens to a Government agency it’s “oops sorry”. Government starting to play hard ball on certain nations that do this and steal corporate secrets. I’d argue client data is a corporate secret and they should go after the criminals not the company that has been attacked.
No system is ever going to be “adequate” as it is a continuously evolving game of whack-a-mole whenever there is an update or you install any form of software.
I bet ASIC’s systems are just as or maybe even more out of date and vulnerable to a determined actor.
I’m just waiting for some of the Hacker groups to hack ASIC now.
Licensees need to take reasonable measures. Not too much to ask.
...yet advisers still whinge about having to invest in activities related to cyber security!
Why not litigate?
Why not not litigate?
You would imagine they would have the best cybersecurity systems in the industry off the back of what happened. ASIC searching for yet another headline scalp from a 3 year old story.
ASIC is right. These dealer groups charge the earth, and line their pockets instead of investing in the businesses.
Rubbish Colin. This has nothing to do with licensee fees. If a cybercriminal wants to hack a financial planning office’s database (or the ATO’s, or a University’s, or a Govt Dept) they will. It is about the level of commerciality someone goes to. Small businesses (and their licensees) aren’t the CIA, FBI etc. To what lengths is it reasonable for a licensee to protect data? The Federal Court will decide this. If the regulator wins this case self-licensed advisers better be ready to spend lots on cyber-protection.
But the minister wants ASIC to be allowed to log into real time Xplan data...?
How’s that gunna stack up…? I think you’re right Brett.
Look after your AFSL Dave