In an Australian first, ASIC confirmed on Thursday that the Federal Court found that RI Advice did not act efficiently and fairly when it failed to have adequate risk management systems to manage its cyber security risks.
According to the corporate regulator, a “significant number” of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020, including an incident where “an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons”.
“These cyber attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information. It is imperative for all entities, including licensees, to have adequate cyber security systems in place to protect against unauthorised access,” ASIC deputy chair Sarah Court said.
“ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cyber security position to improve cyber resilience in light of the heightened cyber threat environment.”
Though the group has taken steps to address cyber security risks, the Court has ordered that RI Advice engage a cyber security expert to identify any further measures that may be necessary to implement.
When handing down the judgement, Justice Rofe said: “Cyber security risk forms a significant risk connected with the conduct of the business and provision of financial services.
“It is not possible to reduce cyber security risk to zero, but it is possible to materially reduce cyber security risk through adequate cyber security documentation and controls to an acceptable level.”
RI Advice has been ordered to pay $750,000 towards ASIC’s costs.
The news comes after RI Advice was hit with a $6 million penalty in February for failing to take reasonable steps to ensure that its authorised representative, John Doyle, provided appropriate financial advice, acted in his clients’ best interests, and put clients’ interests ahead of his own.
Additionally, Mr Doyle, a former financial adviser, was ordered to pay an $80,000 penalty after he inappropriately advised clients to invest, and stay invested, in complex structured financial products.




Isn’t that like fining you for/after a burglar breaks into your home via brute force, because you didn’t have military level security?
Why are ASIC’s costs $750,000? Seems like they’ve stolen more from the victims after the initial theft.
Disgraceful ASIC
Surely there are plenty of other industries & businesses with personal information that have been compromised at some stage. Why is ASIC only targeting the FP industry?
There are plenty of horror stories in this space, and advisers hold so much information on clients, trust, reputation and potentially business valuations are at risk.
Given the circumstances I’d like to know why the former head of RI and his team, given the baggage they still carry, were able to continue their employment within IOOF/Insignia?
Their insurance will pick up the bill and we will all pay more…
Another AFSL will go to the wall and all of its advisers. Someone needs to take a look at ASIC and ask are they using the fine system to eliminate AFSL’s..?
I think RI Advice, with IOOF’s pockets, are fine. The problem is their reaction to this is hamfisted, and the steps they have introduced (while not intended) prohibit email communication to clients…