Court finds financial advisory firm failed to prevent series of cyberattacks

No more heads in the sand: ANZ Bank subsidiary “took too long to implement” adequate controls after years of breaches.

gavel / abstract binary lines  >  court judgment / fine / penalty / settlement

Australian financial advisory RI Advice has failed to prevent a series of cybersecurity breaches resulting in a breach of its financial-services license obligations “to act efficiently and fairly”, the Federal Court found.

Business regulator the Australian Securities and Investments Commission (ASIC) took action against RI Advice—a Sydney-based retirement investment advice firm owned by ANZ Bank that had around a dozen employees—in August 2020 after revelations the company was breached on multiple occasions between June 2014 and May 2020.

One of those incidents enabled what ASIC called “an unknown malicious agent” to brute-force their way onto the company’s authorised representative (AR) network, then access an authorised representative’s file server for five months before being detected.

Servers on the network included a broad range of personal information including personal particulars, contact information, copies of identity documents like passports and driver’s licenses, and in some cases health information.

The attacks were “significant events that allowed third parties to gain unauthorised access to sensitive personal information,” ASIC deputy chair Sarah Court said, calling it “imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access”.

In ruling that the firm had contravened ss912A(1)(a) and (h) of the Corporations Act between 15 May 2018 and 5 August 2021, Justice Helen Rofe pointed out that its principals had admitted the company did not have documentation, controls and risk management systems that were adequate to manage risk in respect of cybersecurity across its AR network.

Although on 15 May 2018 the firm obtained a formal 11-point cyber resilience plan to prevent recurrence of the earlier breaches, it took over three years to implement these practices across its AR network “to a good level”.

“Whilst the measures it assessed and developed… to improve cybersecurity and cyber resilience for the ARs were designed so as to meet RI Advice’s understanding of its obligations, it took too long to implement and ensure such measures were in place across its AR Practices,” said Justice Rofe.

It had, therefore, violated requirements under its financial-services license that it do all things necessary to ensure the financial services covered by its license were provided efficiently and fairly.

Financial services licensees should be aware of the risks of cybersecurity, with the court calling cybersecurity risk “a significant risk connected with the conduct of the business and provision of financial services”.

As a financial-services provider RI Advice’s principals should have known the company’s systems were “potential targets for cyber related attacks and cybercrime by malicious actors targeting Personal Information,” stated the court’s ruling.

“That risk increased over time. It is not possible to reduce the cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level,” said the judge.

The financial advisory was ordered to engage security firm Security in Depth, or similar, and provide a written report explaining what specific measures needed to be taken to bring its systems to an acceptable level of cybersecurity risk management. It also has to pay $750,000 in proceedings’ costs to ASIC.

RI Advice must begin implementing those measures within 90 days and provide the court with written confirmation that they have been completed adequately.

What RI Advice’s ruling says about Australia’s cyber-attitude

The ruling, which ASIC called “an Australian first”, represents a significant precedent in a regulatory regime in which companies have generally avoided punishment for avoiding breaches, despite a formal Notifiable Data Breaches (NDB) scheme being in place for over four years.

Indeed, despite years in which regulators have pushed companies to be more transparent about data breaches, a recent study by ExtraHop found that 85% of Australian organisations suffered a ransomware incident over the past five years—but 72% tried to keep it quiet.

Fully 43% of Australian IT decision-makers have low confidence in their organisation’s ability to prevent or mitigate cybersecurity threats, the survey found, with ExtraHop CISO Jeff Costlow noting that immature cybersecurity cultures are creating problems for CISOs.

“Many regional security leaders are in disagreement with executives around disclosure, they’re getting increased budgets but it doesn’t feel like enough, and there is worry around legal obligations,” Costlow said.

To minimise their exposure, he advises, they should focus on their risk tolerance for their IP, data, and customer data and arm their teams with the tools and network intelligence that can help them defend their most critical assets.

Although the action against RI Advice have made an example of that company, statistics suggest that most companies are failing to improve their cybersecurity controls even after being breached: on average, ExtraHop noted, every Australian business identifying as a ransomware victim was infected or reinfected in four of the past five years.

With ASIC emboldened by its court success, repeated cyberattacks or infections may increasingly be taken as an abrogation of the legal responsibilities placed on company executives and boards.

“High levels of fear around the security implications of legacy environments, and the very real threat of multiple breaches a year, is a reminder of just how quickly cybersecurity postures can become outdated and vulnerable,” ExtraHop ANZ country manager Rohan Langdon said.

“Defenders need tools that can track attacker activity across cloud, on-premises, and remote environments so they can identify and stop an attack before it can compromise the business.”

Related:

Copyright © 2022 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022