ASIC has alleged in the Federal Court that RI Advice Group (RI) breached its obligations under its Australian Financial Services Licence by failing to have adequate cybersecurity measures in place.
The key players:
RI – the defendant. Until 1 October 2018, RI was a wholly owned subsidiary of ANZ; from 1 October 2018, RI has been a wholly owned subsidiary of IOOF.
The ARs – Authorised Representatives of RI that provide financial services on RI’s behalf. RI had around 290 ARs between 2018 and 2020.
Background
RI holds an Australian financial services licence and is a financial services licensee under the Corporations Act. The licence requires RI to establish and maintain compliance measures that ensure, as far as is reasonably practicable, that RI complies with the financial services laws.
This includes having technical and organisational measures – i.e. adequate systems, policies, procedures and controls – in place to appropriately manage risks relating to cybersecurity and cyber resilience across its AR network.
Incidents 1 and 2: Cybersecurity breach at Wise Financial Planning and RI Circular Quay
In late December 2016, RI was informed that the main reception computer of AR Wise Financial Planning had been infected with ransomware, which encrypted files and made them inaccessible.
In May 2017, RI became aware that the local network of AR RI Circular Quay had been compromised through an exposed remote access port, affecting about 226 client groups.
After becoming aware of each of these cybersecurity breaches, RI should have, but failed to, review the cybersecurity systems and controls relevant to the breaches and ensure that those controls were strengthened so as to avoid continuing or repeated breaches.
The steps RI should have taken include reviewing the effectiveness of its account lockout policies for failed logins, password complexity requirements, multi-factor authentication, cyber training and awareness, email filtering and incident response controls.
Incident 3: Cybersecurity breach at Frontier Financial Group (FFG)
From December 2017 until April 2018, an unknown malicious agent obtained and retained unauthorised remote access to the file server of AR FFG. The malicious agent spent over 155 hours logged on to the server and had access to emails containing sensitive client information and identification documents.
FFG lodged a notifiable data breach notification with the OAIC. At the time FFG lodged the notification, 27 clients had informed FFG that their personal information had been used for unauthorised purposes, such as opening bank accounts.
FFG's investigation of the breach revealed that the personal information of 8,104 individuals had potentially been exposed.
Until RI became aware of the FFG breach, it did not have adequate cybersecurity protection measures in place. There was no documentation of the obligation of RI and its ARs to responsibly manage cybersecurity risks. Many of RI's cybersecurity documents were standard ANZ documents that had not been tailored to RI and its specific cybersecurity needs.
Incident 4: Cybersecurity breach at RI Shepparton
In May 2018, RI became aware of a cybersecurity incident involving AR RI Shepparton. In this breach, an unknown party had obtained unauthorised access and used it to transfer funds to a Turkish bank account. An investigation of the breach revealed that the likely cause was a Trojan (a form of malicious software) installed on the laptop of Sandra Miller, an employee of RI Shepparton.
Cybersecurity reports following the FFG Breach
Vixtro report: Vixtro, a third-party IT service provider, identified several deficiencies in FFG's desktop and network security following the FFG breach.
CARRs: A third-party cybersecurity firm performed cyber assurance risk reviews (CARRs) on five ARs. Three ARs received a ‘poor’ cybersecurity rating as they had no discernible cybersecurity policies, processes or procedures and no structured cybersecurity governance program.
It was recommended that RI have CARRs performed on all its ARs, but RI failed to do so.
KPMG report: KPMG provided a report outlining its conclusions and recommendations following the FFG breach. KPMG concluded that a malicious agent had installed various software on the FFG server which gave the agent access to the entire contents of FFG's file server.
KPMG recommended that FFG implement the Australian Cyber Security Centre's Essential Eight mitigation strategies to reduce its cybersecurity risk.
Steps taken by RI following breaches
Following the breaches, RI should have, in consultation with internal or external cybersecurity experts, promptly adopted a cybersecurity framework to guide all of its cybersecurity related activities.
Furthermore, when RI changed ownership from ANZ to IOOF, it adopted standard IOOF cybersecurity documentation and failed to tailor the IOOF documents to the requirements of RI and its ARs.
Incident 5: Cybersecurity breach at Empowered
In August 2019, RI became aware that an unauthorised party had compromised the mailbox account of a staff member at AR Empowered.
Following the breach, RI failed to take adequate steps to review the effectiveness of its cybersecurity controls and ensure that those controls were remediated across its AR network where necessary.
Incident 6: Cybersecurity breach at RI Shepparton
In April 2020, RI discovered that an unknown party had been monitoring an RI Shepparton email account for a period of time and had had access to thousands of email addresses and contact details. Following this breach, RI again failed to take steps to mitigate its cybersecurity risk.
Take-outs
This case illustrates the importance of having adequate cybersecurity protections in place. A large number of RI's clients were exposed to serious privacy breaches and had their sensitive information exposed because of RI's lack of adequate security measures. What is most alarming about this case is RI's continued failure to adjust its cybersecurity protections following repeated cybersecurity incidents. This is likely not only to expose RI to greater penalties but also to severely damage its reputation as a reliable and trustworthy financial services provider.
This case also illustrates the importance of businesses implementing a privacy by design approach. In this case, RI used ANZ's and then IOOF's standard documentation. This meant that its cybersecurity and privacy policies and procedures were not tailored to the design of its business and left it vulnerable to attack. If RI had taken a privacy by design approach, its privacy and security practices would have been built into the structure of its business and tailored to its specific needs.