The Federal Court has ordered advice group RI Advice to engage a cyber-security expert to identify risks after a series of compromising incidents over six years from June 2014.
The court found the wealth advisory firm breached its licence obligations to act efficiently and fairly because it failed to install adequate systems to manage its cyber-security risks.
ASIC said the finding came after a “significant number” of cyber incidents at authorised representatives of RI Advice between June 2014 and May 2020 had potentially compromised thousands of clients.
RI Advice has also been ordered to pay $750,000 towards ASIC’s costs.
In one incident an unknown malicious agent used a brute force attack to access an authorised representative’s file server from December 2017 to April 2018 before being detected.
This had resulted in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons.
ASIC deputy chair Sarah Court said these cyber attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information.
“It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access,” she said.
“ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment.”
When handing down judgement, Justice Rofe said cyber security should be front of mind for all financial service licensees.
“Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services,” she said.
“It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”
This finding comes as the recent cyber-security and fraud risks have increased since the pandemic, with the need to adopt new technology processes to better protect clients.
There are also fears that cyber security is a disaster waiting to happen for many small businesses and accountants and advisers need to take a “how-to help” approach to provide practical advice for clients.