ASIC takes action against RI Advice Group for cyber breaches at authorised representatives
ASIC claims that RI failed to have implemented (including by its ARs) adequate policies, systems and resources which were reasonably appropriate to manage risk in respect of cybersecurity and cyber resilience.
The Australian Securities & Investments Commission (ASIC) today launched proceedings in the Federal Court of Australia against RI Advice Group Pty Ltd for failing to have adequate cyber security systems.
ASIC’s action follows a number of alleged cyber breach incidents at certain authorised representatives (ARs) of RI, including an alleged cyber breach incident at Frontier Financial Group Pty Ltd as trustee for The Frontier Trust (Frontier) from December 2017 to May 2018.
The regulator alleges that Frontier was subject to a “brute force” attack whereby a malicious user successfully gained remote access to Frontier’s server and spent more than 155 hours logged into the server, which contained sensitive client information including identification documents.
ASIC claims that RI failed to have implemented (including by its ARs) adequate policies, systems and resources which were reasonably appropriate to manage risk in respect of cybersecurity and cyber resilience.
In this action, ASIC is seeking:
- declarations that RI contravened provisions of the Corporations Act, specifically sections 912A(1)(a), (b), (c), (d) and (h) and (5A);
- orders that RI pay a civil penalty in an appropriate amount to be determined by the Court; and
- compliance orders that RI implements systems that are reasonably appropriate to adequately manage risk in respect of cybersecurity and cyber resilience and provide a report from a suitably qualified independent expert confirming that such systems have been implemented.
RI was, until October 1, 2018, a wholly owned subsidiary of Australia and New Zealand Banking Group Limited. On October 1, 2018, RI became a wholly owned subsidiary of IOOF Holdings Limited (IOOF).
