Cyber News | ASIC has commenced proceedings against Financial Services Group
ASIC has commenced proceedings in the Federal Court of Australia against RI Advice Group Pty Ltd (RI), an Australian Financial Services (AFS) licence holder, for failing to have adequate cyber security systems.
ASIC noted that the action followed a number of alleged cyber breach incidents between December 2017 and May 2018. These include incidents at authorised representatives (ARs) of RI, among them an alleged cyber breach incident at Frontier Financial Group (Frontier).
ASIC alleges that Frontier was subject to a “brute force” attack in which a malicious user successfully gained remote access to Frontier’s server and spent more than 155 hours logged into it; the server contained sensitive client information, including identification documents.
In its notice of filing, the regulator says RI is required to establish and maintain compliance measures, as an AFSL holder.
Nevertheless, RI failed to secure its systems despite having been alerted to two security incidents involving its authorised representatives.
A post-mortem by KPMG found that someone had tried 2,178 usernames from ten different countries, resulting in 27,814 unsuccessful login attempts that went undetected.
KPMG's forensic analysis also found cryptocurrency-mining malware on the file server, as well as a virtual private network that had been set up, a peer-to-peer file sharing application, hacking tools and brute-force password cracking software.
Frontier (FFG) did not detect the intrusion until April 16, 2018, however, and only informed RI of the breach on May 15 that year.
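The security-relevant point in the post-mortem is that tens of thousands of failed logins across thousands of usernames went unnoticed. The following is an added example, not part of the article or of any of the parties' systems, of the kind of detection logic that would have surfaced that pattern: it parses constructed remote-access authentication log lines (the log format, IP addresses, usernames and thresholds are all assumptions) and flags sources with many failures or many distinct usernames, noting when a success follows such a run.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the incident): a remote-access service
# records each authentication attempt as "<ts> <FAIL|OK> user=<u> src=<ip>".
SAMPLE_LOG = """\
2018-01-03T02:14:07Z FAIL user=admin src=203.0.113.7
2018-01-03T02:14:09Z FAIL user=administrator src=203.0.113.7
2018-01-03T02:14:11Z FAIL user=jsmith src=203.0.113.7
2018-01-03T02:14:13Z FAIL user=backup src=203.0.113.7
2018-01-03T02:14:15Z FAIL user=scanner src=203.0.113.7
2018-01-03T02:14:16Z FAIL user=guest src=203.0.113.7
2018-01-03T02:14:18Z OK   user=backup src=203.0.113.7
2018-01-03T02:20:01Z FAIL user=jsmith src=198.51.100.24
2018-01-03T02:20:05Z OK   user=jsmith src=198.51.100.24
"""

LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")

def parse_auth_log(text):
    """Yield (succeeded, username, source_ip) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, result, user, src = m.groups()
            yield result == "OK", user, src

def detect_brute_force(text, max_failures=5, max_usernames=3):
    """Flag sources with many failed logins or many distinct usernames tried.
    A success that follows max_failures failures from the same source is noted too."""
    failures = defaultdict(int)
    usernames = defaultdict(set)
    success_after_failures = defaultdict(bool)
    for ok, user, src in parse_auth_log(text):
        if ok:
            if failures[src] >= max_failures:
                success_after_failures[src] = True
            continue
        failures[src] += 1
        usernames[src].add(user)
    return {
        src: {
            "failed_logins": n,
            "distinct_usernames": len(usernames[src]),
            "success_after_failures": success_after_failures[src],
        }
        for src, n in failures.items()
        if n >= max_failures or len(usernames[src]) >= max_usernames
    }
```

In practice the same aggregation would run over a sliding time window and feed an alert, so that a run of failures is seen within minutes rather than months after the fact.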
It is alleged that RI failed to implement (including through its authorised representatives) adequate policies, systems and resources that were reasonably appropriate to manage risk in respect of cybersecurity and cyber resilience.
ASIC is seeking:
• declarations that RI contravened provisions of the Corporations Act, specifically sections 912A(1)(a), (b), (c), (d) and (h) and (5A);
• orders that RI pay a civil penalty in an appropriate amount to be determined by the Court; and
• compliance orders that RI implements systems that are reasonably appropriate to adequately manage risk in respect of cybersecurity and cyber resilience and provide a report from a suitably qualified independent expert confirming that such systems have been implemented.
COMMENT: These proceedings serve as a timely reminder of the obligations that not only AFSL holders but all organisations have with respect to cyber security and cyber resilience. In its Cyber Resilience Report (Report 429: Cyber Resilience – Health Check), ASIC clarified that the obligation on company directors and officers to discharge their duties with care and diligence extends to cyber security and resilience. Directors’ duties now include an obligation to ensure an appropriate commitment to cyber resilience in an organisation’s corporate governance regime.
The proceedings are a further reminder that ASIC fully intends to enforce cyber security and resilience obligations, and that these obligations apply to all organisations (not just AFSL holders). Organisations should be:
1. Identifying their risk and exposure;
2. Mitigating these risks and exposures; and
3. Implementing appropriate risk transfer (insurance) solutions.