On the 10th of May, 2022, the Federal Court found RI Advice, a holder of an Australian Financial Services Licence, and a subsidiary of IOOF. This is a historical court case, with a company being prosecuted for poor cyber security practices for the first time. ASIC took RI Advice to court for:
- failing to implement appropriate cybersecurity controls and documents;
- failing to identify the cause of cybersecurity incidents; and
- its failure to use the information it had obtained about cyberattacks within its network of ARs to mitigate the risk of future attacks.
RI Advice had suffered a number of cyber security attacks between 2014 and 2020. These included a Business Email Compromise that saw a client transfer $50,000 to a hacker, hacking gaining access to their systems for 3 months which compromised the personal information of several thousand customers, and a brute force attack against their server that enabled the hacker to ransom the personal information of 220 clients.
RI Advice engaged multiple cyber security experts but did not implement some of their recommendations and admitted that their efforts were inefficiently and ineffectively implemented up to August 2021.
ASIC and RI Advice settled prior to court with Her Honour ordering that RI Advice:
- pay ASIC $750,000 in costs;
- engage (as its own expense) an independent cybersecurity firm to identify what further cybersecurity documentation and controls are necessary for RI Advice to adequately manage risk in respect of cybersecurity and cyber resilience; and
- provide written reports to ASIC identifying any further measures required to adequately manage cybersecurity risk, the agreed timeframe for the implementation of those measures and the outcome of that implementation within 30 days of the agreed timeframe.
What does the court ruling mean for Small Businesses
All Small and medium-sized owners and directors should be looking a lot more closely at their Cyber Security posture as a part of their responsibilities. ASIC used Sections 912A(1)(a) and (h) of the Corporations Act 2001 (Cth), which only applies to Financial Services License Holders, but I think it puts all Directors on notice about their legislative requirements. What is so unusual in this is that it is a broad provision and is usually used in conjunction with other breaches. Read the full judgment here
The fact that ASIC pursued this prosecution could be a part of a strategic move to share the cyber risk with businesses. The Australian Cyber Security Centre has struggled with the breadth of small and medium-sized businesses and the national lack of understanding about increasing cyber resilience. As we see more cyberattacks from Nation States, it becomes more important to ensure that as many small businesses as possible have adequate levels of Cyber Resilience.
For more information on the legal aspects of this ruling, read the Lexology.com article.
Increasing Cyber Resilience for Small Business
For more information on the Essential 8 and SME Cyber Resilience, read our page on the ACSC Essential 8 and talk to Team Extreme about taking the steps for Essential 8+ for your Small Business.