Peter Ornsby

With data stolen and likely sold to the black market, RI Advice’s breach of license obligations for cybersecurity has become a test case for the industry and one that chief executive Peter Ornsby isn’t shying away from.

Earlier this month the Federal Court found Australian financial services licensee RI Advice breached its license obligations by failing to have adequate risk management systems to manage its cybersecurity risks after a practice in its network was hit with a cyberattack.

ASIC described the Federal Court finding as an “Australian first” and RI Advice was ordered to pay $750,000 towards the regulator’s costs after both parties agreed to resolve the proceedings.

Ornsby tells Professional Planner it was obvious client data was stolen and compromised, with it likely being sold on the black market.

“That had a detrimental effect on a number of clients. We’ve worked to try and remediate and provide support where we can.”

Ornsby says additional staff were required to provide witness statements and were called to the stand during the trial.

“We had staff in tears because of the stress of trying to do the right thing and being placed on the stand. No one wants that, everyone goes into work to try and do their best.”

Ornsby will be speaking at the Professional Planner Licensee Summit on 6-7 June where he will go into detail about what licensees can do to be better prepared to prevent cybersecurity breaches as well as highlighting the court process involved.

“We want people to engage and ask questions [at the summit]. We’re going to be covering quite a bit in the time we have. We want to take people through that story and what our learnings were.”

More than a test

Ornsby says this is a test case which aims to ensure licensees know what their responsibilities are and what the implications of failing to commit appropriate resources and investment can be.

“I hope that our industry continually learns how it can best protect the interests of the client and their personal information.”

In addition to the financial penalty, the court ordered RI Advice to engage a cybersecurity expert to identify any further measures that might be necessary to adequately manage cybersecurity risks across the firm’s authorised representative network.

Although ASIC does not prescribe any technical standards, expert guidance or specific requirements for individual licence holders, it does expect licensees to address cyber risk as part of their AFSL obligations and encourages AFSLs to report cyber incidents to the Australian Cyber Security Centre.

“For many years we’ve taken cyber [security] seriously,” Ornsby says. “We’ve worked to create standards, guidelines and training for advisers across the network.”

A significant number of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020, including an incident where an unknown malicious agent obtained unauthorised access, via a brute force attack, to an authorised representative’s file server from December 2017 to April 2018 before being detected.

“There was only one instance aside from the court case incident where client data was actually compromised,” Ornsby says. “We’ve recorded all those incidents formally as incidents, which you should do, so we can learn from those incidents.”

Many of the outcomes of those incidents formed the agenda of future training of the licensee group.

“Cybersecurity has always been a threat to our business and one that we’ve wanted where we have permitted to support the network and provide guidance to protect the interests of client safety.”
