On 21 August 2020, ASIC issued a media release announcing proceedings against RI Advice Group Pty Ltd (RI) for alleged failure to meet several of its licensing conditions because of the inadequate cyber security systems it had in place. At the time RI was 100% owned by the ANZ Banking Group Ltd.
It is interesting that the cyber breaches occurred in several of its authorised representatives. I have provided considerable background as it provides a context for the outcomes ASIC is seeking.
Section 912A(1) of the Corporations Act details the general obligations all Licensees are required to meet. Sub-section (h) requires a licensee to have in place adequate risk management systems.
In summary the detailed allegations are:
- Failed to do all things necessary to ensure the financial services covered by the License were performed efficiently, honestly and fairly.
- Failed to comply with the condition of its AFSL that it establish and maintain compliance measures to ensure, as far as is reasonably practicable, that the licensee complies with financial services laws.
- Failed to comply with the financial services laws.
- Failed to have available adequate resources (including financial, technical and human resources) to provide the financial services covered by the License and to carry out supervisory arrangements.
- Failed to have adequate risk management systems in place.
Penalties being sought
In addition to a finding of contraventions of the Corporation Act, ASIC is seeking a pecuniary penalty order being the greater of:
- 50,000 penalty units, being $10,600,000; or
- 10% of the annual turnover of the IOOF Group for the 12 months ended 1 May 2020.
Background to proceedings
In the statement of claim ASIC identified the following cyber breaches as having occurred in RI's authorised representatives.
On or about 3 January or 3 March 2017, RI became aware, after being informed by an adviser, of a cyber security breach that had taken place in late December 2016.
On 30 May 2017, RI became aware of another cyber security incident that occurred on that day, as a result of being informed by an authorised representative.
Another cyber security incident occurred between December 2017 and April 2018. The authorised representative was the subject of a “brute force” attack, and as a result a malicious user successfully gained remote access to the authorised representative’s server for 155 hours. On 15 May 2018, the authorised representative informed RI of the breach, having itself become aware of the breach on 16 April 2018.
On 29 May 2018, RI became aware of a cyber security incident that had occurred on 23 May 2018 as a result of Trojan software installed on the laptop of an authorised representative.
ASIC is alleging that RI should have but failed to:
- properly review the effectiveness of cybersecurity controls relevant to these incidents across its AR network, including account lockout policies for failed log-ins, password complexity, multi-factor authentication, port security, log monitoring of cybersecurity events, cyber training and awareness, email filtering, application whitelisting, privilege management and incident response controls; and ensure that those controls were remediated across its AR network where necessary in a timely manner, in order to adequately manage risk with respect to cybersecurity and cyber resilience.
ASIC assessment of the cyber security documentation in place
Many cybersecurity documents were ANZ-developed documents specific to the ANZ organisation and its IT environment and were not tailored to RI and its ARs’ requirements. RI and its ARs had not implemented and operationalised these ANZ-developed documents as part of RI’s governance and management of cybersecurity resilience and risk management. RI did not adopt and implement adequate and tailored cybersecurity documentation and controls in each of the following cybersecurity domains: governance and business environment, risk assessment and risk management, asset management, supply chain risk management, access management, personnel security training and awareness, data security, secure system development life cycle and change management, baseline operational security, security continuous monitoring, vulnerability management, incident response and communication, and continuity and recovery planning.
How did RI respond to the cyber security matters?
It commissioned experts to provide it with reports.
It received its first report on 7 August 2018. The deficiencies identified in that report included 90% of desktops not having up-to-date antivirus software, no filtering or quarantining of emails, no offsite backups having been performed, and passwords and other security details found in text files on the server desktop.
During September 2018 RI commissioned another expert to perform a cyber assurance risk review of five authorised representatives. Between September and October 2018 this expert provided a cyber assurance review report on each representative. Three of the authorised representatives were rated “poor” and the remaining two “fair”. In a final report provided to RI during October 2018 there was a recommendation that a cyber assurance risk review be undertaken on all authorised representative organisations.
On 24 October 2018, RI received an expert report assessing the authorised representative cyber breach noted in point 3 above.
What ASIC expected RI should have done
RI should have, in consultation with internal or external cybersecurity experts, promptly adopted a cybersecurity framework to guide all of its cyber related activities, undertaken a risk assessment across its entire network of ARs, and then sought technical security assurance across a number of its ARs as a technical measure of the cybersecurity risks that exist in their organisations. Armed with this information, it should then have analysed the results to determine the current cybersecurity risks applicable to its network of ARs, and then developed and implemented a cybersecurity remediation plan and supporting initiatives that were tailored to its AR network.
After the takeover of RI by IOOF on 1 October 2018
Following the change of ownership of RI from ANZ to IOOF, RI replaced ANZ-developed documentation relating to cybersecurity with IOOF-developed documentation, which often pre-dated IOOF’s acquisition of RI. Like the ANZ documents, the IOOF documents were not tailored to RI and its ARs’ requirements, and RI and its ARs did not implement and operationalise them as part of RI’s own governance and management of cybersecurity resilience and risk management. RI’s risk management systems and resources with respect to cybersecurity and cyber resilience remained inadequate, including as at 12 March 2019.
On 23 August 2019, an authorised representative informed RI of a cybersecurity incident. RI was informed of a further cybersecurity incident by another authorised representative on 15 April 2020.
ASIC view post IOOF takeover
ASIC’s view of what should have been done after that time is as noted above. Additionally, the steps taken by RI in relation to cybersecurity in the period from 1 November 2019 to 1 May 2020 were neither initiated nor completed in a sufficiently timely manner and were not sufficiently broad. RI’s risk management systems and resources with respect to cybersecurity and cyber resilience remained inadequate, including as at 1 May 2020.
Consider ASIC’s view on cybersecurity requirements by a Licensee.
The court application does not indicate if ASIC became aware of the cybersecurity breaches through self-reporting by RI.