ASIC has today commenced proceedings in the Federal Court of Australia against RI Advice Group Pty Ltd (RI), an Australian Financial Services (AFS) licence holder, for failing to have adequate cyber security systems.
ASIC’s action follows a number of alleged cyber breach incidents at certain authorised representatives (ARs) of RI, including an alleged cyber breach incident at Frontier Financial Group Pty Ltd as trustee for The Frontier Trust (Frontier) from December 2017 to May 2018.
RI was, until 1 October 2018, a wholly owned subsidiary of Australia and New Zealand Banking Group Limited. On 1 October 2018, RI became a wholly owned subsidiary of IOOF Holdings Limited (IOOF).
ASIC alleges that Frontier was subject to a “brute force” attack whereby a malicious user successfully gained remote access to Frontier’s server and spent more than 155 hours logged into the server, which contained sensitive client information including identification documents.
ASIC alleges that RI failed to have implemented (including by its ARs) adequate policies, systems and resources which were reasonably appropriate to manage risk in respect of cybersecurity and cyber resilience.
ASIC is seeking:
- declarations that RI contravened provisions of the Corporations Act, specifically sections 912A(1)(a), (b), (c), (d) and (h) and (5A);
- orders that RI pay a civil penalty in an appropriate amount to be determined by the Court; and
- compliance orders that RI implements systems that are reasonably appropriate to adequately manage risk in respect of cybersecurity and cyber resilience and provide a report from a suitably qualified independent expert confirming that such systems have been implemented.
ASIC’s regulatory resources include further information about cyber security and cyber resilience:
- Cyber resilience good practices
- REP 429 Cyber resilience: Health check
- REP 651 Cyber resilience of firms in Australia’s financial markets: 2018–19
- REP 555 Cyber resilience of firms in Australia’s financial markets
The matter has been listed for its first case management hearing on 18 September 2020 at 10:15am.
Editor's note 2:
On 18 September 2020, the Court listed the matter for a further case management hearing on 11 December 2020.
Editor's note 3:
The Court has vacated the case management hearing listed for 11 December 2020 and it is now listed on 19 February 2021 at 9:30am.
Editor's note 4:
On 19 February 2021, the Court listed the matter for a further case management hearing on 14 May 2021 and has tentatively listed the matter for trial commencing 29 November 2021.
Editor's note 5:
On 14 May 2021, the Court vacated the tentative trial date and listed the matter for trial commencing 4 April 2022 with an estimate of 3 weeks. The Court listed a further case management hearing on 10 December 2021.
Editor's note 6:
An interlocutory hearing has been scheduled for 6 September 2021.
Editor's note 7:
The Court has reserved its judgement with respect to RI Advice’s interlocutory application.
Editor's note 8:
On 5 October 2021, the Court dismissed RI Advice’s interlocutory application. The next case management hearing is listed on 10 December 2021.
Editor's note 9:
The 10 December 2021 case management hearing was vacated and has been relisted for 3 February 2022 at 9:30am.
Editor's note 10:
On 3 February 2022, the matter was listed for mediation on 3 March 2022 and then a trial commencing 4 April 2022 (with an estimate of three weeks).
Editor's note 11:
On 17 February 2022, the matter was relisted for mediation on 24 March 2022 and then a trial commencing 4 April 2022 (with an estimate of three weeks).
Editor's note 12:
The trial has been re-listed to commence on 11 April 2022.
Editor's note 13:
The trial listed for 11 April 2022 has been vacated.