Given the cyber threat landscape, it was only a matter of time before legal precedents were set to increase the effectiveness of data protection. Naturally, the most valuable data in any organisation is that pertaining to finances. If cybercriminals get their hands on sensitive financial details such as account names, logins and passwords, businesses and individuals can be held to ransom for vast sums of money, or have money redirected or stolen directly from their accounts.
In a landmark decision, the Federal Court has ruled that Australian financial services licensees are legally responsible for their cyber security defences.
The Federal Court came to this conclusion after an action was brought by the Australian Securities and Investments Commission against retirement investment firm RI Advice. It decided that RI Advice had breached its license obligations and ruled that the group did not act ‘efficiently and fairly when it failed to have adequate risk management systems to manage its cyber security risks.’
The court also ordered RI Advice to engage an independent cyber security expert within a month, implement the security measures that expert recommends, and pay $750,000 towards ASIC’s costs. The case was brought against RI Advice after a series of cyber incidents spanning nearly six years, including unauthorised access to a file server.
Announcing the win, ASIC said similar incidents had occurred at RI Advice’s authorised representatives over nearly six years, from June 2014 to May 2020. According to ASIC, this included an incident where “an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons”.
On the bench, Federal Court Justice Helen Rofe said the responsibility of cyber risk management should belong to the firms in possession of the data.
“Cyber security risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cyber security risk to zero, but it is possible to materially reduce cyber security risk through adequate cyber security documentation and controls to an acceptable level,” Justice Rofe said.
ASIC deputy chair Sarah Court also commented on the necessity of businesses making an active effort to defend and protect client information.
“These cyber attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information. It is imperative for all entities, including licensees, to have adequate cyber security systems in place to protect against unauthorised access.”
This means more investment in cyber security by financial firms and other businesses, and that is good news for everyone. We all have financial details stored with banks, accountants, employers, institutions, brokers, advisers and investment firms. The ruling highlights the importance of implementing stronger cyber security measures and should prompt organisations to act sooner rather than later. Protecting customer data has always been an ethical obligation; it is now unambiguously a legal one as well.
Become cyber security compliant
Evologic offers Managed IT Services in Geelong to a range of major organisations. We develop technology roadmaps and generate end-to-end cyber security and risk management solutions. To ensure the data within your organisation is properly protected, contact us for a cyber security audit.