Company fined for inadequate Cyber Security risk management

May 13, 2022 | Security

On the 10th of May, 2022, the Federal Court found RI Advice, a holder of an Australian Financial Services Licence, and a subsidiary of IOOF. This is a historic court case, with a company being prosecuted for poor cyber security practices for the first time. ASIC took RI Advice to court for:

  • failing to implement appropriate cybersecurity controls and documents;
  • failing to identify the cause of cybersecurity incidents; and
  • its failure to use the information it had obtained about cyberattacks within its network of ARs to mitigate the risk of future attacks.

RI Advice had suffered a number of cyber security attacks between 2014 and 2020. These included a Business Email Compromise that saw a client transfer $50,000 to a hacker, a hacker gaining access to their systems for 3 months, which compromised the personal information of several thousand customers, and a brute force attack against their server that enabled the hacker to ransom the personal information of 220 clients.

RI Advice engaged multiple cyber security experts but did not implement some of their recommendations and admitted that their efforts were inefficiently and ineffectively implemented up to August 2021.

ASIC and RI Advice settled prior to court with Her Honour ordering that RI Advice:

  • pay ASIC $750,000 in costs;
  • engage (at its own expense) an independent cybersecurity firm to identify what further cybersecurity documentation and controls are necessary for RI Advice to adequately manage risk in respect of cybersecurity and cyber resilience; and
  • provide written reports to ASIC identifying any further measures required to adequately manage cybersecurity risk, the agreed timeframe for the implementation of those measures and the outcome of that implementation within 30 days of the agreed timeframe.

 

What does the court ruling mean for Small Businesses?

All small and medium-sized business owners and directors should be looking a lot more closely at their Cyber Security posture as a part of their responsibilities. ASIC used Sections 912A(1)(a) and (h) of the Corporations Act 2001 (Cth), which only applies to Financial Services Licence Holders, but I think it puts all Directors on notice about their legislative requirements. What is unusual here is that this is a broad provision that is usually used in conjunction with other breaches. Read the full judgment here

The fact that ASIC pursued this prosecution could be a part of a strategic move to share the cyber risk with businesses.  The Australian Cyber Security Centre has struggled with the breadth of small and medium-sized businesses and the national lack of understanding about increasing cyber resilience.  As we see more cyberattacks from Nation States, it becomes more important to ensure that as many small businesses as possible have adequate levels of Cyber Resilience.

For more information on the legal aspects of this ruling, read the Lexology.com article.

Increasing Cyber Resilience for Small Business

For more information on the Essential 8 and SME Cyber Resilience, read our page on the ACSC Essential 8 and talk to Team Extreme about taking the steps for Essential 8+ for your Small Business.
