Businesses ‘must learn’ from landmark RI Advice court decision

On Thursday (5 May), Australian Financial Services (AFS) licensee RI Advice was found to have breached its licence obligations by the Federal Court, after the judge ruled that the group did not act efficiently and fairly when it failed to have adequate risk management systems to manage its cyber-security risks.

According to the Australian Securities & Investments Commission (ASIC) – which brought the case against RI Advice – a “significant number” of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020, including an incident where “an unknown malicious agent” obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected.

This resulted in the potential compromise of confidential and sensitive personal information of thousands of clients and other persons.

When handing down judgement, her honour Justice Rofe emphasised that cyber security should be front of mind for all licensees.

She stated: “Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services.

“It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”

Speaking last week, ASIC deputy chair Sarah Court commented: “These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information. It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.

“ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment.”

In addition to the licence breach, RI Advice has also been ordered to pay $750,000 towards ASIC’s costs.

How can you stop a brute force attack?

Chief executive and founder of cyber-security provider StickmanCyber, Ajay Unni, explained that “brute force attacks” consist of attackers submitting many passwords or passphrases with the hope of eventually guessing correctly.

“Implementing multi-factor authentication such as two-factor authentication, which needs another factor other than username and password to enable access, could have put a stop to the brute force attack that occurred,” he said. 

“For example, an attacker may need an authentication code from an certified app or a SMS code and their password, this makes it more difficult for cyber criminals to access your files or account. This attack could have also been prevented by implementing an account lockout after several unsuccessful login attempts.”
Mr Unni suggested that some ways to block attacks can include enabling CAPTCHA to render bots ineffective and engage with an information security team to regularly monitor server logs.

Though RI Advice has taken steps to address cyber-security risks, the court has ordered that the advice group engage a cyber-security expert to identify any further measures that may be necessary to implement.
“With a rise in complexity and frequency of cyber threats, it isn’t a question of if your business will fall prey to a cyber attack, it is more a question of when an attack will occur,” Mr Unni said.

“Businesses, regardless of their size, type, and industry, need to enhance their cyber resilience.

“Businesses need to learn from RI Advice and prioritise the enhancement of their cyber security posture by treating it as a business function, as opposed to a business issue that is relegated to the IT department.”

The time to prepare is now

Brokers and the broader financial services sector are increasingly being urged to embed cyber-security measures and a crisis management team well before an attack occurs.
Major General (Ret’d) Dr Marcus Thompson, former head of the Department of Defence’s Information Warfare Division, has recently said that brokers and the broader financial services sector are particularly vulnerable to cyber-criminal activity because they have access to their clients’ sensitive financial information and digital systems that connect to financial institutions and other trading mechanisms.

He is currently speaking at the Better Business Summit roadshow to alert brokers to the lurking threats of cyber attacks and pushed them to implement defence mechanisms before they fall prey to cyber criminals.

“The time to be thinking about a response is well before a response is required,” Dr Thompson said.

“Once an incident occurs, it’s too late to be thinking about that.”

Dr Thompson’s warnings have followed multiple incidents of malicious cyber attacks in the financial services sector, with studies revealing last year that the industry suffered the highest number of data breaches between January and July 2021.

Home buyers have also been targeted by scammers and lost hundreds of thousands of dollars.

These sustained attacks and scams (which have escalated during the COVID-19 crisis) led Connective to urge brokers to bolster their cyber-security posture to protect their businesses but lamented that this issue had dropped down their list of priorities.

The 3-pronged defence system

Noting that some businesses have employed measures with more vigour than others, Dr Thompson advised brokers to implement three types of cyber-security protection.

The first is self-defence, which would involve providing education to increase awareness among employees and embedding a culture of caution.

“Don’t be the person who clicks on the links in the phishing email or posts information on social media that a professional cybercriminal could use to target your brokerage in a socially engineered phishing attack,” he said.

The second is passive defence, where system administrators assess how well businesses are complying with the mitigation strategies developed by the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC), which aim to prevent adversaries from compromising systems.

Known as the “essential eight”, these strategies include:

• Application control
• Patch applications
• Configure Microsoft Office macro settings
• User application hardening
• Restrict administrative privileges
• Patch operating systems
• Multifactor authentication
• Regular backups

The third is active strategy where professional cyber-security officers sit inside systems and actively detect, contain, and resolve threats to a business’ system.

Dr Thompson will delve further into the legislative environment at the summit, and present a conceptual framework for the consideration of cyber security, and answer brokers’ questions around their technical support during his session.

The Better Business Summit 2022 will continue in the following locations:

Adelaide, 12 May 2022 at the Adelaide Convention Centre
Perth, 19 May 2022 at Crown Towers
Melbourne, 2 June 2022 at Crown Towers