
CPD: 4 cyber developments advisers must understand and respond to

This Best Practice CPD series is published by AdviserVoice and sponsored by Bennelong Funds Management.


2022 will be remembered as a watershed year on many fronts, not least as the year when the pervasiveness, complexity, and disruptive power of cybercrime rose to prominence. But, while for many people, the Medibank and Optus incidents are – deservedly – the events that will stay in the memory the longest, for financial advisers, 2022 should be seen as the year where the cyber risk landscape saw four major developments unfold:

  • ASIC concluded its cases against RI Advice and set out its expectations for how advisers should protect their clients’ data from cyber crime and privacy breaches
  • the Medibank and Optus incidents heightened regulator focus on cyber crime, and made clients more alert to the risks and devastating consequences of their data being compromised
  • courtesy of a report by the Actuaries Institute, the spotlight was shone on evolving challenges in the cyber insurance market, and
  • the passing of legislation locking in a massive increase in penalties and stricter reporting requirements for customer data breaches (criminal or otherwise).

These developments will continue to have major ramifications for advisers and the way they serve their clients, protect their data and manage the sustainability of their practice. In this article, we will examine these developments in more detail, and explore the practical steps advisers can take to better secure their clients’ data.

ASIC v RI Advice, what all advisers must learn

In what is believed to be the first legal judgement relating to the cyber security obligations of financial firms, the Federal Court of Australia ruled against RI Advice in May 2022[1], finding they had breached the law by failing to protect against nine cyberattacks that put confidential client data at risk.

In the view of Justice Helen Rofe, RI Advice (owned by ANZ at the time most of the incidents occurred) had breached its licence obligations and contravened the Corporations Act, failing to provide services “efficiently and fairly”[2].

While the court ordered the defendant to pay $750,000 to cover ASIC’s legal costs, it opted not to impose a penalty against RI Advice (a penalty in the millions would have been permitted under existing rules).

Instead, it ordered RI Advice to engage a specialist cyber security firm to review the firm’s risk management protocols relating to cyber security and cyber resilience, and to report the findings back to the regulator within 30 days.

There are a few key lessons the case provides for financial advisers.

Firstly, the regulator takes this seriously, and the financial penalties can be harsh enough to cripple a business (and, as we explain below, they have recently been made even harsher).

Secondly, the actual details of the nine incidents should provide a real wake-up call about just how much damage cyber criminals can do. These incidents, which took place over a seven-year period from 2014, included payment fraud, business email compromise, and a ransomware attack in which one practice had its files encrypted and made inaccessible. But perhaps the most disturbing incident was a brute force attack by a malicious actor that gave them access to the file server of an authorised representative, and which went undetected from December 2017 to April 2018[3].

Thirdly, and perhaps most importantly, while this case put RI Advice under the spotlight, the reality is that no practice and no business is immune from attack, and putting in place processes and controls to mitigate the risks is no longer a ‘nice to have’. As one cyber security expert told a gathering of licensees, most advice practices can be hacked within half an hour[4].

To continue reading and receive CPD points, view the original article on AdviserVoice's website.


[1] https://www.afr.com/companies/financial-services/insignia-wealth-firm-failed-to-fend-off-cybercrime-court-finds-20220505-p5aite
[2] Ibid.
[3] https://www.digitalnationaus.com.au/news/asic-v-ri-advice-ruling-sets-new-precedent-for-cybersecurity-accountability-579864
[4] https://www.professionalplanner.com.au/2022/06/most-practices-can-be-hacked-in-30-mins-cybersecurity-expert/