Lessons from RI Advice


Australian Competition and Consumer Commission v RI Advice Group Pty Ltd was a landmark case. While specific to the obligations of an Australian Financial Services Licence (AFSL), it demonstrates that ASIC is willing to pursue not just companies that breach their duty of care but also the directors and officers involved.

RI Advice is a financial services company that, through its AFSL, authorised representatives to provide financial services. As you would expect, in providing those services the authorised representatives received, stored and accessed confidential and sensitive personal information. Between June 2014 and May 2020, nine cybersecurity incidents occurred at practices of RI Advice’s Authorised Representatives. Enquiries following the incidents revealed:

  • Computer systems which did not have up-to-date antivirus software installed and operating;
  • No filtering or quarantining of emails;
  • No backup systems or backups being performed; and
  • Poor password practices, including sharing of passwords between employees, use of default passwords, and passwords and other security details being held in easily accessible places or being known by third parties.

RI Advice took steps to manage its cybersecurity, introducing a cyber resilience program, controls and risk management measures for its representatives, including training, incident reporting and contractual professional standard terms, but by its own admission, it took too long to implement them.

RI Advice was ordered to pay $750,000 towards ASIC’s costs. Handing down the decision, Justice Rofe said, “It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”

Note: The material and contents provided in this publication are informative in nature only. It is not intended to be advice and you should not act specifically on the basis of this information alone. If expert assistance is required, professional advice should be obtained.