Tuesday, 10 May 2022

The landmark Federal Court ruling over a financial services firm’s inadequate cybersecurity measures rings major warning bells about cyber risk management strategy.

In an Australian first, financial planner RI Advice was last week found to have breached the law by failing to protect confidential client information from a spate of cyber attacks between 2014 and 2020.[1] RI Advice now faces hefty costs and serious reputational damage, with the court ordering it not only to pay $750,000 towards ASIC’s legal costs but also to engage cybersecurity experts to review and overhaul its risk management systems and to provide the regulator with written progress reports at regular intervals.

Giving this case added weight is the fact that RI Advice was purchased as part of a large transaction while the cyber attacks were still occurring. The court heard that nine incidents occurred between June 2014 and May 2020 in which hackers infiltrated the servers of authorised RI Advice representatives. On 1 October 2018, RI Advice became a wholly owned subsidiary of Insignia Financial (formerly known as IOOF). The purchase took place well after the hacks had begun and only a few months after one of the more serious incidents, in which an unknown malicious agent accessed an RI Advice file server between December 2017 and April 2018, placing the sensitive data of several thousand clients at risk.[2]

Methods used by the threat actors included compromised web servers, ransomware, brute-force attacks, phishing emails and unauthorised access. The court heard that these repeated breaches had gone unaddressed: systems remained unpatched, backups were non-existent, and endpoint security was either not installed or not kept up to date. Even after phishing attacks, incoming email was not filtered and passwords were still being shared. After the IOOF takeover there were moves to install stronger security measures, but these “…took too long to implement…”, the court heard, clearly demonstrating a risk that mergers and acquisitions must account for.

Handing down the ruling, Justice Helen Rofe found that RI Advice had breached its licence obligations, contravened the Corporations Act, failed to have adequate risk management systems and failed to do all things necessary to ensure its financial services were provided “…efficiently and fairly”.

The ruling sends a clear message to corporate Australia that regulators are now actively enforcing minimum cybersecurity expectations. Organisations must take seriously the need to implement cybersecurity programs and keep them up to date. The stark reality is that this landmark case is only the beginning: it provides the ideal springboard for all regulators, not just ASIC, to pursue the many similar cases they have waiting in the wings.

The case also plainly demonstrates the significant expense saved by implementing cybersecurity programs early and addressing risks both before and as they arise. RI Advice could potentially have avoided legal action and major financial consequences had it put adequate cybersecurity programs in place and adopted remediation strategies following the attacks on its servers.

Reputational damage aside (within hours of the ruling, Insignia shares fell 1.03 per cent to $3.36), consider the expense now faced by RI Advice.[3] Meeting the court order’s lengthy list of requirements will potentially run into millions of dollars, money that could have been saved by having appropriate risk management in place and addressing issues as they arose.

Those running or acquiring corporations across Australia, whatever their size or industry, are on notice: if cybersecurity is continually swept under the carpet, dismissed as too expensive to implement or merely paid lip service, the consequences are now very real and possibly dire.

[1] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496

[2] Australian Securities and Investments Commission, ‘22-104MR Court finds RI Advice failed to adequately manage cybersecurity risks’ (Media Release, 5 May 2022) 2 <https://asic.gov.au/about-asic/news-centre/find-a-media-release/2022-releases/22-104mr-court-finds-ri-advice-failed-to-adequately-manage-cybersecurity-risks/>

[3] Aleks Vickovich, ‘Insignia wealth firm failed to fend off cybercrime, court finds’, Australian Financial Review (online, 5 May 2022) <https://www.afr.com/companies/financial-services/insignia-wealth-firm-failed-to-fend-off-cybercrime-court-finds-20220505-p5aite>