The Australian Securities and Investments Commission (ASIC) has announced plans to hit a financial services company with legal action for inadequate cyber security policies that resulted in repeated hacks, and failing to protect the data of its customers.
ASIC has launched legal action against RI Advice Group Pty Ltd, a member of the Australian Financial Services, for failing to protect its network, with a number of inadequate cybersecurity policies leading to two separate breaches. Until 2018, RI was a subsidiary of the Australia and New Zealand Banking Group (ANZ), which sold it, along with four other groups, for $975 million; it later became a member of the IOOF Group.
ASIC says that in one data breach, a hacker was able to stay inside the network, which contained the personal information of its clients, for a total of 155 hours without the company’s IT systems raising an alert.
The financial watchdog says two separate hacks, one in December 2017 and another in May 2018, were not enough to convince RI to implement high-level cybersecurity measures to protect the data of its clients. ASIC is now forcing that to happen through legal action.
According to a report from ZDNet’s Asha Barbaschow, “a post-mortem by KPMG found someone had tried 2178 usernames from ten different countries resulting in 27,814 unsuccessful login attempts that went undetected.”
Barbaschow added that “the financial watchdog alleges that RI, including its authorised representatives, failed to implement adequate policies, systems, and resources that are reasonably appropriate to manage risk in respect of cybersecurity and cyber resilience.”
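The figures KPMG reported above (27,814 failed logins across 2,178 usernames from ten countries, none of it detected) describe exactly the pattern a basic authentication-log check should catch. The following is an added illustration, not code from the article or from RI; the log format, the thresholds and the sample lines are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample authentication log (hypothetical format, not from the article).
SAMPLE_LOG = """\
2017-12-01T02:14:07Z auth FAIL user=alice src=203.0.113.7 country=AU
2017-12-01T02:14:09Z auth FAIL user=bob src=198.51.100.3 country=NL
2017-12-01T02:14:10Z auth FAIL user=carol src=198.51.100.3 country=NL
2017-12-01T02:14:12Z auth FAIL user=dave src=192.0.2.44 country=BR
2017-12-01T02:14:15Z auth OK user=alice src=203.0.113.7 country=AU
2017-12-01T02:14:20Z auth FAIL user=erin src=192.0.2.44 country=BR
"""

LINE_RE = re.compile(
    r"auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+) country=(?P<cc>[A-Z]{2})"
)


@dataclass
class FailureSummary:
    failures: int            # total failed login attempts in the window
    distinct_users: int      # how many different usernames were tried
    distinct_countries: int  # how many source countries the failures came from


def summarise_failures(log_text: str) -> FailureSummary:
    """Aggregate the failed-login lines of a log window into the three signals."""
    users, countries, failures = set(), set(), 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["result"] != "FAIL":
            continue
        failures += 1
        users.add(m["user"])
        countries.add(m["cc"])
    return FailureSummary(failures, len(users), len(countries))


def is_credential_attack(s: FailureSummary, max_failures=100, max_users=20, max_countries=3) -> bool:
    """Alert when any signal exceeds its threshold (thresholds are hypothetical; tune per estate).
    Spraying many usernames or many countries is flagged even when the total count is modest."""
    return (s.failures > max_failures
            or s.distinct_users > max_users
            or s.distinct_countries > max_countries)


# The KPMG figures as reported in the article, expressed in the same structure.
REPORTED = FailureSummary(failures=27814, distinct_users=2178, distinct_countries=10)
```

Running `is_credential_attack(REPORTED)` returns `True` on every one of the three thresholds, while the small constructed log stays below them; the point is that the check exists and is reviewed, which is what the regulator found lacking.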
ASIC has taken RI to the Federal Court of Australia where it will push for official declarations that RI was in breach of the Corporations Act, aiming for civil penalties and an assurance that RI adds a number of cyber security policies that are “reasonably appropriate to adequately manage risk in respect to cybersecurity and cyber resilience and provide a report from a suitably qualified independent expert confirming that such systems have been implemented.”
ASIC concluded its filing by stating that “RI’s risk management systems and resources with respect to cybersecurity and cyber resilience were still inadequate as at 1 May, 2020,” adding that “the steps taken by RI in relation to cybersecurity in the period of 1 November to 1 May, 2020 were neither initiated nor completed in a sufficiently timely manner and were not sufficiently broad.”
“RI had still not adopted and implemented adequate and tailored cybersecurity documentation and controls in each of the cybersecurity domains referred to above,” ASIC said.
As a reminder, an Information Security Management System (ISMS) built to a standard such as ISO 27001 requires your organisation to adopt high-level thinking about information security internally, to protect your staff and your customers.
We’ve seen cyber attacks on organisations become more prevalent, and more severe in their aftermath, with hackers often choosing small to medium-sized enterprises (SMEs) specifically for their campaigns. This is because hackers realise SMEs often lack the resources, or do not pay enough attention, to the risks of operating online and holding the data of their customers and staff.