ASIC alleges inadequate cyber security systems following cyber breach – commences proceedings


Friday 21 August 2020

ASIC has today commenced proceedings in the Federal Court of Australia against RI Advice Group Pty Ltd (RI), an Australian Financial Services (AFS) licence holder, for failing to have adequate cyber security systems.

According to a statement, ASIC’s action follows a number of alleged cyber breach incidents at certain authorised representatives (ARs) of RI, including an alleged cyber breach incident at Frontier Financial Group Pty Ltd as trustee for The Frontier Trust (Frontier) from December 2017 to May 2018.

RI was, until 1 October 2018, a wholly owned subsidiary of Australia and New Zealand Banking Group Limited. On 1 October 2018, RI became a wholly owned subsidiary of IOOF Holdings Limited (IOOF).

ASIC alleges that Frontier was subject to a “brute force” attack whereby a malicious user successfully gained remote access to Frontier’s server and spent more than 155 hours logged into the server, which contained sensitive client information including identification documents.

ASIC alleges that RI failed to have implemented (including by its ARs) adequate policies, systems and resources which were reasonably appropriate to manage risk in respect of cybersecurity and cyber resilience.

ASIC is seeking:

  • declarations that RI contravened provisions of the Corporations Act, specifically sections 912A(1)(a), (b), (c), (d) and (h) and (5A);
  • orders that RI pay a civil penalty in an appropriate amount to be determined by the Court; and
  • compliance orders that RI implements systems that are reasonably appropriate to adequately manage risk in respect of cybersecurity and cyber resilience and provide a report from a suitably qualified independent expert confirming that such systems have been implemented.

In October 2019, ASIC took civil penalty action against RI Advice and former Melbourne financial adviser, John Doyle. ASIC then alleged that RI Advice failed to take reasonable steps to ensure that Mr Doyle provided appropriate advice, acted in clients’ best interests and put his clients’ interests ahead of his own, as required by law. Mr Doyle was an authorised representative of RI Advice between May 2013 and June 2016.

ASIC also took action against Mr Doyle, alleging that he gave inappropriate “cookie cutter” advice to retail clients to invest in complex structured financial products called Macquarie Flexi 100 Trust and Instreet Masti 36 and 38, without taking into account their financial goals or risk tolerance.

ASIC claimed the impacted clients were, in some cases, preparing for retirement. ASIC alleged that Mr Doyle received upfront and ongoing commissions for each of his clients’ investments in the structured products.

Orders were made on 27 March 2020 setting down a timetable for the progression of the matter, including that a hearing of liability issues take place on a date after 1 December 2020.