The Federal Court has issued a landmark decision regarding inadequate cybersecurity measures within a corporation.
In this case, RI Advice was held to be in breach of the Corporations Act 2011 (Cth) for failing to implement appropriate cybersecurity measures. RI Advice is a financial planning company that was subject to nine cyber attacks between June 2014 and May 2020. Attackers used web-based attacks, ransomware, phishing emails, and unauthorised access to breach RI Advice and obtain confidential client information. Evidence was presented to the court that these breaches were neither addressed nor patched, and that phishing emails were not even filtered. Moreover, backups were not a common practice and endpoint security was not up to date. During the period of these nine attacks, RI Advice was acquired by Insignia Financial, yet the security measures remained non-existent.
Based on this evidence, the Federal Court concluded that RI Advice breached its licence obligations to its clients, contravened s 912A of the Corporations Act, failed to implement adequate cybersecurity risk management, and failed to act in an efficient and fair manner when handling sensitive information. The judge recognised that reducing cybersecurity risk to zero was not possible but noted that RI Advice did not even reduce cybersecurity risk to an acceptable level.
This decision highlights that all Australian corporations must now take cybersecurity management seriously in the course of business. Organisations need to take a proactive approach to mitigating cybersecurity risks or face severe legal and financial ramifications. This case may be just the first of many as other regulatory bodies crack down on poor cybersecurity practices.
RI Advice was ordered to pay a $750,000 penalty and was instructed to hire cybersecurity experts to revamp its cybersecurity risk management structure.
For the full judgment in the case, see here.