Following the regulator’s decision last month to prosecute RI Advice for failing to implement adequate cyber security policies, which led to a “brute force attack” on one of its practices, OnPlatinum ICT director Robbie Bennetts said virtually all licensees could be open to the same type of legal action.
“The more we look into it, it is fairly threatening,” Mr Bennetts said.
“I asked a number of our experts in this area what percentage of financial advisers they think would have problems. It was interesting that they all stated 100 per cent would have a problem, and as a matter of fact they suggested a large amount of them would already have somebody inside their systems but they would not be aware of it.”
The incident ASIC alleges forms part of its case against RI Advice took place at RI-aligned practice Frontier Financial Group, which was subject to ongoing breaches of client data over a six-month period in 2017 and 2018.
If successful, the case could see a civil penalty of up to $12 million levied against the former ANZ-owned dealer group.
Mr Bennetts said such occurrences were common in cyber security breaches, where attackers could remain dormant inside a business’s systems for long periods before accessing client funds.
“This has been a major problem, as an example, in the legal profession, where they are hacked and they may not know; the bad guys sit there for six to 12 months and then suddenly change the banking details of a settlement,” he said.
“There hasn’t been a lot of publicity around this; however, it has been a real problem for some legal firms, because the money has come out of trust accounts and the law requires that money is returned within 24 hours.”
Mr Bennetts said the directors of a licensee could be liable if ASIC found they had not taken sufficient care over the security protocols used by their authorised representatives.
“This begs the question – do you understand where all representatives' client data, not necessarily in financial planning software, is stored and backed up? Do you know how users sign into devices, what security they have on their phone systems and if they have replaced a photocopier in the last few years?” he said.
“These are just a few of the questions you would expect ASIC to ask.”