Insignia wealth firm failed to fend off cybercrime, court finds

Instead, it ruled that RI Advice engage investigators Security in Depth to conduct a review of the firm’s risk management protocols relating to “cybersecurity and cyber resilience” and provide a written report to the regulator within 30 days.

“These cyberattacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information,” said ASIC deputy chairwoman Sarah Court.

“It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.”

A spokeswoman for Insignia said the company had already implemented a “cyber resilience initiative” covering the RI Advice business and about 300 financial advice practices operating under its licence around the country.

“RI Advice has implemented a broad range of measures to manage any potential cyber risks going forward,” the spokeswoman said.

“The court’s judgment relates to historic cybersecurity incidents which occurred prior to that time. This matter has been resolved.”

ANZ, which owned RI Advice during the period in which a number of the cyberattacks took place, declined to comment.

Circular Quay incident

According to court documents, RI Advice sustained nine cybersecurity incidents over a seven-year period from 2014 to 2020. Among them was a ransomware attack in late December 2016 against RI Advice-aligned firm Wise Financial Planning, which hacked an office computer and “encrypted files and made them inaccessible”.

A separate cybersecurity incident occurred in May 2017 involving fellow RI Advice member RetireInvest Circular Quay, after which “[RI Advice] should have, but failed to properly review the effectiveness of cybersecurity controls … across its network”, ASIC’s statement of claim alleged.

Subsequent incidents involving RI Advice members Frontier Financial Group and RI Shepparton occurred in late 2017 and mid-2018, resulting in Security in Depth slapping a “poor” rating on the business.

The court documents also allege RI Advice’s cybersecurity processes were complicated by the transition of the company from ANZ to IOOF’s ownership.

In a separate matter stemming from the…