ASIC is coming after you for weak cyber security!

Background

RI Advice is an Australian financial services firm.

Founded in Melbourne in 1979, RI Advice’s team of financial advisors help clients plan for a more secure financial future.

However, RI Advice’s commitment to security didn’t extend to securing itself from the ever increasing threat of cyber-crime.

Over a period of six years, between 2014 and 2020, RI Advice and its authorised representatives faced no fewer than nine cyber security incidents. It appears that in most cases, cyber-criminals launched Business Email Compromise attacks against RI Advice. These attacks saw its email systems hacked as a prelude to defrauding the organisation and its clients.

Once the cyber-criminals had gained access to RI Advice’s email systems, they used legitimate email addresses to send clients requests for money transfers.

In one instance, this resulted in a fraudulent transfer valued at $50,000.

What is Business Email Compromise?

Business Email Compromise, or BEC, is now the most widely reported form of cyber-crime in Australia.

Last financial year, over 4,600 instances of BEC were reported to the Australian Cyber Security Centre, far outweighing reports of other cyber-attacks, such as ransomware.

Of increasing concern is the amount being lost by Australian organisations in BEC attacks. The average amount lost in a successful BEC attack now stands at $50,600 – a whopping 54% increase on the previous year.

BEC attacks can take a number of guises. Cyber-criminals often hack into email accounts belonging to an organisation’s CEO or CFO. Using those email accounts, they send instructions to Accounts Payable staff to process payments to a bank account controlled by the criminals.

Sometimes, as appears to have happened with RI Advice, the hackers use the compromised email accounts to send instructions to clients to transfer funds to a bank account controlled by the criminals.

In other cases, the attackers hack into a supplier’s email account and manipulate the banking information in invoices. When the supplier’s customer pays the invoice, they inadvertently transfer the payment to a bank account controlled by the criminals.

BEC attacks not only result in stolen funds. The criminals may also infect targeted computer systems with malware, compromise sensitive corporate information and undermine an organisation’s reputation. The consequences of BEC can be devastating and long-lasting.

Given these risks, boards have a responsibility to shareholders, customers, and other stakeholders, to implement systems that help mitigate cyber-threats such as BEC.

For any board that is not yet taking the threat of cyber-crime seriously, ASIC now has you firmly in its sights!

Does ASIC have you in its sights?

Governance standards around cyber security are increasingly on the radar of the Australian government and regulators.

Of course, all directors and officeholders have an obligation to act in good faith in the best interests of their company in accordance with the Corporations Act. It is now widely accepted that cyber security risks are an increasingly important set of risks that all organisations need to oversee and manage.

The Australian Securities and Investments Commission, or ASIC, is the primary corporate regulator.

It has the power to launch legal proceedings against company directors and officeholders for a breach of duties. Now, for the first time, ASIC has exercised those powers in relation to a company for failing to have adequate cyber risk management systems in place.

ASIC launched legal proceedings against RI Advice in August 2020 on the grounds that it had inadequate cyber risk management systems in place, as required for financial services firms.

In a precedent-setting move, the Federal Court has now ruled in ASIC’s favour!

Federal Court Judge Helen Rofe ruled against “RI Advice,” claiming:

“It is not possible to reduce cyber security risk to zero, but it is possible to materially reduce cyber security risk through adequate cyber security documentation and controls to an acceptable level.\

“RI Advice admits that prior to and as at 15 May 2018, it did not have documentation, controls and risk management systems that were adequate to manage risk in respect of cyber security across its [authorised representative] network.”

As punishment, the court ordered RI Advice to pay ASIC $750,000 due to its failure to implement a reasonable standard of cyber security. RI Advice has also been ordered to engage a cyber security firm to make sure its networks are up to scratch and provide a report to ASIC outlining what other measures it will undertake within a strict timeline.

Key Take-Away

If boards take away just one lesson from this case it should be this:

As instances of cyber-attacks, such as BEC, increase exponentially, boards must be able to demonstrate to shareholders, customers, regulators, courts and other stakeholders, that they are adopting reasonable cyber risk mitigation standards.

And with BEC impacting more Australian organisations than ever before, it’s not reasonable to process payments without first ensuring that you are protected from BEC attacks.

Australian organisations are particularly vulnerable to BEC due to a gap in payment verifications, whereby Australian banks can’t match a beneficiary Account Name with either the BSB or Account Number.

Knowing this, boards must have systems in place to plug the verification gap in order to enhance their resilience against BEC attacks.

We now know that failing to do this could see ASIC haul an organisation before the courts!

How Eftsure can help

Protecting your organisation from BEC is now easier than ever, thanks to Eftsure’s unique fraudtech solution.

Our proprietary database aggregates verified banking data from over 80% of active Australian organisations. Whenever your Accounts Payable team processes outgoing EFT payments, the beneficiary details are matched against the records in the Eftsure database.

Mismatched payment records are flagged, giving you a chance to stop fraudulent or incorrect payments before it’s too late!

With Eftsure sitting on top of your accounting processes, your organisation can demonstrate that you have the systems in place to mitigate the growing risk of BEC.

Contact us today for a full demonstration.