20 191mr 2020 10 26 Vid 556 Asic V Ri Soc Filed

NOTICE OF FILING
This document was lodged electronically in the FEDERAL COURT OF AUSTRALIA (FCA) on
26/10/2020 9:59:15 PM AEDT and has been accepted for filing under the Court’s Rules. Details of
filing follow and important additional information about these are set out below.
Details of Filing
Document Lodged: Statement of Claim - Form 17 - Rule 8.06(1)(a)

File Number: VID556/2020
File Title: AUSTRALIAN SECURITIES AND INVESTMENTS COMMISSION v RI
ADVICE GROUP PTY LTD (ACN 001 774 125)
Registry: VICTORIA REGISTRY - FEDERAL COURT OF AUSTRALIA
Dated: 26/10/2020 9:59:19 PM AEDT Registrar
Important Information
As required by the Court’s Rules, this Notice has been inserted as the first page of the document which
has been accepted for electronic filing. It is now taken to be part of that document for the purposes of
the proceeding in the Court and contains important information for all parties to that proceeding. It
must be included in the document served on each of those parties.
The date and time of lodgment also shown above are the date and time that the document was received
by the Court. Under the Court’s Rules the date of filing of the document is the day it was lodged (if
that is a business day for the Registry which accepts it and the document was received by 4.30 pm local
time at that Registry) or otherwise the next working day for that Registry.
No. VID 556 of 2020
Form 17
Rule 8.05(1)(a)
Statement of Claim
(Filed pursuant to orders made by O’Callaghan J on 18 September 2020)
Federal Court of Australia
District Registry: Victoria
Division: General
Australian Securities and Investments Commission

Plaintiff
RI Advice Group Pty Ltd (ACN 001 774 125)

Defendant
TABLE OF CONTENTS
A. THE PARTIES AND THE AUTHORISED REPRESENTATIVES .............................................................................. 3
B. OBLIGATIONS TO IMPLEMENT ADEQUATE CYBERSECURITY SYSTEMS .......................................................... 5
C. CYBERSECURITY INCIDENTS BETWEEN 2014 AND MAY 2018 ........................................................................ 9
C.1 LIFEWISE CYBERSECURITY INCIDENT – JULY 2014 ...................................................................................11
C.2 RI ADVICE CORPORATE CYBERSECURITY INCIDENT – MAY 2015 .............................................................15
C.3 FIREFLY CYBERSECURITY INCIDENT – JUNE 2015 .....................................................................................18
C.4 TOOWOOMBA JEM WEALTH CYBERSECURITY INCIDENT – SEPTEMBER 2016 .........................................21
C.5 WISE CYBERSECURITY INCIDENT – DECEMBER 2016 ...............................................................................25
C.6 RI CIRCULAR QUAY CYBERSECURITY INCIDENT – MAY 2017....................................................................29
C.7 FFG DATA BREACH – DECEMBER 2017 TO APRIL 2018 ............................................................................36
D. INADEQUACY OF STEPS TAKEN BY RI ADVICE UP TO 15 MAY 2018 AND INADEQUACY OF CYBERSECURITY
SYSTEMS IN PLACE AS AT 15 MAY 2018 ................................................................................................................38
D.1 INADEQUACY OF MAY 2018 CYBERSECURITY DOCUMENTATION AND CONTROLS ..................................38
D.2 CONTRAVENTIONS IN RESPECT OF CONDUCT UP TO AND AS AT 15 MAY 2018.......................................42
E. INADEQUACY OF STEPS TAKEN BY RI ADVICE UP TO 12 AND 13 MARCH 2019 AND INADEQUACY OF
CYBERSECURITY SYSTEMS IN PLACE AS AT 12 AND 13 MARCH 2019 ....................................................................43
Filed on behalf of (name & role of party) The Plaintiff

Prepared by (name of person/lawyer) Andrew Christopher
Law firm (if applicable) Webb Henderson
Tel +61 2 8214 3510 Fax N/A
Email Andrew.Christopher@webbhenderson.com Ref
Address for service Webb Henderson, Level 18, 420 George St, Sydney NSW 2000
(include state and postcode) Andrew.Christopher@webbhenderson.com
[Form approved 01/08/2011]
2
E.1 FIRST RI SHEPPARTON CYBERSECURITY INCIDENT – MAY 2018 ..............................................................43

E.2 RI ADVICE’S RECEIPT OF REPORTS IN RELATION TO FFG DATA BREACH ..................................................48
E.3 RI ADVICE’S CYBER SECURITY RISK REVIEWS OF RI ADVICE PRACTICES – LATE 2018 ...............................50
E.4 KPMG REPORT IN RELATION TO THE FFG DATA BREACH ........................................................................56
E.5 INADEQUACY OF STEPS TAKEN BY RI ADVICE UP TO 12 AND 13 MARCH 2019 ........................................59
E.6 INADEQUACY OF MARCH 2019 CYBERSECURITY DOCUMENTATION AND CONTROLS .............................65
E.7 CONTRAVENTIONS IN RESPECT OF CONDUCT UP TO, OR AS AT, 12 AND 13 MARCH 2019 ......................68
F. INADEQUACY OF STEPS TAKEN BY RI ADVICE UP TO 1 NOVEMBER 2019 AND INADEQUACY OF
CYBERSECURITY SYSTEMS IN PLACE AS AT 1 NOVEMBER 2019 .............................................................................71
F.1 EMPOWERED CYBERSECURITY INCIDENT – AUGUST 2019 ......................................................................71
F.2 INADEQUACY OF STEPS TAKEN BY RI ADVICE IN RESPECT OF FFG DATA BREACH ...................................72
F.3 INADEQUACY OF STEPS TAKEN BY RI ADVICE UP TO 1 NOVEMBER 2019 ................................................75
F.4 INADEQUACY OF NOVEMBER 2019 CYBERSECURITY DOCUMENTATION AND CONTROLS .......................82
F.5 CONTRAVENTIONS IN RESPECT OF CONDUCT UP TO, OR AS AT, 1 NOVEMBER 2019 ..............................88
G. INADEQUACY OF STEPS TAKEN BY RI ADVICE UP TO 1 MAY 2020 AND INADEQUACY OF CYBERSECURITY
SYSTEMS IN PLACE AS AT 1 MAY 2020 ..................................................................................................................89
G.1 INADEQUACY OF STEPS TAKEN BY RI ADVICE IN RESPECT OF EMPOWERED CYBERSECURITY INCIDENT .89
G.2 CONTRAVENTIONS IN RESPECT OF EMPOWERED CYBERSECURITY INCIDENT .........................................94
G.3 SECOND RI SHEPPARTON CYBERSECURITY INCIDENT – APRIL 2020 ........................................................95
G.4 INADEQUACY OF STEPS TAKEN BY RI ADVICE UP TO 1 MAY 2020 ...........................................................99
G.5 INADEQUACY OF MAY 2020 CYBERSECURITY DOCUMENTATION AND CONTROLS ................................106
G.6 CONTRAVENTIONS IN RESPECT OF CONDUCT UP TO, OR AS AT, 1 MAY 2020 .......................................112
H. RELIEF .......................................................................................................................................................113
SCHEDULE A .......................................................................................................................................................121
MINIMUM CYBERSECURITY REQUIREMENTS – DETAILS OF 13 CYBERSECURITY DOMAINS ................................121
SCHEDULE B .......................................................................................................................................................135
GAPS IN MAY 2018 CYBERSECURITY DOCUMENTATION AND CONTROLS AGAINST MINIMUM CYBERSECURITY
REQUIREMENTS .................................................................................................................................................135
SCHEDULE C .......................................................................................................................................................144
IOOF DEVELOPED DOCUMENTATION .................................................................................................................144
SCHEDULE D .......................................................................................................................................................149
GAPS IN MARCH 2019 CYBERSECURITY DOCUMENTATION AND CONTROLS AGAINST MINIMUM CYBERSECURITY
REQUIREMENTS .................................................................................................................................................149
SCHEDULE E ........................................................................................................................................................158
GAPS IN NOVEMBER 2019 CYBERSECURITY DOCUMENTATION AND CONTROLS AGAINST MINIMUM
CYBERSECURITY REQUIREMENTS .......................................................................................................................158
SCHEDULE F ........................................................................................................................................................175
GAPS IN MAY 2020 CYBERSECURITY DOCUMENTATION AND CONTROLS AGAINST MINIMUM CYBERSECURITY
REQUIREMENTS .................................................................................................................................................175
SCHEDULE G .......................................................................................................................................................193
GLOSSARY OF DEFINED TERMS ...........................................................................................................................193
3
A. THE PARTIES AND THE AUTHORISED REPRESENTATIVES
1 The plaintiff (ASIC) is:
(a) a body corporate under s 8(1)(a) of the Australian Securities and

Investments Commission Act 2001 (Cth) (the ASIC Act); and
(b) entitled to commence and maintain this proceeding in its corporate name
under s 8(1)(d) of the ASIC Act.
2 The first defendant (RI Advice):
(a) at all material times up to and including 30 September 2018 was a wholly-
owned subsidiary of Australia and New Zealand Banking Group Limited
(ANZ);
(b) was one of three ANZ aligned dealer groups (Aligned Dealer Groups)
which from 1 October 2018 became part of the IOOF Holdings Limited
(IOOF) group of companies;
(c) since 1 October 2018 has been a wholly-owned subsidiary of IOOF;
(d) is and at all material times was the holder of Australian Financial Services
Licence (AFSL) number 000238429 (Licence) and a financial services
licensee (within the meaning of s 761A of the Corporations Act 2001 (Cth)
(the Act)); and
(e) is and at all material times was carrying on a financial services business
(within the meaning of s 761A of the Act), including by providing financial
product advice (within the meaning of s 766B of the Act) to retail clients
(within the meaning of s 761G of the Act) (Retail Clients) through
authorised representatives (within the meaning of s 761A of the Act) (ARs)
who provided financial services on RI Advice’s behalf pursuant to s 916A
of the Act.
3 At all material times, in the course of providing financial services on RI Advice’s

behalf, RI Advice’s ARs received and stored and accessed, electronically,
4
confidential and sensitive personal information and documents in relation to

Retail Clients (Personal Information), including:
(a) personal details, including full names, addresses and dates of birth;
(b) contact information, including contact phone numbers and email

addresses;
(c) copies of identification documents, such as driver’s licenses, Medicare

cards and passports;
(d) tax file numbers; and
(e) bank account and credit card details and other financial information.
4 Since 15 May 2018, RI Advice’s ARs have provided financial services on RI

Advice’s behalf to approximately 60,000 Retail Clients.
Particulars
RI Advice website: “Become an adviser”

www.riadvice.com.au/become-an-adviser -
(accessed on 22 October 2020).
5 By reason of the matters pleaded in paragraphs 2(d) and (e), 3 and 4 above, at
all material times, RI Advice and each of its ARs were potential targets for cyber-
related attacks and cybercrime by malicious actors targeting Personal
Information.
6 As at 15 May 2018, RI Advice had 286 ARs, comprising:
(a) 192 individual ARs; and
(b) 94 corporate ARs.
7 As at 12 and 13 March 2019, RI Advice had 232 ARs, comprising:

5
8 As at 1 November 2019, RI Advice had 297 ARs, comprising:
9 As at 1 May 2020, RI Advice had 293 ARs, comprising:
10 At all material times, since 15 May 2018:
(a) RI Advice’s AR's have provided financial services on RI Advice’s behalf

organised in practice groups of one or more ARs (RI Advice Practices);
and
(b) there have been between about 89 and 110 RI Advice Practices.
Particulars
The RI Advice website contains a list of RI Advice Practices:

www.riadvice.com.au/find-an-adviser (accessed on 26 October
2020).
As at 10 August 2018, there were 110 RI Advice Practices: email

from Peter Ornsby, CEO of RI Advice, to Michael Connory, CEO of
Security in Depth, dated 10 August 2018 [RIF.0004.0004.3598].
As at 1 May 2020, RI Advice stated that there were 89 RI Advice

Practices: Letter from RI Advice to ASIC dated 1 May 2020
[FFG.1027.0001.0003].
B. OBLIGATIONS TO IMPLEMENT ADEQUATE CYBERSECURITY SYSTEMS
11 At all material times, RI Advice was required to establish and maintain

compliance measures that ensure, as far as is reasonably practicable, that RI
Advice complies with the provisions of the financial services laws.
6
Particulars
Clause 2 of the Licence.
12 At all material times, as the holder of the Licence, RI Advice was required:
(a) pursuant to s 912A(1)(a) of the Act, to do all things necessary to ensure

that the financial services covered by the Licence were provided efficiently,
honestly and fairly;
(b) pursuant to s 912A(1)(b) of the Act, to comply with the conditions on the
Licence (including clause 2 of the Licence);
(c) pursuant to s 912A(1)(c) of the Act, to comply with the financial services
laws (which included s 912A(1)(a), (b), (d) and (h) of the Act);
(d) pursuant to s 912A(1)(d) of the Act, to have available adequate resources

(including financial, technological, and human resources) to provide the
financial services covered by the Licence and to carry out supervisory
arrangements; and
(e) pursuant to s 912A(1)(h) of the Act, to have adequate risk management

systems.
13 By reason of the matters pleaded in paragraphs 2(d) and (e), 3 to 5, 11 and 12

above, at all material times, RI Advice was required to:
(a) identify the risks that it and its ARs faced in the course of providing
financial services on RI Advice’s behalf, including in relation to
cybersecurity and cyber resilience; and
Particulars
Cybersecurity is the ability to protect and defend the use of

cyberspace from attacks.
Cyber resilience is the ability to anticipate, withstand, recover from,

and adapt to adverse conditions, stresses, attacks or compromises
on systems that use or are enabled by cyber resources regardless
of the source.
7
(b) have strategies, frameworks, policies, plans, procedures, standards,

guidelines, systems, resources and controls in respect of cybersecurity
and cyber resilience (Cybersecurity Documentation and Controls) in
place that were adequate to manage risk in respect of cybersecurity and
cyber resilience for itself and across its AR network (Minimum
Cybersecurity Requirements).
Particulars
Details of the Cybersecurity Documentation and Controls that RI

Advice should have had in place in order to meet the Minimum
Cybersecurity Requirements are provided in paragraphs 14 and 15
below.
14 Further to paragraph 13 above, at all material times, the Cybersecurity

Documentation and Controls that RI Advice should have had in place in order to
meet the Minimum Cybersecurity Requirements should have adequately
addressed each of the following 13 cybersecurity domains:
1) Governance and business environment;
2) Risk assessments and risk management;
3) Asset management;
4) Supply chain risk management;
5) Access management;
6) Personnel security, training and awareness;
7) Data security;
8) Secure system development life cycle and change management;
9) Baseline operational security;
10) Security continuous monitoring;
11) Vulnerability management;

8
12) Incident response and communications; and
13) Continuity and recovery planning,
(13 Cybersecurity Domains).
Particulars
Details of the Cybersecurity Documentation and Controls that

RI Advice should have had in place for each of the 13 Cybersecurity
Domains in order to meet the Minimum Cybersecurity
Requirements are provided in Schedule A.
Cybersecurity domains refer to subset areas of a cybersecurity

framework which contain further granular cybersecurity controls.
Examples of cybersecurity domains include ‘Access management’
and ‘risk assessments and risk management’.
A cybersecurity framework is a defined structure specific to

cybersecurity which will generally comprise the mandated rules and
processes to help an organisation reduce its cybersecurity risk to an
acceptable level.
15 Further to paragraphs 13 and 14 above, at all material times, as part of the

Cybersecurity Documentation and Controls that RI Advice should have had in
place in order to meet the Minimum Cybersecurity Requirements, and in respect
of its responses to cybersecurity incidents that occurred at RI Advice or within its
AR network (Cybersecurity Incidents), RI Advice should have:
(a) identified the root cause of each Cybersecurity Incident;
(b) identified gaps or deficiencies within the Cybersecurity Documentation and

Controls relevant to the root cause of each Cybersecurity Incident; and
(c) incorporated the findings about the root cause and lessons learnt from
each Cybersecurity Incident into its ongoing identification and mitigation of
risk in respect of cybersecurity and cyber resilience across its AR network,
by:
9
(i) undertaking a cybersecurity and cyber resilience risk assessment

across its entire AR network of gaps or deficiencies in the relevant
Cybersecurity Documentation and Controls;
(ii) seeking technical security assurance across a number of its ARs,

as a technical measure of the cybersecurity risks that exist in their
organisations (Technical Security Assurance);
Particulars
RI Advice should have obtained Technical Security Assurance

across a number of its ARs from an information technology
specialist by using a methodology of the following nature:
(a) performing a technical controls review of the ARs’ desktop
computers, servers, network infrastructure and cloud-based
environment, and reporting at a technical level of detail;
(b) performing a vulnerability assessment across its entire
population of ARs identifying, quantifying, and prioritising
vulnerabilities identified in the ARs’ information assets or systems;
or (c) performing penetration testing of a targeted handful of ARs in
order to understand whether they are susceptible to the same
compromises that were the subject of each Cybersecurity Incident.
(iii) based on an analysis of this information, determining the current

cybersecurity risks applicable to its AR network; and
(iv) developing and implementing a cybersecurity remediation plan for

each Cybersecurity Incident which was tailored to the identified
cybersecurity risks applicable to its AR network, including promptly
reviewing and remediating any gaps or deficiencies in the relevant
Cybersecurity Documentation and Controls.
C. CYBERSECURITY INCIDENTS BETWEEN 2014 AND MAY 2018
16 At all material times since about 2014, RI Advice has recorded details regarding
the identification, management and close out of incidents concerning its ARs,
10
including Cybersecurity Incidents, in one or more Aligned Dealer Groups incident

registers (Aligned Dealer Group Incident Register), which:
(a) until about 30 September 2018, was maintained with the assistance of
ANZ; and
(b) since about 1 October 2018, has been maintained with the assistance of
IOOF.
Particulars
A register titled ‘ADG Incident register_Incident Data Report – All

time.xlsx’ (ADG Incident Register Incident Data Report)
containing a total of 706 incidents relating to RI Advice and its ARs
which are all denoted by an ‘INC’ identifier [FFG.1016.0001.0004].
A register titled ‘COR reporting system_ADG Case Records (d1.01)

181005b.xlsx’ (COR Reporting System ADG Case Records)
containing a total of 156 reportable events relating to RI Advice and
its ARs which are all denoted by a ‘RE’ identifier
[FFG.1016.0001.0005].
A register titled ‘IOOF COR Incident Master

Spreadsheet_20181001_IOOF_COR Incident Master
Spreadsheet.xlsx’ (IOOF COR Incident Master Spreadsheet)
containing a total of 42 IOOF COR incidents relating to RI Advice
and its ARs which are all denoted by a ‘IFR’ identifier, and a total of
182 pre-IOOF COR incidents attributable to RI Advice with various
forms of denotation [FFG.1016.0001.1389].
A register titled ‘20190521 ‐ RI Incident Data Report’ (RI Incident

Data Report) containing a total of 147 incidents attributable to
RI Advice and its ARs which are all denoted by an ‘INC’ identifier
[RIF.0003.0103.0524].
11
C.1 Lifewise Cybersecurity Incident – July 2014
17 At all material times since about 17 August 2013, Lifewise Financial Solutions Pty
Ltd as trustee for Lifewise Financial Solutions Trust (Lifewise) was and is:
(a) an AR of RI Advice;
(b) not an AR of any other financial services licensee;
(c) trading as Lifewise Financial Solutions; and
(d) engaged in providing financial services, on RI Advice’s behalf, to Retail

Clients.
18 At all material times since about 17 August 2013, Bradley Ewan Rogers (Rogers)
was and is:
(c) engaged in providing financial services, on RI Advice’s behalf, to Retail

Clients; and
(d) a principal of Lifewise and the sole director of Lifewise Financial Solutions
Pty Ltd.
19 On or about 7 or 9 July 2014, RI Advice became aware of a Cybersecurity

Incident involving Rogers and Lifewise that had occurred in about early July 2014
(Lifewise Cybersecurity Incident).
Particulars
The Lifewise Cybersecurity Incident was recorded in the ADG

Incident Register Incident Data Report with ‘logged’, ‘submitted’ and
‘report sent’ dates of 7 July 2014 and an incident number of INC-
194437 [FFG.1016.0001.0004] and in the Tab ‘Pre-IOOF COR
Incident Register’ of the IOOF COR Incident Master Spreadsheet
[FFG.1016.0001.1389].
12
The IOOF COR Incident Master Spreadsheet in the Tab ‘Pre-IOOF

COR Incident Register’ (row 13 column P) records that Peter
Ornsby, the CEO of RI Advice, was informed of the incident on or
about 9 July 2014.
20 By about 5 November 2014 at the latest, RI Advice:
(a) was aware, in respect of the Lifewise Cybersecurity Incident, that:
(i) an unknown third party had hacked Rogers’ Google email account;
(ii) five Lifewise Retail Clients had been sent a malicious email which
appeared to have been sent from Rogers’ Google email account
(Malicious Lifewise Emails);
(iii) the Malicious Lifewise Emails requested the five Lifewise Retail
Clients to transfer funds to an unknown external party;
(iv) on about 5 July 2014, one Lifewise Retail Client, who had been sent
one of the Malicious Lifewise Emails (Lifewise Cyber Fraud
Victim), transferred $60,000 to an unknown external party bank
account; and
(v) the Lifewise Cyber Fraud Victim had not as yet recovered $35,000
of the $60,000 that she had transferred; and
(b) had endorsed or allowed the Lifewise Cybersecurity Incident to be

recorded and closed out in the Aligned Dealer Group Incident Register;
and
(c) recorded that the remediation and follow up steps undertaken by Lifewise
and RI Advice in respect of the Lifewise Cybersecurity Incident, prior to the
incident being closed out in the Aligned Dealer Group Incident Register,
were limited to the following:
(i) Rogers had changed his email address and communicated this to
clients;
13
(ii) Lifewise had notified clients that they should notify Rogers if they
received any other suspicious emails;
(iii) the police had been notified;
(iv) Lifewise confirmed that no other clients of Lifewise had transferred

money;
(v) ANZ Group Investigations had prepared an investigation report; and
(vi) the Lifewise Cyber Fraud Victim was working with police and her
financial institution to attempt to recover the remaining defrauded
monies.
Particulars
The various reported matters and steps taken in respect of the

Lifewise Cybersecurity Incident referred to in sub-paragraphs (a) to
(c) above were recorded in the IOOF COR Incident Master
Spreadsheet [FFG.1016.0001.1389] and the Lifewise Cybersecurity
Incident was recorded as closed as at 5 November 2014 in the
ADG Incident Register Incident Data Report [FFG.1016.0001.0004].
21 By reason of the matters pleaded in paragraphs 13 to 15 and 17 to 20 above,

after becoming aware of the Lifewise Cybersecurity Incident and prior to
endorsing or allowing the closure of the Lifewise Cybersecurity Incident in the
Aligned Dealer Group Incident Register, RI Advice should have:
(a) identified the root cause of the Lifewise Cybersecurity Incident;

Controls relevant to the root cause of the Lifewise Cybersecurity Incident;
and
(c) incorporated the findings about the root cause and lessons learnt from the
Lifewise Cybersecurity Incident into its ongoing identification and
mitigation of risk in respect of cybersecurity and cyber resilience across its
AR network, by:
14

across its entire AR network, and seeking Technical Security
Assurance across a number of its ARs, of the effectiveness of the
following Cybersecurity Documentation and Controls relevant to the
Lifewise Cybersecurity Incident:
(A) Cyber training and awareness;
(B) Multi-factor authentication;
(C) Incident response; and
(D) Email filtering; and
Particulars
Details of the following relevant Cybersecurity Documentation and

Controls are provided in Schedule A:
(a) Cyber training and awareness [ED 6.1 to ED 6.7];
(b) Multi-factor authentication [ED 5.1, ED 5.3 and ED 5.6];
(c) Incident response [ED 12.1 to ED 12.5]; and
(d) Email filtering [ED 9.4 and ED 9.8].
(ii) based on an analysis of this information, determining the current

(iii) developing and implementing a cybersecurity remediation plan for

the Lifewise Cybersecurity Incident which was tailored to the
identified cybersecurity risks applicable to its AR network, including
promptly reviewing and remediating any gaps or deficiencies in its
22 RI Advice did not take the steps referred to in paragraph 21 above, adequately or
at all, by 15 May 2018 or at any relevant time.
15
Particulars
The only steps taken were those set out in paragraph 20(c) above,
which did not amount to taking the steps referred to in paragraph 21
above adequately or at all.
C.2 RI Advice Corporate Cybersecurity Incident – May 2015
23 On or about 8 May 2015, RI Advice became aware that it was possible for any
person to access internal corporate RI Advice documents located on RI Advice’s
internal intranet site (RI Intranet) via the Internet (RI Corporate Cybersecurity
Incident).
Particulars
The RI Corporate Cybersecurity Incident was recorded in the Tab

‘Pre-IOOF COR Incident Register’ of the IOOF COR Incident
Master Spreadsheet with ‘COR Date Entered’, ‘submitted’ and
‘report sent’ dates of 8 May 2015 (incident reference LE_1117650)
[FFG.1016.0001.1389].
24 By about 22 December 2016 at the latest, RI Advice:
(a) was aware, in respect of the RI Corporate Cybersecurity Incident, that:
(i) the RI Corporate Cybersecurity Incident had occurred since about

2012;
(ii) the RI Intranet contained commercially sensitive RI Advice

documents including relating to communications, templates and
processes; and
(iii) the documents located on the RI Intranet were publicly accessible

and searchable including through the use of a Google search
without the requirement for any password;
(b) had endorsed or allowed the RI Corporate Cybersecurity Incident to be

and
16
(c) recorded that the remediation and follow up steps undertaken by RI

Advice in respect of the RI Corporate Cybersecurity Incident, prior to the
(i) in about May 2015, RI Advice contacted an external organisation

which was asked to investigate and rectify the incident;
(ii) in about early 2016, RI Advice commenced a plan to transition the

RI Intranet to a new Intranet provider using a new secure site;
(iii) since about September or October 2016, RI Advice engaged

external parties to perform IT and security tests on the new secure
site;
(iv) since about 3 November 2016, RI Advice transitioned the RI

Intranet to the new secure site; and
(v) on or about 18 November 2016, RI Advice received a final security

test report in respect of the new secure site.
Particulars

RI Corporate Cybersecurity Incident referred to in sub-paragraphs
(a) to (c) above were recorded in the Tab ‘Pre-IOOF COR Incident
Register’ of the IOOF COR Incident Master Spreadsheet (incident
reference LE_1117650) [FFG.1016.0001.1389].
The IOOF COR Incident Master Spreadsheet

[FFG.1016.0001.1389] recorded that between about 1 May and
2 June 2015, RI Advice, through Jason Gapps in Marketing, had
requested and followed up with FuseFarm to investigate and rectify
the RI Corporate Cybersecurity Incident.
The IOOF COR Incident Master Spreadsheet recorded that the RI

Advice Event Working Group reported on 6 October 2016 that RI
17
Advice had engaged Felix Alvarez for the security review and EY
for the penetration test of the new secure site.
25 By reason of the matters pleaded in paragraphs 13 to 15, 23 and 24 above, after

becoming aware of the RI Corporate Cybersecurity Incident and prior to
endorsing or allowing the closure of the RI Corporate Cybersecurity Incident in
the Aligned Dealer Group Incident Register, RI Advice should have:
(a) identified the root cause of the RI Corporate Cybersecurity Incident;

Controls relevant to the root cause of the RI Corporate Cybersecurity
Incident; and
RI Corporate Cybersecurity Incident into its ongoing identification and
AR network, by:

RI Corporate Cybersecurity Incident:
(A) Multi-factor authentication;
(B) Incident response; and
(C) Technical security testing; and
Particulars

(a) Multi-factor authentication [ED 5.1, ED 5.3 and ED 5.6];
(b) Incident response [ED 12.1 to ED 12.5]; and

18
(c) Technical security testing [ED 11.3].


the RI Corporate Cybersecurity Incident which was tailored to the
Particulars
C.3 Firefly Cybersecurity Incident – June 2015
27 At all material times from about 12 August 2013 to about 9 May 2016, and since
about 9 January 2017, the Trustee for the Griffin Martin Investment Trust trading
as Firefly Wealth (Firefly Wealth) was and is:
(c) trading as Firefly Wealth; and

Clients.
28 At all material times from about 8 December 2012 to about 9 May 2016 and since
about 9 January 2017, Adele Martin (Martin) was and is:
19

Clients; and
(d) the organisational representative of Firefly Wealth.
29 On or about 17 June 2015, RI Advice became aware of a Cybersecurity Incident

involving Martin and Firefly Wealth that had occurred in June 2015 (Firefly
Cybersecurity Incident).
Particulars
The Firefly Cybersecurity Incident was recorded in the IOOF COR

Incident Master Spreadsheet (incident reference 4593) with a ‘COR
date entered’ of 17 June 2015 [FFG.1016.0001.1389].
30 By about 22 June 2015 at the latest, RI Advice:
(a) was aware, in respect of the Firefly Cybersecurity Incident, that:
(i) the website belonging to Innergi, a third party organisation

responsible for website and email newsletter content provided to
Firefly’s Retail Clients and advisers, was hacked between about 16
and 17 June 2015 and defaced by a threat actor purporting to be
ISIS; and
(ii) hackers had put a fake home page on top of the knowledge centre
website which meant that Retail Clients accessing the home page
could not get through to the knowledge centre on the website;
(b) had endorsed and allowed the Firefly Cybersecurity Incident to be

and
(c) recorded that the remediation and follow up steps undertaken by Firefly
and RI Advice in respect of the Firefly Cybersecurity Incident, prior to the
20
(i) Innergi had confirmed that the website did not hold client data and it
had been removed while they investigated the matter; its website
was held on a separate server domain to the client data; and its
other computer server which held client data including names and
email addresses had not been hacked;
(ii) Innergi had confirmed that it had uploaded additional security

software and, after testing, had confirmed that it had no malware,
spam or suspicious code, and the website had no vulnerabilities
and was fully functional by midday on 17 June 2015;
(iii) Innergi confirmed it was being acquired by IRESS and it was in the
process of moving to IRESS’s servers in due course; and
(iv) ANZ IT security had been notified of the incident.
Particulars

Firefly Cybersecurity Incident referred to in sub-paragraphs (a) to
(c) above were recorded in the IOOF COR Incident Master
Spreadsheet [FFG.1016.0001.1389].

after becoming aware of the Firefly Cybersecurity Incident and prior to endorsing
or allowing the closure of the Firefly Cybersecurity Incident in the Aligned Dealer
Group Incident Register, RI Advice should have:
(a) identified the root cause of the Firefly Cybersecurity Incident;

Controls relevant to the root cause of the Firefly Cybersecurity Incident;
and
Firefly Cybersecurity Incident into its ongoing identification and mitigation
of risk in respect of cybersecurity and cyber resilience across its AR
network, by:
21

Cybersecurity Documentation and Controls relevant to the
Firefly Cybersecurity Incident, comprising Third party risk
management controls;
Particulars
Details of the Third party risk management controls [ED 4.1 to

ED 4.3] are provided in Schedule A.


the Firefly Cybersecurity Incident which was tailored to the identified
reviewing and remediating any gaps or deficiencies in its
Particulars
C.4 Toowoomba JEM Wealth Cybersecurity Incident – September 2016
33 At all material times from about 17 October 2014 until about 3 May 2018,
Benjamin McHugh (McHugh) was:

22

Clients; and
(d) a principal of a financial advice business trading as Toowoomba JEM

Wealth (Toowoomba JEM Wealth).
34 On or about 6 September 2016, RI Advice became aware of a Cybersecurity

Incident involving McHugh (Toowoomba JEM Wealth Cybersecurity Incident).
Particulars
The Toowoomba JEM Wealth Cybersecurity Incident was recorded

in the ADG Incident Register Incident Data Report with a ‘COR date
entered’ of 6 September 2016 and incident number INC-373428
[FFG.1016.0001.0004] and in the Tab ‘Pre-IOOF COR Incident
Register’ of the IOOF COR Incident Master Spreadsheet with
incident reference RE_018405 [FFG.1016.0001.1389].
35 By about 31 October 2016 at the latest, RI Advice:
(a) was aware, in respect of the Toowoomba JEM Wealth Cybersecurity

Incident, that:
(i) a Toowoomba JEM Wealth Retail Client had informed Toowoomba

JEM Wealth that she had been sent a suspicious email that
requested money and which appeared to have been sent from
McHugh’s email account (Malicious McHugh Email);
(ii) McHugh did not send the Malicious McHugh Email; and
(iii) Toowoomba JEM Wealth used ‘Microsoft Outlook 360’ and all of its
information was stored ‘in the Cloud’; it had no anti-virus software
installed on its systems; and there was one password which
everyone in the practice used to access the information stored ‘in
the Cloud’;
(b) had endorsed or allowed the Toowoomba JEM Wealth Cybersecurity

Incident to be recorded and closed out in the Aligned Dealer Group
Incident Register; and
23
(c) recorded that the remediation and follow up steps undertaken by

Toowoomba JEM Wealth and RI Advice in respect of the Toowoomba
JEM Wealth Cybersecurity Incident, prior to the incident being closed out
in the Aligned Dealer Group Incident Register, were limited to the
following:
(i) ANZ Legal & Group Investigations had been notified of the incident,
and they advised that Toowoomba JEM Wealth should arrange for
an information technology person to check out their systems;
(ii) relevant financial product providers were to be contacted to flag all

transactions associated with McHugh’s advisor code and
Toowoomba JEM Wealth was requested to ensure that its data was
securely backed up;
(iii) Toowoomba JEM Wealth confirmed that it had installed anti-virus

software and that it had changed the password to access
documents stored in the Cloud;
(iv) all Toowoomba JEM Wealth staff continued to have access to the
same password;
(v) Toowoomba JEM Wealth had notified clients of the incident and it
had received no other inquiries from clients in response to the
incident; and
(vi) no further ‘targeted review’ was required.
Particulars

Toowoomba JEM Wealth Cybersecurity Incident referred to in sub-
paragraphs (a) to (c) above were recorded in the IOOF COR
Incident Master Spreadsheet [FFG.1016.0001.1389] and the
Toowoomba JEM Wealth Cybersecurity Incident was recorded as
closed as at 31 October 2016 in the ADG Incident Register Incident
Data Report [FFG.1016.0001.0004].
24

after becoming aware of the Toowoomba JEM Wealth Cybersecurity Incident and
prior to endorsing or allowing the closure of the Toowoomba JEM Wealth
Cybersecurity Incident in the Aligned Dealer Group Incident Register, RI Advice
should have:
(a) identified the root cause of the Toowoomba JEM Wealth Cybersecurity
Incident;

Controls relevant to the root cause of the Toowoomba JEM Wealth
Cybersecurity Incident; and
Toowoomba JEM Wealth Cybersecurity Incident into its ongoing
identification and mitigation of risk in respect of cybersecurity and cyber
resilience across its AR network, by:

Toowoomba JEM Wealth Cybersecurity Incident:
Particulars


25
(d) Email filtering [ED 9.4 and ED 9.8].


the Toowoomba JEM Wealth Cybersecurity Incident which was
tailored to the identified cybersecurity risks applicable to its AR
network, including promptly reviewing and remediating any gaps or
deficiencies in its Cybersecurity Documentation and Controls.
Particulars
C.5 Wise Cybersecurity Incident – December 2016
38 At all material times until about 16 January 2019, Anthony Hilsley (Hilsley) was:

Clients; and
(d) a principal and director of Superannuation Advisory Service Pty Ltd trading
as Wise Financial Planning and/or SAS Advice (Wise Financial
Planning).
39 On or about 3 January 2017, RI Advice became aware of a Cybersecurity

Incident involving Hilsley and Wise Financial Planning (Wise Cybersecurity
Incident).
26
Particulars
The Wise Cybersecurity Incident was recorded in the ADG Incident

Register Incident Data Report with ‘logged’, ‘submitted’ and ‘report
sent’ dates of 3 January 2017 and an incident number of INC-
336398 [FFG.1016.0001.0004] and in the Tab ‘Pre-IOOF COR
Incident Register’ of the IOOF COR Incident Master Spreadsheet
with an incident reference of RE_022633 [FFG.1016.0001.1389].
Letter from RI Advice to ASIC dated 25 January 2019 in response

to Notice issued by ASIC under s 912C of ASIC Act
[FFG.1013.0001.0003 at 0005].
40 By about 20 February 2017 at the latest, RI Advice:
(a) was aware, in respect of the Wise Cybersecurity Incident, that:
(i) from about 26 December 2016 to about 1 January 2017, Wise

Financial Planning’s main reception computer was hacked by
ransomware software delivered by email; and
(ii) as a consequence, a number of Wise Financial Planning’s

electronic files were encrypted and made inaccessible;
(b) had endorsed or allowed the Wise Cybersecurity Incident to be recorded

and closed out in the Aligned Dealer Group Incident Register; and
(c) recorded that the remediation and follow up steps undertaken by Wise
Financial Planning and RI Advice in respect of the Wise Cybersecurity
Incident, prior to the incident being closed out in the Aligned Dealer Group
Incident register, were limited to the following:
(i) Wise Financial Planning had notified police, who had confirmed that
the issue was becoming very common, lodged the matter with the
Australian Cybercrime Online Reporting Network (ACORN),
contacted relevant financial product providers and requested a ‘flag’
on client records;
27
(ii) Wise Financial Planning’s external IT provider had reviewed

affected server files, and had done a ‘clean’ of the server, placed
additional unspecified ‘security measures’ on Wise Financial
Planning’s server, ‘updated’ passwords on unspecified devices and
ensured by unspecified means that there were ‘no back door
security gaps’, and confirmed that client data had not been affected
by the incident; and
(iii) the RI Advice Event Working Group had endorsed that no ‘targeted
review’ was required.
Particulars
The various reported matters and steps taken in respect of the Wise
Cybersecurity Incident referred to in sub-paragraphs (a) to (c)
above were recorded in the IOOF COR Incident Master
Spreadsheet [FFG.1016.0001.1389] and the Wise Cybersecurity
Incident was recorded in the ADG Incident Register Incident Data
Report with a close out date of 20 February 2017
[FFG.1016.0001.0004].

[FFG.1013.0001.0003 at 0005].

after becoming aware of the Wise Cybersecurity Incident and prior to endorsing
or allowing the closure of the Wise Cybersecurity Incident in the Aligned Dealer
Group Incident Register, RI Advice should have:
(a) identified gaps or deficiencies within the Cybersecurity Documentation and

Controls relevant to the root cause of the Wise Cybersecurity Incident
referred to in paragraph 40(a)(i) above; and
(b) incorporated the findings about the root cause and lessons learnt from the
Wise Cybersecurity Incident into its ongoing identification and mitigation of
risk in respect of cybersecurity and cyber resilience across its AR network,
by:
28

Wise Cybersecurity Incident:
(B) Email filtering;
(C) Application whitelisting;
(D) Privilege management; and
(E) Incident response; and
Particulars

(b) Email filtering [ED 9.4 and ED 9.8];
(c) Application whitelisting [ED 9.2 and ED 9.5];
(d) Privilege management [ED 5.3, ED 5.5 and ED 10.6]; and
(e) Incident response [ED 12.1 to ED 12.5]; and


the Wise Cybersecurity Incident which was tailored to the identified
29
Particulars
C.6 RI Circular Quay Cybersecurity Incident – May 2017
43 At all material times, John Leslie Walker (Walker) was and is:

Clients; and
(d) a principal of a financial advice business trading as RetireInvest Circular

Quay (RI Circular Quay).
44 On or about 30 May 2017, RI Advice became aware of a Cybersecurity Incident

involving RI Circular Quay that had occurred over the course of the past day
(RI Circular Quay Cybersecurity Incident).
Particulars
Email from Janelle Carey of RI Circular Quay to Advice Risk, copied

to Joseph Ayrout, RI Advice, dated 30 May 2017 re RI Circular
Quay - Desktop PC hacked [RIF.0004.0004.7817].
Tab ‘Pre-IOOF COR Incident Register’ in the IOOF COR Incident

Master Spreadsheet with an incident reference of RE_028669 and
‘Date Discovered’ date of 30 May 2017 and ‘COR Entered’ date of 6
June 2017 [FFG.1016.0001.1389].
30
45 Between about 30 May and 3 October 2017, RI Advice:
(a) became aware that RI Circular Quay had reported in respect of the
RI Circular Quay Cybersecurity Incident that:
(i) a computer server on RI Circular Quay’s local computer network

had been hacked by brute force through a remote access port;
(ii) RI Circular Quay’s shared office files had been encrypted and as a
result RI Circular Quay staff were not able to access them;
(iii) RI Circular Quay had been asked to pay a ransom to have the files
unencrypted and made accessible;
(iv) RI Circular Quay did not have a backup system in place;
(v) unless RI Circular Quay paid a ransom the encrypted data was not
recoverable;
(vi) the encrypted data included statement of advice records (which

contained customers’ names, addresses, dates of birth and
financial records), Centrelink customer numbers, fund manager
names and policy numbers, bank account details and tax file
numbers; and
(vii) approximately 226 client files had been affected;
Particulars

to Joseph Ayrout, RI Advice dated 30 May 2017 re RI Circular Quay
- Desktop PC hacked [RIF.0004.0004.7817].
Email from Janelle Carey of RI Circular Quay to Advice Risk dated

6 June 2017 re RI Circular Quay - Desktop PC hacked
[RIF.0004.0004.4704].

9 June 2017 re RI Circular Quay - Desktop PC hacked Acorn
Reference No. ARN-PC64-TRK4 [RIF.0004.0004.4704].
31
Email from Advice Risk to Janelle Carey of RI Circular Quay, copied

to Joseph Ayrout, RI Advice, dated 23 June 2017 attaching
spreadsheet entitled ‘List of Clients Affected with date of birth’
[RIF.0004.0004.4716 and RIF.0004.0004.4723].

to Joseph Ayrout, RI Advice, dated 26 June 2017 re RI Circular
Quay - Desktop PC hacked Acorn Reference No. ARN-PC64-TRK4
[RIF.0004.0004.4704].

to Joseph Ayrout, RI Advice, dated 17 July 2017 attaching
[RIF.0004.0004.4704 and RIF.0004.0004.4715].
Email from Joncarl La Rosa of RI Circular Quay to George Reinoso,

Nicholas Ponniah and Joseph Ayrout, RI Advice, dated 9 August
2017 re RI ACORN Report submission ARN-PC64-TRK4
[RIF.0004.0004.6929].
The RI Circular Quay Cybersecurity Incident was recorded in the

ADG Incident Register Incident Data Report [FFG.1016.0001.0004]
and in the Tab ‘Pre-IOOF COR Incident Register’ in the IOOF COR
Incident Master Spreadsheet [FFG.1016.0001.1389].
(b) had not obtained sufficiently detailed information from RI Circular Quay in
order to determine the root cause of the RI Circular Quay Cybersecurity
Incident; and
Particulars
Email from Joncarl La Rosa of RI Circular Quay to George Reinoso,

Nicholas Ponniah and Joseph Ayrout, RI Advice, dated 9 August
2017 re RI ACORN Report submission ARN-PC64-TRK4
[RIF.0004.0004.6929].
32
(c) endorsed or allowed the RI Circular Quay Cybersecurity Incident to be

retained in the Aligned Dealer Group Incident Register as an ‘open’
incident.
Particulars
As referred to in paragraph 47 below, the RI Circular Quay

Cybersecurity Incident was not closed out until about 3 October
2018 and was open for approximately 484 days before being closed
out.

ADG Incident Register Incident Data Report with ‘logged’,
‘submitted’ and ‘report sent’ dates of 6 June 2017 and a ‘close’ date
of 3 October 2018 (incident number INC-115056)
[FFG.1016.0001.0004] and a ‘COR date entered’ of 6 June 2017 in
the Tab ‘Pre-IOOF COR Incident Register’ in the IOOF COR
46 By about 4 October 2017, RI Advice was aware that:
(a) RI Advice was only able to provide very minimal support to RI Circular
Quay to seek to ensure that that such a Cybersecurity Incident did not
happen again as RI Advice did not have any specific cybersecurity
specifications or guidelines; and
(b) ANZ’s Manager of Security and Technology Risk Services had

recommended to RI Advice that RI Advice ask ANZ’s Cyber Security
Operations team to conduct an assessment of the technical environments
of the various RI Advice AR offices.
Particulars
Email exchange involving Joseph Ayrout, Practice Development

Leader, RI Advice, Peter Ornsby, CEO of RI Advice and Tessa
Micock, ANZ, and David Perger, ANZ dated 3 and 4 October 2017
RE: Privacy Consideration: RI Circular Quay [RIF.0004.0004.4665].
33
47 The RI Circular Quay Cybersecurity Incident recorded in the Aligned Dealer

Incident Register:
(a) remained open as at 15 May 2018;
(b) was not closed out until about 3 October 2018; and
(c) was open for approximately 484 days before being closed out.
Particulars

ADG Incident Register Incident Data Report with a ‘close’ date of
3 October 2018 [FFG.1016.0001.0004].
48 As at 15 May 2018, RI Advice had recorded that the remediation and follow up
steps undertaken by RI Circular Quay and RI Advice in respect of the RI Circular
Quay Cybersecurity Incident were limited to the following:
(a) the incident had been reported to ACORN;
(b) RI Circular Quay had reported that the desktop computer was completely
reset and all software reloaded; anti-virus software had been loaded on all
computer systems; remote access had been disabled and all staff had
been requested to change their email passwords; and the office internet
router password had been changed;
(c) relevant financial product providers had been contacted, and a caution flag
had been placed on the customers’ accounts to mitigate potential fraud
attempts;
(d) ANZ had been provided with a list of affected RI Circular Quay clients so
that additional security could be placed on the accounts; and
(e) RI Circular Quay had notified approximately 222 impacted clients and
recommended that they update passwords and contact
http://www.idcare.org/ for further support.
34
Particulars

6 June 2017 re RI Circular Quay - Desktop PC hacked
[RIF.0004.0004.4704].

9 June 2017 re RI Circular Quay - Desktop PC hacked Acorn
Reference No. ARN-PC64-TRK4 [RIF.0004.0004. 4704].

to Joseph Ayrout, RI Advice, dated 26 June 2017 re RI Circular
Quay - Desktop PC hacked Acorn Reference No. ARN-PC64-TRK4
[RIF.0004.0004. 4704].

to Joseph Ayrout, RI Advice, dated 17 July 2017 attaching
[RIF.0004.0004.4704 and RIF.0004.0004.4715].
Email from Advice Risk to Tessa Micock and Joncarl La Rosa,

copied to Peter Ornsby, RI Advice, dated 3 October 2017 Re
Privacy Considerations [RIF.0004.0004.4695].

ADG Incident Register Incident Data Report with ‘logged’,
‘submitted’ and ‘report sent’ dates of 6 June 2017
[FFG.1016.0001.0004] and a ‘COR Date Entered’ of 6 June 2017 in
the Tab ‘Pre-IOOF COR Incident Register’ in the IOOF COR

[FFG.1013.0001.0003 at 0005].
49 By reason of the matters pleaded in paragraphs 13 and 15 and 43 to 48 above,

after becoming aware of the RI Circular Quay Cybersecurity Incident, RI Advice
should have:
35
(a) identified the root cause of the RI Circular Quay Cybersecurity Incident;

Controls relevant to the root cause of the RI Circular Quay Cybersecurity
Incident; and
RI Circular Quay Cybersecurity Incident into its ongoing identification and
AR network, by:

across its entire AR network, and seeking technical security
assurance across a number of its ARS, of the effectiveness of the
RI Circular Quay Cybersecurity Incident:
(A) Account lockout policies;
(B) Password complexity;
(C) Multi-factor authentication;
(D) Port security;
(E) Log monitoring;
(F) Incident response;
(G) Patch management; and
(H) Backups; and
Particulars

(a) Account lockout policies [ED 5.3];
(b) Password complexity [ED 5.1 and ED 7.1];

36
(c) Multi-factor authentication [ED 5.1, ED 5.3 and ED 5.6];
(d) Port security [ED 9.4 and ED 9.8];
(e) Log monitoring [ED 10.1 to ED 10.6];
(f) Incident response [ED 12.1 to ED 12.5];
(g) Patch management [ED 11.2 and ED 11.4]; and
(h) Backups [ED 13.3 and ED 13.5].


the RI Circular Quay Cybersecurity Incident which was tailored to
the identified cybersecurity risks applicable to its AR network,
including promptly reviewing and remediating any gaps or
50 RI Advice did not take the steps referred to in paragraphs 46(b) and 49 above,
adequately or at all, by 15 May 2018 or at any relevant time.
Particulars
The only steps taken were those set out in paragraph 48 above,
which did not amount to taking the steps referred to in paragraphs
46(b) and 49 above adequately or at all.
C.7 FFG Data Breach – December 2017 to April 2018
51 At all material times, Frontier Financial Group Pty Ltd as trustee for The Frontier
Trust (FFG) was and is:
(b) not an AR of any other financial services licensee; and

Clients.
37
52 From about 30 December 2017 until about 15 April 2018, an unknown malicious
agent obtained and retained unauthorised remote access to FFG’s file server
(FFG Data Breach), through an FFG employee’s account.
53 During the FFG Data Breach, the malicious agent spent a total of more than 155
hours logged into the FFG file server.
54 The compromised FFG file server contained Personal Information including

documents recording client names, addresses, tax file numbers, transaction
account numbers, transaction details, identification documents, and, in some
cases, health information.
Particulars
The data contained on the compromised FFG file server is referred

to the ‘Event Closure Report – RI Advice: Frontier Financial Group
(FFG) Notifiable Data Breach (NBD) – FINAL’ dated 18 September
2019 – [FFG.1020.0001.0154] and in the KPMG Retire Invest Pty
Ltd Cyber Incident Response – Forensic Review dated 24 October
2018 [PP2.1003.0002.0004].
55 FFG did not detect the FFG Data Breach until about 16 April 2018.
56 On or about 15 May 2018, RI Advice became aware:
(a) of the FFG Data Breach;
(b) that FFG had detected the FFG Data Breach on or about 16 April 2018;
and
(c) that three FFG Retail Clients had informed FFG of the unauthorised use of
their personal information, which included a mail redirection application
being lodged with Australia Post, and multiple bank accounts that had
been opened, without their consent.
Particulars
Telephone call between Richard McLean, the proprietor of FFG,

and Peter Ornsby, CEO of RI Advice, referred to in email between
38
Peter Ornsby and Advice Risk dated 15 May 2018 Re Frontier

Financial [FFG.0014.0001.0179].
The FFG Data Breach was recorded in the FFG ADG Incident
Register Incident Data Report (incident review number IFR-01589)
with ‘discovery’, ‘logged’, ‘submitted’ and ‘report sent’ dates of 15
May 2018 [FFG.1016.0001.0004].
Email from Steven Woodford of FFG to Peter Ornsby dated 15

May 2018 [FFG.0014.0001.0180].

[FFG.1013.0001.0003 at 0006].
D. INADEQUACY OF STEPS TAKEN BY RI ADVICE UP TO 15 MAY 2018 AND

INADEQUACY OF CYBERSECURITY SYSTEMS IN PLACE AS AT 15 MAY 2018
D.1 Inadequacy of May 2018 Cybersecurity Documentation and Controls
57 Prior to and as at 15 May 2018, the Cybersecurity Documentation and Controls

that RI Advice held or had access to for the management of risk in respect of
cybersecurity and cyber resilience across its AR network were as follows:
(a) ANZ Aligned Licensees & Advice Standards, Business Continuity, version
1.0, date of rehearsal 19 March 2018 [FFG.1022.0001.1916];
(b) ANZ Aligned Licensees & Advice Standards, Governance Framework,

version 2.0, dated April 2017 [FFG.1012.0001.0197];
(c) ANZ Business Continuity and Crisis Management Policy, version 5, dated
April 2018 [FFG.1022.0001.0559];
(d) ANZ Business Continuity Management, Enablement & Governance dated

September 2016 [FFG.1022.0001.0570];
(e) ANZ Control 37 - Disaster Recovery Tests have been prepared and are
tested on a regular basis [FFG.1022.0001.0545];
39
(f) ANZ Disaster Recovery Issues Work Instructions dated about February
2014 [FFG.1022.0001.0598];
(g) Electronic Storage Guide, version 1.0, released 26 March 2018, effective
1 May 2018 [FFG.1002.0001.0005];
(h) ANZ Global Operational Risk Library, Risk Library Index, version 4.0,
dated 15 August 2013 [FFG.1018.0001.0216];
(i) ANZ Information Security Standard, version 1.0, dated February 2016
[FFG.1022.0001.0747];
(j) ANZ Operational Risk – Change Management Process, version 2.1, dated
8 January 2016 [FFG.1018.0001.0416];
(k) ANZ Operational Risk Capital Measurement Methodology, version 1.2,

dated 21 July 2015 [FFG.1018.0001.0318];
(l) ANZ Operational Risk – Key Control Effectiveness, version 2.0, dated
1 April 2017 [FFG.1018.0001.0230];
(m) ANZ Operational Risk – Risk and Control Assessment, version 1.8, dated
28 June 2016 [FFG.1018.0001.0512];
(n) ANZ Operational Risk Measurement and Management Policy, version 4.0,
dated December 2016 [FFG.1018.0001.0498];
(o) Privacy Standard, version 2.0, dated February 2018

[FFG.1022.0001.1205];
(p) Cybersecurity awareness presentations and guides;
Particulars
RI Advice – Cyberfraud presentation dated November 2014

[FFG.1007.0001.0093].
Kaplan Professional Cyber resilience: good practice and guidance

dated November 2016 [FFG.1003.0001.0098].
40
(q) RI Advice procedures, application forms and checklists for recruitment,

appointment and cancellation of ARs and RI Advice Practices; and
Particulars
ADG Recruitment Fact Find (Version 15) dated February 2018

[FFG.1022.0001.2377].
Goldseal Human Resources Guidance Handbook (version 12)

dated about February 2018 Section 8.10 (Reference checks)
[FFG.1022.0002.0010].
RI Advice Practice Development Manager Application Checklist

dated about 14 February 2018 [FFG.1022.0001.2374].
RI Advice APPOINTMENT: Authorised Representative Appointment

Checklist dated about 6 February 2016 [FFG.1022.0001.1654].
RI Advice Authorised Representative Application Form, Version 18,

April 2018 [FFG.1022.0001.1679].
RI Advice Practice Application Form Version 14, May 2017

[FFG.1022.0001.1702].
RI Advice Reference Check Form dated about July 2016

[FFG.1022.0001.1650].
(r) RI Advice, Section 3 of RI Advice Professional Standards Manual,

Procedures and Policies dated July 2017 [FFG.1022.0001.0448],
(the May 2018 Documentation and Controls).
58 Prior to and as at 15 May 2018, RI Advice did not have in place any
Cybersecurity Documentation and Controls for the management of risk in respect
of cybersecurity and cyber resilience across its AR network other than as referred
to in paragraph 57 above.
41
59 By its May 2018 Documentation and Controls, RI Advice:
(a) did not adequately document the roles and responsibilities of RI Advice
and its ARs as to the management of risk in respect of cybersecurity and
cyber resilience across its AR network;
(b) predominantly relied upon ANZ-developed documents, which:
(i) were specific to the ANZ organisation and its IT environment;
(ii) were not tailored to RI Advice and its ARs’ requirements for the
management of risk in respect of cybersecurity and cyber resilience
across its AR network; and
Particulars
With the exception of the documents referred to in paragraphs

57(g), (i), (o), (p), (q) and (r) above, each of the May 2018
Documentation and Controls had the characteristics referred to in
sub-paragraphs (i) and (ii) above.
(iii) had not been implemented and operationalised by RI Advice as part

of its governance and management of risk in respect of
cybersecurity and cyber resilience across its AR network;
Particulars
With the exception of the documents referred to in paragraphs

57(g), (p), (q) and (r) above, each of the May 2018 Documentation
and Controls had the characteristics referred to in sub-paragraph
(iii) above.
(c) did not adopt and implement adequate Cybersecurity Documentation and
Controls in each of the 13 Cybersecurity Domains;
(d) did not meet the Minimum Cybersecurity Requirements; and
(e) did not adequately manage risk in respect of cybersecurity and cyber
resilience across its AR network.
42
Particulars
The gaps between the May 2018 Documentation and Controls and
the Cybersecurity Documentation and Controls which RI Advice
should have had in place in each of the 13 Cybersecurity Domains
in order to meet the Minimum Cybersecurity Requirements are set
out in Schedule B.
D.2 Contraventions in respect of conduct up to and as at 15 May 2018
60 By reason of the matters pleaded in paragraphs 2 to 5, 11 to 15, 21, 22, 25, 26,
31, 32, 36, 37, 41, 42, 49, 50 and 57 to 59 above, as at 15 May 2018, RI Advice:
(a) in contravention of s 912A(1)(a) of the Act, failed to do all things necessary

to ensure that the financial services covered by the Licence were provided
efficiently, honestly and fairly, in that by reason of RI Advice’s failures to
comply with its obligations referred to in paragraphs 13 to 15 above, the
financial services covered by the Licence were not provided efficiently or
fairly because RI Advice’s performance in respect of cybersecurity and
cyber resilience was inadequate and exposed the persons to whom the
financial services were supplied to an unacceptable level of risk, and did
not meet the reasonable standard of performance that the public is entitled
to expect;
(b) in contravention of s 912A(1)(b) of the Act, failed to comply with the

condition of the Licence requiring it to establish and maintain compliance
measures that ensure, as far as is reasonably practicable, that it complies
with the provisions of the financial services laws (which relevantly
comprise ss 912A(1)(a), (d) and (h) of the Act), in that by reason of
RI Advice’s failures to comply with its obligations referred to in paragraphs
13 to 15 above, RI Advice failed to establish and maintain such
compliance measures in respect of cybersecurity and cyber resilience;
(c) in contravention of s 912A(1)(c) of the Act, failed to comply with the

financial services laws (which relevantly comprise ss 912A(1)(a), (b), (d)
and (h) of the Act);
43
(d) in contravention of s 912A(1)(d) of the Act, failed to have available

adequate resources (including financial, technological and human
resources) to provide the financial services covered by the Licence and to
carry out supervisory arrangements, in that by reason of RI Advice’s
failures to comply with its obligations referred to in paragraphs 13 to 15
above, RI Advice’s relevant resources in respect of cybersecurity and
cyber resilience, comprising its Cybersecurity Documentation and
Controls, were inadequate to provide the financial services covered by the
Licence without exposing the persons to whom the financial services were
supplied to an unacceptable level of risk; and
(e) in contravention of s 912A(1)(h) of the Act, failed to have adequate risk

management systems, in that by reason of RI Advice’s failures to comply
with its obligations referred to in paragraphs 13 to 15 above, RI Advice’s
relevant risk management systems in respect of cybersecurity and cyber
resilience, comprising its Cybersecurity Documentation and Controls, were
inadequate to prevent the exposure of the persons to whom the financial
services were supplied to an unacceptable level of risk.
E. INADEQUACY OF STEPS TAKEN BY RI ADVICE UP TO 12 AND 13 MARCH

2019 AND INADEQUACY OF CYBERSECURITY SYSTEMS IN PLACE AS AT 12
AND 13 MARCH 2019
E.1 First RI Shepparton Cybersecurity Incident – May 2018
61 At all material times, Financial Lifestyle Partners (Shepparton) Pty Ltd and
Sandra Miller were and are:
(a) together trading as an RI Advice Practice, RI Advice Shepparton

(RI Shepparton);
(b) ARs of RI Advice;
(c) not ARs of any other financial services licensee; and

Clients.
44
62 At all material times, Sandra Miller was and is a principal and a director of
Financial Lifestyle Partners (Shepparton) Pty Ltd.
63 On about 29 May 2018, RI Advice became aware of a Cybersecurity Incident

involving Sandra Miller and RI Shepparton that had occurred on about 23 May
2018 (First RI Shepparton Cybersecurity Incident).
Particulars
Email from George Ambrose of RI Advice to ADG Complaints (ANZ)

dated 29 May 2018 [RIF.0004.0005.6804].
Notifiable Data Breach Assessment Guide dated 18 June 2018.

[FFG.1016.0001.0235].
64 By about 13 September 2018 at the latest, RI Advice:
(a) was aware, in respect of the First RI Shepparton Cybersecurity Incident,

that:
(i) an unknown party had obtained unauthorised access to Sandra

Miller’s RI Shepparton email account; and
(ii) the unknown party had used the email account to impersonate
Sandra Miller by sending emails to request a bookkeeper to transfer
USD50,000 to a Turkish bank account that day (which transfer was
not made);
Particulars
RI Advice was provided with copies of the emails exchanged on

23 May 2018 between Sandra Miller’s RI Shepparton email account
and the bookkeeper [RIF.0004.0005.6804 and
RIF.0004.0005.6807].
The ADG Incident Register Incident Data Report

[FFG.1016.0001.0004] and the IOOF COR Incident Master
Spreadsheet [FFG.1016.00001.1389] both record that the First
45
RI Shepparton Cybersecurity Incident was entered on 30 May 2018

with an incident reference of RE_047922.
(b) had endorsed or allowed the First RI Shepparton Cybersecurity Incident to

be recorded in the Aligned Dealer Group Incident Register and the
incident had been endorsed by the RI Advice Event Working Group for
closure in the Aligned Dealer Group Incident Register; and

RI Shepparton and RI Advice in respect of the First RI Shepparton
Cybersecurity Incident, prior to the incident being endorsed for closure in
the Aligned Dealer Group Incident Register, were limited to the following:
(i) RI Advice had advised RI Shepparton to ensure that

RI Shepparton’s staff were informed of this matter and were to be
alert for suspicious emails; to verify all client withdrawal requests
with a phone call; and to upgrade RI Shepparton’s IT security and
set up extra authentication on email accounts;
(ii) RI Shepparton had reported that it had changed ‘all’ passwords for
all staff and had started to use the ‘LastPass’ password manager to
secure all passwords;
(iii) the incident had been registered with ACORN;
(iv) a third-party information technology service provider had reviewed

the incident and all of RI Shepparton’s computers and had
concluded that:
(A) the likely cause was a Trojan (a form of malicious software)

installed on Sandra Miller’s laptop computer, and the Trojan
had been removed;
(B) the unknown actor had access to Sandra Miller’s emails and
appeared to have read her emails in order to impersonate
her, and this email account did not contain client information;
and
46
(C) the unknown actor did not have access to any of RI

Shepparton’s other computer systems, and these had not
been impacted.
Particulars
The various reported matters and steps taken in respect of the First
RI Shepparton Cybersecurity incident referred to in sub-paragraphs
(a) to (c) above were recorded in the RI Advice Event Working
Group Minutes of Forum Meeting #29 dated 13 September 2018
[FFG.1016.0001.0420].
Notifiable Data Breach Assessment Guide [FFG.1016.0001.0235].

after becoming aware of the First RI Shepparton Cybersecurity Incident and prior
to endorsing the closure of the First RI Shepparton Cybersecurity Incident in the
Aligned Dealer Group Incident Register, RI Advice should have:
(a) identified the root cause of the First RI Shepparton Cybersecurity Incident;

Controls relevant to the root cause of the First RI Shepparton
Cybersecurity Incident; and
First RI Shepparton Cybersecurity Incident into its ongoing identification
and mitigation of risk in respect of cybersecurity and cyber resilience
across its AR network, by:

First RI Shepparton Cybersecurity Incident:

47
(C) Incident response;
(E) Application whitelisting;
Particulars
Further details of the following relevant Cybersecurity

Documentation and Controls are provided in Schedule A:
(c) Incident response [ED 12.1 to ED 12.5];
(d) Email filtering [ED 9.4 and ED 9.8]; and
(e) Application whitelisting [ED 9.2 and ED 9.5].


the First RI Shepparton Cybersecurity Incident which was tailored to
the identified cybersecurity risks applicable to its AR network,
including promptly reviewing and remediating any gaps or
at all, by 12 or 13 March 2019 or at any relevant time.
Particulars
48
E.2 RI Advice’s receipt of reports in relation to FFG Data Breach
67 On or about 4 June 2018, FFG lodged a Notifiable Data Breach form (Notifiable
Data Breach Form) in respect of the FFG Data Breach with the Office of the
Australian Information Commissioner (OAIC), and RI Advice was aware of that
fact from about that date.
Particulars
Notifiable Data Breach Form [PP2.0010.0001.0024].
The RI Advice Event Working Group Forum Meeting #30 papers

dated 22 October 2018 [FFG.1016.0001.0544 at 0573 to 0574]
noted that on 16 May 2018 the Notifiable Data Breach Assessment
was to be completed and reviewed by second line risk and legal,
and that on 4 June 2018 the Notifiable Data Breach Form had been
submitted to the OAIC.
68 By its Notifiable Data Breach Form, FFG estimated that it was likely that the 833
customers about whom it held high level information were at risk of serious harm
as a result of the FFG Data Breach.
69 Between about 5 and 7 June 2018, FFG notified certain of its Retail Clients of the
FFG Data Breach, and RI Advice was aware of that fact from about those dates.
Particulars
The notifications were sent by letter dated 5 June 2018, signed by

Richard McLean of FFG. A version of the letter is at
PP2.0011.0001.0116 [at 0118].
The review and dispatch of the letters was noted by the RI Advice
Event Working Group in the Forum Meeting #30 papers dated 22
October 2018 [FFG.1016.0001.0544].
70 On or about 7 August 2018, RI Advice received from FFG a report prepared by a

third-party IT service provider, Vixtro, regarding FFG’s desktop and network
security (Vixtro Report).
49
Particulars
Frontier Financial Group IT Report, dated 3 August 2018

[FFG.1000.0001.0058].
The receipt of the report by RI Advice was noted in the RI Advice,

FFG and KPMG Tripartite meeting minutes for 7 August 2018
[FFG.0010.001.5155].
71 By its receipt of the Vixtro Report, RI Advice was aware that Vixtro had reported
deficiencies with FFG’s desktop and network security, including that:
(a) 90% of desktops were identified as not having up-to-date antivirus

software (page 1);
(b) there were no scheduled scans during the working week for antivirus
software (page 1);
(c) there was no filtering or quarantining of emails (page 2);
(d) no offsite backups had been performed (page 2);
(e) the domain Administrator account was still default and the password was
known by external parties (page 2);
(f) passwords and other security details were found in text files on the server
desktop (page 2); and
(g) the remote desktop computer was accessible on default port 3389
(page 2).
72 By about 7 September 2018, RI Advice was aware that 27 Retail Clients of FFG
had informed FFG of the unauthorised use of their personal information.
Particulars
The 27 affected Retail Clients of FFG were listed in a client impact

spreadsheet dated 7 September 2018 [FFG.0010.0001.5833].
50
The updated client impact spreadsheet was noted as being

available to RI Advice through the ‘evidence folder’, in the RI
Advice, FFG and KPMG Tripartite meeting minutes for
11 September 2018 [FFG.0010.0001.5172].
The communications from affected Retail Clients were kept in FFG

files in respect of each client, which files were made available to
RI Advice: [PP2.0011.0001.0184, PP2.0011.0001.0131,
PP2.0011.0001.0027, PP2.0011.0001.0074, PP2.0011.0001.0116,
PP2.0011.0001.0149, PP2.0011.0001.0348, PP2.0011.0001.0170,
PP2.0011.0001.0390, PP2.0011.0001.0362, PP2.0011.0001.0041,
FFG.0010.0001.0208, PP2.0011.0001.0253, PP2.0011.0001.0216,
PP2.0011.0001.0060, PP2.0011.0001.0230, PP2.0011.0001.0002,
PP2.0011.0001.0320, PP2.0011.0001.0163, PP2.0011.0001.0269,
PP2.0011.0001.0377, PP2.0011.0001.0241, FFG.0010.0001.0551].
E.3 RI Advice’s cyber security risk reviews of RI Advice Practices – late 2018
73 In about August 2018, in response to a request from RI Advice, Security in

Depth, a third-party cybersecurity firm, provided a proposal to perform a cyber
assurance risk review (CARR) of 110 RI Advice Practices.
Particulars
Email chain between Peter Ornsby, CEO of RI Advice, and Michael

Connory, CEO of Security in Depth, between 10 and 15 August
2018 [RIF.0004.0004.3598], attaching Security in Depth Quotation
for supply of Cyber Assurance Risk Rating for RI Group dated 15
August 2018 [RIF.0004.0004.3605].
74 In about September and October 2018, RI Advice engaged Security in Depth to

perform a CARR of only five RI Advice Practices, including RI Circular Quay and
RI Shepparton.
Particulars
Security in Depth was engaged to perform CARRs of the ARs

trading as RI Advice – Berwick (namely Casey FP Pty Ltd, Craig
51
Allan Volk, Pierina Di Stella and Bradley Stephen Poole)

(RI Berwick), the ARs trading as Horizons Wealth (namely,
Matthew John Dunstone, Scott Paul Mitton and The Trustee for
Melbourne Wealth Manager Unit Trust) (Horizons Wealth), the
ARs trading as RI Lower Hunter (namely, Gordon Financial
Services Pty Ltd, Gilbert Gordon and Stephen Baxter) (RI Lower
Hunter), RI Circular Quay, and RI Shepparton.
Email chain between Peter Ornsby and Michael Connory, Security

in Depth re Cyber Assurance Risk rating – pilot dated 4 September
2018 [RIF.0004.0004.6492].
Email from Michael Connory, Security in Depth, to Peter Ornsby re

Introduction letter dated 7 September 2018 [RIF.0004.004.5457].
Email chain between Peter Ornsby and Brad Poole, RI Berwick,

dated 12 September 2018 [RIF.0004.0004.4083].
Email from Peter Ornsby to Gil Gordon, RI Lower Hunter, dated 12

September 2018 [RIF.0004.0004.9119].
Email from Peter Ornsby to Matt Dunston, Horizons Wealth, dated

12 September 2018 [RIF.0004.0004.9191].
Email chain between Peter Ornsby, Sandra Miller, RI Shepparton

and Michael Connory dated 22 and 23 October 2018
[RIF.0004.0005.0114].
Email from Peter Ornsby to Sandra Miller, RI Shepparton dated 23

October 2018 [RIF.0004.0004.9209].
Email from Peter Ornsby to John Walker, RI Circular Quay dated 23

October 2018 [RIF.0004.0004.8964].
75 After having completed the CARRs of three RI Advice Practices, in about

October 2018, Security in Depth provided RI Advice with a CARR report for the
RI Advice Group, by which it informed RI Advice that:
52
(a) each of the three RI Advice Practices had significant issues with managing
and protecting clients’ data, and if this was an accurate reflection on the
entire RI Advice organisation, significant change would be urgently
recommended;
(b) the following critical issues were discovered during Security in Depth’s
review process:
(i) Poor password management – enabling potential malicious

individuals to be able to gain access to client files;
(ii) Limited or poor use of two factor authentication – meaning that

once a password was compromised a malicious individual would
have no security protocols stopping them from gaining complete
access to all systems;
(iii) Limited or non-existent monitoring tools and services to detect if a

malicious individual had gained access or still had access to
internal systems;
(iv) Limited or no process for maintaining strong governance by

implementing and maintaining strong policies and processes;
(v) No processes for managing potential cybersecurity incidents, which

Security in Depth considered a serious requirement for staff
awareness training; and
(vi) No staff or vendor validation process;
(c) Security in Depth had discovered a malicious attempt to gain access to

information, and yet no detection system was in place, no process to
manage the incident was available, and no communication process was
utilised to provide information concerning, and manage, the incident;
(d) the three RI Advice Practices reviewed were well below industry standards
for finance organisations across Australia, and Security in Depth
recommended significant changes to process and policy; and
53
(e) Security in Depth recommended that RI Advice immediately have CARRs

performed of all of its RI Advice Practices (Recommended AR Network
CARRs).
Particulars
The matters referred to in sub-paragraphs (a) to (e) above were

referred to in the CARR report for RI Advice, dated October 2018
[FFG.1012.0001.0066] at page 3.
Security in Depth prepared the report after performing the CARRs

of RI Lower Hunter, RI Advice Berwick and Horizons Wealth.
76 Between about September and October 2018, Security in Depth also provided RI
Advice with CARR reports for five of its RI Advice Practices.
Particulars
CARR report for RI Berwick, dated September 2018

[FFG.1012.0001.0018];
CARR report for Horizons Wealth, dated September 2018

[FFG.1012.0001.0008];
CARR report for RI Lower Hunter, dated October 2018

[FFG.1012.0001.0028];
CARR report for RI Circular Quay, dated October 2018

[FFG.1012.0001.0038]; and
CARR report for RI Shepparton, dated October 2018

[FFG.1012.0001.0048].
77 By reason of its receipt of the five CARR reports referred to in paragraph 76

above, RI Advice was aware that Security in Depth considered that:
(a) three of the five RI Advice Practices’ cybersecurity status was assessed as
‘Poor’ (including RI Circular Quay and RI Shepparton);
54
(b) the other two of the five RI Advice Practices’ cybersecurity status was
assessed as ‘Fair’; and
(c) in relation to the three RI Advice Practices the cybersecurity status of

which was assessed as ‘Poor’:
(i) they had no discernible cybersecurity policies, processes and

procedures in writing, and all policies that did exist had been put
together to manage immediate security requirements rather than
being based on an overarching security framework;
(ii) they had no structured cybersecurity governance program driven

from the executive down; and
(iii) it was highly likely that a cyber incident could occur over the next
twelve months with significant impact on their ability to provide
critical services.
Particulars
RI Berwick’s cybersecurity status was assessed as ‘Poor’. The

matters referred to above relating to RI Berwick were reported in
the CARR report for RI Berwick, dated September 2018
[FFG.1012.0001.0018] at page 3.
Horizons Wealth’s cybersecurity status was assessed as ‘Fair’:

CARR report for Horizons Wealth, dated September 2018
[FFG.1012.0001.0008] at page 3.
RI Lower Hunter’s cybersecurity status was assessed as ‘Fair’:

CARR report for RI Lower Hunter, dated October 2018
[FFG.1012.0001.0028] at page 3.
The matters referred to above relating to RI Circular Quay were

reported in the CARR report for RI Circular Quay, dated October
2018 [FFG.1012.0001.0038] at page 3.
55
The matters referred to above relating to RI Shepparton were

reported in the CARR report for RI Shepparton, dated October 2018
[FFG.1012.0001.0048] at page 3.
78 Further, by about 25 January 2019 at the latest, RI Advice received from Cyber
Indemnity Solutions, a third-party cybersecurity firm, a summary of its
cybersecurity assessment for two RI Advice Practices.
Particulars
Cyber Assessments for Retire Invest Bondi and for Retire Invest
Newcastle & Lower Hunter (undated) [FFG.1012.0001.0058].
RI Advice letter to ASIC dated 25 January 2019

[FFG.1013.0001.0003] (item 3).
As referred to in paragraph 102(a) below, in about April 2019,

RI Advice received detailed assessments of the Cyber Indemnity
Solutions cybersecurity assessment for the two RI Advice Practices.
79 By reason of its receipt of the cybersecurity assessment summary referred to in

paragraph 78 above, RI Advice was aware that Cyber Indemnity Solutions
considered that:
(a) one of the two RI Advice Practices’ cybersecurity status was assessed as
‘Basic/Adhoc’, and the cybersecurity status of the second RI Advice
Practice was assessed as ‘Maturing’; and
Particulars
Retire Invest Bondi’s cybersecurity status was assessed as

‘Basic/Adhoc’ (page 2).
Retire Invest Newcastle & Lower Hunter’s cybersecurity status was

assessed as ‘Maturing’ (page 4).
(b) in relation to the RI Advice Practice the cybersecurity status of which was
assessed as ‘Basic/Adhoc’:
56
(i) identification and management of IT assets was not performed.

When organisations do not know what they have it is very difficult to
protect systems and access because management is ad-hoc at
best (page 3);
(ii) there was no coordination with third party suppliers to manage

cyber risk in respect of supply chain risk (page 3);
(iii) access control was not performed to a sufficient standard. There

were weak passwords, regular users had administration access and
weak authentication was common (page 3);
(iv) there was no protection of data. The organisation did not manage
information and records to any appropriate standard (page 3);
(v) application hardening and white listing was not performed. This left
the organisation vulnerable to many hacking exploits (page 3);
(vi) there was no proactive monitoring of cyber risk with protective

technologies (page 3);
(vii) there was no continuous monitoring of cyber threats. There were

no monitoring capabilities to detect cybersecurity breaches caused
by vulnerabilities (page 3); and
(viii) there were no daily backups performed (page 3).
80 Other than as referred to in paragraphs 76 to 79 above, RI Advice did not obtain

the Recommended AR Network CARRs by 12 or 13 March 2019 and nor, other
than as referred to in paragraph 117(i) below, did it do so at any relevant time.
E.4 KPMG report in relation to the FFG Data Breach
81 On or about 10 July 2018, ANZ, on behalf of RI Advice, engaged KPMG Forensic

Pty Ltd (KPMG) to perform a forensic technology investigation in respect of the
FFG Data Breach.
57
Particulars
Letter from KPMG to Nikolas Kloufetos, ANZ, dated 10 July 2018

[FFG.0015.0001.8906].
RI Advice’s event closure report for the FFG Data Breach dated 18
September 2019 [FFG.1020.0001.0154] refers at pages 1 to 2 to RI
Advice’s engagement of KPMG.
82 On or about 24 October 2018, KPMG provided RI Advice with a report setting out
its conclusions and recommendations from its investigation of the FFG Data
Breach (KPMG Report).
Particulars
KPMG Retire Invest Pty Ltd Cyber Incident Response – Forensic

Review dated 24 October 2018 [PP2.1003.0002.0004].
Appendix A – Grant Thornton Incident assessment Frontier FG

[PP2.1003.0001.0026].
Appendix B - Jayden RDP Sessions [PP2.1003.0001.0032].
Appendix C - Internet Sites Visited [PP2.1003.0001.0042].
Appendix D - Dropbox Files Accessed [PP2.1003.0001.0056].
Appendix E - Artefacts Relating to Frontier File Share Access

[PP2.1003.0001.0058].
Appendix F – Frontier Security Implementation Schedule

[RIF.0004.0005.5290] (Draft).
Appendix G – Essential Eight maturity levels dated April 2018

[RIF.0004.0005.5287].
83 By its receipt of the KPMG Report, RI Advice was aware that KPMG had
concluded that:
58
(a) the root cause of the FFG Data Breach was likely to be the result of the
malicious user performing a brute force attack (that is, attempting login by
trial and error) using an FFG employee login against FFG’s remote
desktop server (at [1.3]);
(b) between 20 and 30 October 2017, there were 27,814 unsuccessful login
attempts using 2,178 different usernames from 10 different countries
(at [2.1]);
(c) there was a lack of working backups of the compromised remote desktop
server, which meant that potential evidence regarding the FFG Data
Breach for the period between 30 December 2017 and 3 March 2018 was
unable to be recovered for analysis (at [1.4] and [2.1]);
(d) on a conservative basis, the malicious user had spent in excess of 155
hours logged into the FFG infrastructure across a span of 106 days from
30 December 2017 to 15 April 2018 (at [1.3]);
(e) the malicious user had installed various software on the FFG server,
including to enable brute forcing, crypto currency mining, a virtual private
network, peer-to-peer file sharing and other hacking capability (at [2.2]);
(f) the malicious user had access through the compromised FFG user’s
account to the entire contents of FFG’s file server, including documents
relating to three FFG clients who were the subject of reported instances of
identity fraud in April 2018 (at [1.3]);
(g) given the extent of the period of compromise and the free access to all
contents of both file server data shares, all data on FFG’s data services
should be considered to be compromised (at [1.3]); and
(h) KPMG recommended that:
(i) all data on the fileserver shares that were accessible during the
period that the malicious user had access be reviewed for
personally identifiable information or other sensitive information that
may indicate the issue was classified as a notifiable data breach (at
[3]);
59
(ii) as a baseline, FFG should consider implementing the Australian

Cyber Security Centre’s Essential Eight cybersecurity strategies to
mitigate cybersecurity incidents, and that after this was
implemented a review of FFG’s information security posture should
be conducted, including a vulnerability assessment and penetration
testing in order to understand and manage the ongoing risk profile
(at [3]); and
(iii) a review of the disaster recovery back-up process should be

conducted to identify the cause which rendered the incremental
backups unusable for KPMG’s analysis, which review should
encompass both the onsite and cloud backups (at 3).
E.5 Inadequacy of steps taken by RI Advice up to 12 and 13 March 2019
84 As at 12 and 13 March 2019, FFG and RI Advice had not concluded their
investigation and remediation of the FFG Data Breach.
Particulars
As referred to in paragraph 96 below, FFG and RI Advice did not

conclude their investigation and remediation until about September
2019.
‘Event Closure Report – RI Advice: Frontier Financial Group (FFG)

Notifiable Data Breach (NBD) – FINAL’ dated 18 September 2019 –
[FFG.1020.0001.0154].
Email dated 19 September 2019 from Richard McLean, of FFG, to

OAIC, copied to Nikolas Kloufetos, Project manager, Licensee
Remediation, IOOF, re OAIC Reference number: DBN18/00331 –
Conclusion of investigation and remediation of Frontier Financial
Group data breach [FFG.1020.0001.0206].
85 From about September and October 2018 to 13 March 2019, including as a

consequence of its knowledge of the FFG Data Breach, RI Advice had planned
and/or undertaken the following cybersecurity initiatives to address cybersecurity
60
issues across its AR network and to reduce the risk of a Cybersecurity Incident
occurring (March 2019 Cybersecurity Initiatives):
(a) engaging external security consultancy firms Security in Depth and Cyber
Indemnity Solutions to conduct cybersecurity reviews of six RI Advice
Practices (Six CARRs).
(b) inclusion of cybersecurity as a risk management discussion topic within

the RI Advice Proprietors Advisory Council (PAC), Risk and Event Forum
and Event Working Group Forum (Cybersecurity Discussion Topics);
(c) beginning of development or update of a number of core cybersecurity

documents including standards, guides and procedures with the
assistance of Security in Depth (Documentation Update);
(d) mandating attestations from ARs as to cyber fraud capabilities and local
area network cyber fraud protections (Attestations on Cyber
Capabilities and Protections);
(e) establishing cyber awareness and training material, including draft cyber
security standard questions relating to the cyber awareness material
(Awareness Material);
(f) mandating the use of multi-factor authentication on Xplan (a database that

held Personal Information) and local area networks (Mandated MFA);
(g) mandating the use of a password manager and password encryption of

email correspondence that included Personal Information (Mandated
Password Management);
(h) reviewing the implementation of a Cyber Standard (Review of Cyber

Standard);
(i) implementing training modules relating to ISO 27001 and Australian

Signals Directorate (ASD) Essential Eight policy and procedure
development (Training Implementation); and
(j) offering a cyber insurance solution to the network of RI Advice ARs (Cyber
Insurance).
61
Particulars
RI Advice letter to ASIC dated 19 December 2018

[FFG.1015.0001.0003].

[FFG.1013.0001.0003].

[FFG.1014.0001.0062]
RI Advice letter to ASIC dated 1 November 2019

[FFG.1021.0001.0003]

[FFG.1023.0001.0003]
Further particulars of the matters pleaded in sub-paragraphs (a) to

(j) above are provided in paragraph 87 below.
86 As at 12 and 13 March 2019, RI Advice had not planned or implemented any

initiatives for the management of risk in respect of cybersecurity and cyber
resilience across its AR network other than as referred to in paragraph 85 above.
87 As at 12 and 13 March 2019, RI Advice had only implemented the March 2019
Cybersecurity Initiatives to the extent referred to below:
(a) in respect of the Six CARRs, cyber security assessments had been
performed on six RI Advice Practices, but RI Advice had not received
detailed reports for the cybersecurity assessments for one of those
practices;
Particulars
RI Advice had received Security in Depth CARR reports for the five
RI Advice Practices referred to in paragraph 76 above and the
Cyber Indemnity Solutions cyber assessment summary for the two
RI Advice Practices referred to in paragraph 78 above (one of which
62
(RI Advice Lower Hunter) had also been assessed by Security in

Depth as referred to in paragraph 76 above).
As detailed in paragraph 102(a) below, RI Advice did not receive

the detailed cybersecurity assessments performed by Cyber
Indemnity Solutions for RI Advice Bondi and RI Advice Lower
Hunter until about 15 April 2019.

[FFG.1014.0001.0062], items 1, 2 and 3.
(b) the Cybersecurity Discussion Topics had been implemented at the PAC
and the RI Event Working Group;
Particulars
The PAC, which included a group of AR representatives, met with

RI management on a quarterly basis: RI Advice letter to ASIC dated
28 November 2019 [FFG.1023.0001.0003].
RI Advice Proprietors Advisory Council PAC Meeting agenda dated

21 and 22 February 2019 [FFG.1026.0001.0166].
The RI Event Working Group involving RI Advice and IOOF

included discussions of cybersecurity related risks
[FFG.1016.0001.0699] (Minutes dated 22 October 2018).
(c) the Documentation Update was planned for 31 March 2019 but was
incomplete;
Particulars

[FFG.1013.0001.0003], item 3(b).
As at 11 March 2019, RI Advice was working with Security in Depth

to update the proposed ‘security policies and procedures’:
RI Report 11 March 2019 [FFG.1022.0001.2732] (page 2).
63
(d) the Attestations on Cyber Capabilities and Protections had not been
implemented, and were due to be implemented on 30 June and
30 September 2019;
Particulars

[FFG.1014.0001.0062], item 4(ii).
(e) Awareness Material had commenced being implemented in February 2019

through the delivery of cybersecurity awareness webinars to ARs run by
Security in Depth, but was incomplete;
Particulars
Implementation of an updated network cyber education program

with Security in Depth started in February 2019: RI Advice letter to
ASIC dated 25 January 2019 [FFG.1013.0001.0003], item 3(b), RI
Advice letter to ASIC dated 30 January 2019
[FFG.1014.0001.0062], item 4(ii).
Five Webinars: LastPass, LastPass: End User Training 2018, Cyber

Security, LastPass: Enterprise, and Cybersecurity Essentials
Webinars [FFG.1020.0001.0425].
The February 2019 webinars were referred to in the RI Report

11 February 2019 [FFG.1022.0001.2643] and the RI Report
11 March 2019 [FFG.1022.0001.2732].
(f) Mandated MFA was planned for 31 March 2019 but was incomplete;
Particulars

[FFG.1014.0001.0062], item 4(ii).
As at 11 March 2019, RI Advice had evaluated and short-listed

different password management solutions and was investigating
64
whether they supported two-factor authentication: RI Report 11

March 2019 [FFG.1022.0001.2732].
(g) Mandated Password Management was planned for 31 March 2019 but
was incomplete;
Particulars

[FFG.1014.0001.0062], item 4(ii).
As at 11 March 2019, RI Advice had evaluated and short-listed

different password management solutions and was investigating
whether they supported two-factor authentication, and had met with
LastPass which had offered a commercial arrangement: RI Report
11 March 2019 [FFG.1022.0001.2732] (page 1 and 2).
(h) the Review of the Cyber Standard was planned for 31 March 2019 but was
incomplete;
Particulars

[FFG.1013.0001.0003], item 3(b).
As at 11 March 2019, RI Advice was ‘working through’ and updating

the proposed security policies and procedures: RI Report 11 March
2019 [FFG.1022.0001.2732] (page 2).
(i) Training Implementation had commenced from February 2019 but was
incomplete; and
Particulars
The training implemented as at 11 March 2019 is referred to in sub-

paragraph (e) above.
(j) Cyber Insurance had been obtained and was being offered to ARs.
65
Particulars
IOOF Cyber Insurance Solution - Feb 2019 Final, February 2019,

[FFG.1020.0001.0108].
RI Advice letter to ASIC dated 19 December 2018

[FFG.1015.0001.0003].
As at 11 March 2019, two RI Advice Practices had taken up the

cyber insurance: RI Report 11 March 2019 [FFG.1022.0001.2732]
(page 1).
88 Further to paragraphs 85 and 87 above, following the change of ownership of

RI Advice from ANZ to IOOF in October 2018, from about October 2018,
RI Advice replaced some of the May 2018 Documentation and Controls that it
held or had access to, and which had been developed by ANZ, with IOOF-
developed documentation (IOOF Developed Documentation).
Particulars
The IOOF Developed Documentation which RI Advice held or had

access to from about October 2018 is set out in Schedule C.
E.6 Inadequacy of March 2019 Cybersecurity Documentation and Controls
89 As at 12 and 13 March 2019, the Cybersecurity Documentation and Controls that

RI Advice held or had access to for the management of risk in respect of
(a) the May 2018 Documentation and Controls referred to in paragraphs

57(g), (o), (p), (q) and (r) above;
(b) the IOOF Developed Documentation;
Particulars

access to as at 12 and 13 March 2019 is set out in Schedule C.
66
(c) RI Advice Practices Practice Servicing Assessment Questionnaire dated

20 December 2018 [FFG.1007.0001.0103];
(d) RI Advice procedures, application forms and checklists for recruitment,

appointment and cancellation of ARs; and
Particulars
The documents referred to in paragraph 57(q) above.
RI Advice Authorised Representative Application Form (Version 19)

dated October 2018 [FFG.1022.0001.1775].
APPOINTMENT: Authorised Representative Appointment Checklist

dated about June 2016 [FFG.1022.0001.1773].
(e) presentations, webinars and newsletters covering cybersecurity

awareness related topics.
Particulars
Quarterly Video links (October 2018 and March 2019]

[FFG.1022.0001.2822].
RI Report 24 September 2018 [FFG.1022.0001.2688].
RI Report 8 October 2018 [FFG.1022.0001.2799].
RI Report 15 October 2018 [FFG.1022.0001.2744].
RI Report 5 November 2018 [FFG.1022.0001.2704].
RI Report 29 January 2019 [FFG.1022.0001.2710].
RI Report 4 February 2019 [FFG.1022.0001.2809].

67
RI Report 11 March 2019 [FFG.1022.0001.2732].
(the March 2019 Documentation and Controls).
90 As at 12 and 13 March 2019, RI Advice did not have in place any Cybersecurity
Documentation and Controls for the management of risk in respect of
cybersecurity and cyber resilience across its AR network other than as referred to
in paragraph 89 above.
91 By its March 2019 Documentation and Controls, as at 12 and 13 March 2019, RI

Advice:
(b) predominantly relied upon the IOOF Developed Documentation, which:
(i) in many cases pre-dated IOOF’s acquisition of RI Advice;
(ii) was specific to the IOOF organisation and its IT environment;
(iii) was not tailored to RI Advice and its ARs’ requirements for the
(iv) had not been implemented and operationalised by RI Advice as part

of, or was not relevant to, its governance and management of risk in
respect of cybersecurity and cyber resilience across its AR network;
Particulars

access to as at 12 and 13 March 2019 which had the characteristics
referred to in sub-paragraphs (i) to (iv) above is set out in
Schedule C.
68
Particulars
The gaps between the March 2019 Documentation and Controls

and the Cybersecurity Documentation and Controls which RI Advice
out in Schedule D.
E.7 Contraventions in respect of conduct up to, or as at, 12 and 13 March 2019
92 By reason of the matters pleaded in paragraphs 2 to 5, 11 to 15, 21, 22, 25, 26,
31, 32, 36, 37, 41, 42, 49, 50, 57 to 59, 65, 66, 85 to 91 above:
(1) at all times from 15 May 2018 to 12 March 2019; alternatively
(2) on 12 March 2019,
RI Advice:

to expect;
69




services were supplied to an unacceptable level of risk.
93 Further, by reason of the matters pleaded in paragraphs 2 to 5, 11 to 15 and 85

to 91 above, including with knowledge of the matters in respect of the
Cybersecurity Incidents pleaded in paragraphs 19, 20(a), 23, 24(a), 29, 30(a), 34,
35(a), 39, 40(a), 44, 45(a), 46, 48, 56, 63 and 64(a) above and knowledge of the
70
other matters pleaded in paragraphs 67 to 84 above, on 13 March 2019,

RI Advice:

to expect;



71

services were supplied to an unacceptable level of risk; and
(f) by reason of the contraventions of each of ss 912A(1)(a), (d) and (h) of the
Act referred to in sub-paragraphs (a), (d) and (e) above, contravened
s 912A(5A) of the Act.
F. INADEQUACY OF STEPS TAKEN BY RI ADVICE UP TO 1 NOVEMBER 2019

AND INADEQUACY OF CYBERSECURITY SYSTEMS IN PLACE AS AT 1
NOVEMBER 2019
F.1 Empowered Cybersecurity Incident – August 2019
94 At all material times until about 27 March 2020, Empowered Financial Partners
Pty Ltd (Empowered) was:
(b) not an AR of any other financial services licensee; and

Clients on behalf of RI Advice.
95 On or about 23 August 2019, RI Advice became aware of a Cybersecurity

Incident that month involving the compromise of an Empowered staff member’s
email (Empowered Cybersecurity Incident).
Particulars
Incident Report dated 23 August 2019 attached to letter dated 27 August

2019 [FFG.1029.0001.0040].
72
Email from Jeannette McShane, RI Advice to IOOF Advice Risk, re

Incident – Cyber Breach dated 23 August 2019, summarising information
provided by Bernie Cooney of Empowered, forwarded by Wen Li Zhou,
Incident Manager at IOOF to Peter Ornsby, CEO of RI Advice and others
[FFG.1029.0001.0028].
As referred to in paragraph 107 below, RI Advice endorsed or allowed the

Empowered Cybersecurity Incident to be closed in the Aligned Dealer
Group Incident Register by November 2019.
F.2 Inadequacy of steps taken by RI Advice in respect of FFG Data Breach
96 In about September 2019, FFG and RI Advice concluded their investigation and
remediation of the FFG Data Breach, as a result of which:
(a) the investigation had revealed that there were 8,104 Retail Clients
potentially exposed to the FFG Data Breach;
(b) FFG had, by then, notified 7,366 Retail Clients of the FFG Data Breach
and had published a notice on its website in order to notify any others; and
(c) FFG had notified the Australian Taxation Office in respect of Retail Clients
whose tax file numbers were held on its files.
Particulars
‘Event Closure Report – RI Advice: Frontier Financial Group

(FFG) Notifiable Data Breach (NBD) – FINAL’ dated 18
September 2019 – [FFG.1020.0001.0154].
RI Advice letter to ASIC dated 4 October 2019

[FFG.1015.0003.0002].
97 On or about 19 September 2019, FFG informed the OAIC, and RI was aware, of
the matters referred to in paragraph 96 above.
73
Particulars
Email dated 19 September 2019 from Richard McLean, of FFG,

to OAIC, copied to Nikolas Kloufetos, Project manager, Licensee
Remediation, IOOF, re OAIC Reference number: DBN18/00331
– Conclusion of investigation and remediation of Frontier
Financial Group data breach [FFG.1020.0001.0206].

[FFG.1015.0003.0002].
98 By reason of the matters pleaded in paragraphs 13 to 15, 51 to 56, 67 to 72, 81

to 84, 96 and 97 above, after becoming aware of the FFG Data Breach, and with
knowledge of the matters in respect of the Cybersecurity Incidents pleaded in
paragraphs 19, 20(a), 23, 24(a), 29, 30(a), 34, 35(a), 39, 40(a), 44, 45(a), 46, 48
63 and 64(a) above and knowledge of the other matters pleaded in paragraphs
73 to 80 above, by 30 September 2019, alternatively 1 November 2019, RI
Advice should have:

Controls relevant to the root cause of the FFG Data Breach referred to in
paragraphs 52 and 83(a) above and as a result of any review conducted to
identify the cause of the failure of FFG’s disaster recovery backup process
as recommended by KPMG and referred to in paragraph 83(h) above; and
FFG Data Breach into its ongoing identification and mitigation of risk in
respect of cybersecurity and cyber resilience across its AR network, by:

FFG Data Breach:
(A) Privilege management;

74
(C) Password complexity;
(D) Password management;
(E) Account lockout;
(F) Application whitelisting;
(G) Port security;
(H) Web filtering;
(I) Security and compliance score for Microsoft Office 365;
(J) Antivirus protection;
(K) Log monitoring controls;
(L) Incident response;
(M) Backups; and
(N) Holistic cybersecurity framework.
Particulars

(a) Privilege management [ED 5.3 and ED 5.5];
(c) Password complexity [ED 5.1 and ED 7.1];
(d) Password management [ED 5.1 and ED 7.1];
(e) Account lockout [ED 5.3];
(f) Application whitelisting [ED 9.2 and ED 9.5];
(g) Port security [ED 9.4 and ED 9.8];

75
(h) Web filtering [ED 9.4 and ED 9.8];
(i) Security and compliance score for Microsoft Office 365

[ED 9.1];
(j) Antivirus protection [ED 10.5];
(k) Log monitoring controls [ED 10.1 to ED 10.6];
(l) Incident response [ED 12.1 to ED 12.5];
(m) Backups [ED.13.3 and ED.13.5]; and
(n) Holistic cybersecurity framework [ED 1.1].


the FFG Data Breach which was tailored to the identified
99 RI Advice did not take the steps referred to in paragraph 98 above adequately by
1 November 2019 or at any relevant time.
Particulars
The steps which RI Advice had taken by 1 November 2019 referred

to in paragraphs 100 and 102 below did not amount to taking the
steps in respect of cybersecurity and cyber resilience across its AR
network referred to in paragraph 98 above adequately.
F.3 Inadequacy of steps taken by RI Advice up to 1 November 2019
100 By 1 November 2019, RI Advice had planned and/or undertaken the following
cybersecurity initiatives to address cybersecurity issues across its AR network
and to prevent and manage Cybersecurity Incidents (November 2019
Cybersecurity Initiatives):
76
(a) Six CARRs;
(b) Cybersecurity Discussion Topics;
(c) Documentation Update;
(d) Attestations on Cyber Capabilities and Protections;
(e) Awareness Material;
(f) Mandated MFA;
(g) Mandated Password Management;
(h) development of specific roles and teams to manage Cybersecurity

Incidents, such as a ‘Head of IT Cyber Security’ (Cybersecurity
Leadership);
(i) a formal cybersecurity gap analysis of ARs to help understand what

improvements can be made to RI Advice’s current systems and process
(Gap Analysis);
(j) Review of Cyber Standard;
(k) formalisation of the Cybersecurity Incident Response Plan Breach Process

Guide (Cybersecurity Incident Response Plan Finalisation);
(l) Training Implementation; and
(m) Cyber Insurance.
Particulars

[FFG.1013.0001.0003].

[FFG.1014.0001.0062].

[FFG.1015.0003.0002].
77

[FFG.1021.0001.0003].

[FFG.1023.0001.0003].

(m) above are provided in paragraph 102 below.
101 As at 1 November 2019, RI Advice had not planned or implemented any

initiatives for the management of risk in respect of cybersecurity and cyber
resilience across its AR network other than as referred to in paragraph 100
above.
102 As at 1 November 2019, RI Advice had only implemented the November 2019
Cybersecurity Initiatives to the extent referred to below:
(a) the Six CARRs were complete;
Particulars
In addition to the matters referred to in paragraph 87(a) above,

RI Advice received detailed ‘Data Protect’ cyber assessments for
the two RI Advice Practices referred to in paragraph 78 above by
about 15 April 2019.
Email from Sascha Warner, IOOF, to ASIC dated 15 April 2019

[FFG.1014.0002.0001].
Data Protect Cyber Risk Assessment for RI Advice Lower Hunter

dated about 10 April 2019 [FFG.1014.0002.0003] and supporting
documents [FFG.1014.0002.0013, FFG.1014.0002.0021,
FFG.1014.0002.0028, FFG.1014.0002.0037, FFG.1014.0002.0045,
FFG.1014.0002.0052, FFG.1014.0002.0059, FFG.1014.0002.0069,
FFG.1014.0002.0079, FFG.1014.0002.0088, FFG.1014.0002.0099,
FFG.1014.0002.0107, FFG.1014.0002.0116, FFG.1014.0002.0127,
FFG.1014.0002.0136, FFG.1014.0002.0145, FFG.1014.0002.0152,
FFG.1014.0002.0158, FFG.1014.0002.0164, FFG.1014.0002.0172,
78
FFG.1014.0002.0179, FFG.1014.0002.0188, FFG.1014.0002.0195,

FFG.1014.0002.0203, FFG.1014.0002.0212,
FFG.1014.0002.0221].
Data Protect Cyber Risk Assessment for RI Advice Bondi dated

about 12 March 2019 [FFG.1014.0002.0232] and supporting
documents [FFG.1014.0002.0246, FFG.1014.0002.0254,
FFG.1014.0002.0264, FFG.1014.0002.0275, FFG.1014.0002.0286,
FFG.1014.0002.0297, FFG.1014.0002.0310, FFG.1014.0002.0319,
FFG.1014.0002.0330, FFG.1014.0002.0347; FFG.1014.0002.0356,
FFG.1014.0002.0367, FFG.1014.0002.0375, FFG.1014.0002.0388,
FFG.1014.0002.0396, FFG.1014.0002.0406].
(c) the Documentation Update was incomplete, but RI Advice:
(i) was developing the Cybersecurity Documents and Controls referred

to in paragraphs 103(d) and (e) below, which as referred to in those
paragraphs had not been finalised, approved or released;
(ii) had developed the Cybersecurity Documents and Controls referred

to in paragraph 103(f) below;
(iii) had developed the Cyber Security RI Mandatory Requirements

Checklist dated 29 October 2019 [FFG.1022.0001.0421];
(iv) had developed the Cybersecurity Kaplan questions dated about 10

October 2019 [FFG.1022.0001.2561]; and
(v) had developed the RI Advice Practice attestations on

implementation of password management and two factor
authentication;
79
Particulars
AR Responses (13) to questions on implementation of password

management and two factor authentication [spreadsheet] dated
about 9 October 2019 [FFG.1022.0001.3521].
(d) the Attestations on Cyber Capabilities and Protections had not been
implemented and were not expected to be completed until the first quarter
of 2020;
Particulars
On 1 November 2019, RI Advice reported that:
1) in November 2019, the new Cyber Security Support Guide

[FFG.1022.0001.0258] would be sent to each RI Advice
Practice, and each practice’s technical provider would attest that
the practice conformed to the (ten) initiatives outlined in the
guide; and
2) RI Advice had not as yet conducted an audit, assessment or

review of its ARs to gain assurance that the Cyber Security
Support Guide and email encryption had been implemented and
operationalised, but this initiative would ‘be undertaken in the
first quarter of 2020’.

[FFG.1021.0001.0003], items 2, 6(c) and (j).
(e) Awareness Material had commenced being implemented but remained

incomplete;
Particulars
RI Advice had developed training programs on two factor

authentication, appropriate password management and password
encryption of emails that may contain Personal Information:
[FFG.1021.0001.0003], item 2.
80
As at 1 November 2019, RI Advice had recorded that 110 ARs had

completed the ‘Cyber Fraud’ or ‘Cyber Security Training Essentials’
training sessions between about 2 May and 20 August 2019 and 88
ARs had not yet completed this training [FFG.1022.0001.3474].
(f) Mandated MFA had commenced being implemented but was incomplete;
Particulars
Two factor authentication had been implemented for two

applications used by ARs, namely Xplan and DocuSign. RI Advice
had not performed testing to ensure the design and operational
effectiveness of the two factor authentication in Xplan. An audit of
Xplan users for the implementation of two factor authentication was
planned for December 2019. RI Advice was not testing ARs’
systems (other than Xplan) for the implementation of two factor
authentication: RI Advice letter to ASIC dated 1 November 2019
[FFG.1021.0001.0003], items 6(g) and (h).
90 RI Advice Practices had attested that they had implemented two

factor authentication into both Xplan and their local area network (if
that local area network contained client personal information), but 7
RI Advice Practices had not provided this attestation: Practice
Password Management and 2FA Review spreadsheet
[FFG.1022.0001.3521]. 486 ARs and support staff members had
attested that they had activated two factor authentication and 5 ARs
and support staff had not provided this attestation: AR attestation
responses relating to MFA [FFG.1021.0002.0008].
(g) Mandated Password Management was practically complete, however no

testing had taken place to monitor its implementation;
Particulars
RI Advice had provided ARs with the LastPass password

management system, however RI Advice had not undertaken a
testing process to monitor which ARs were using and updating the
81
system: RI Advice letter to ASIC dated 1 November 2019

[FFG.1021.0001.0003], item 6(i).
95 RI Advice Practices had attested that they had implemented an

approved online password manager, and 2 RI Advice Practices had
not provided this attestation. 93 RI Advice Practices had attested
that all documents being sent to clients that hold client personal
information by email were password protected, and 4 RI Advice
Practices had not provided this attestation: Practice Password
Management and 2FA Review spreadsheet [FFG.1022.0001.3521].
(h) Cybersecurity Leadership was a planned initiative which was ‘ongoing’;
Particulars
No date was provided for the implementation of this initiative:

[FFG.1021.0001.0003], item 4 (page 4).
(i) the Gap Analysis had not been implemented and was planned for the first
quarter of 2020;
Particulars

[FFG.1021.0001.0003], item 4 (page 4).
(j) the Review of the Cyber Standard was planned for the end of 2020;
Particulars

[FFG.1021.0001.0003], items 2 and 6(j).
(k) the Cybersecurity Incident Response Plan Finalisation was incomplete, the
document was in draft form only and it was expected that the document
would achieve a ‘final draft status’ by the end of November 2019;
82
Particulars

[FFG.1021.0001.0003], items 2 and 6(j).
(l) Training Implementation had commenced, but was incomplete; and
Particulars
New advisers joining RI Advice were required to complete RI

Advice’s prescribed cybersecurity training program within three
months of joining RI Advice.
RI Advice planned, as part of its November 2019 training program,

to provide a document to its ARs to ask them to have their local
technician sign off that their local area network met the standard:
[FFG.1015.0003.0002].
The training implemented as at 1 November 2019 is referred to in

sub paragraph (e) above.
(m) Cyber Insurance had been obtained and was being offered to ARs.
Particulars

[FFG.1015.0003.0002].
F.4 Inadequacy of November 2019 Cybersecurity Documentation and Controls
103 As at 1 November 2019, the Cybersecurity Documentation and Controls that

RI Advice held or had access to for the management of risk in respect of
(a) the May 2018 Documentation and Controls referred to in paragraphs

57(g), (o), (p), (q) and (r) above;
(b) the IOOF Developed Documentation;

83
Particulars

access to as at 1 November 2019 is set out in Schedule C.
(c) the March 2019 Documentation and Controls documents referred to in

paragraphs 89(c) to (e) above;
(d) Cyber Security Standard (Version 1.0) dated 10 October 2019

[FFG.1022.0001.0246], which:
(i) had not been finalised, approved or released; and
(ii) had not been implemented across RI Advice and its ARs;
Particulars
There is no approval or release date in the document.
(e) RI Advice Information Security Policies dated 13 May 2019

[FFG.1026.0001.0101], which:
Particulars
The document contains yellow highlights and references to ‘XXXX”,

is not signed, and was not referred to in RI Advice’s letter to ASIC
dated 1 November 2019 [FFG.1022.0001.3538].
(f) RI Advice Cyber Security Support Guide dated about May 2019
[FFG.1022.0001.0258];
(g) RI Advice Cybersecurity Incident Response Plan Process Guide (CIRP)

Process Guide: Data Breach (Version 1.1) dated 25 June 2019
[RIF.0006.0011.0001], which:
(i) was in draft form and had not been finalised, approved or released;
and
84
Particulars
The RI Advice Cybersecurity Incident Response Plan Process

Guide (CIRP) Process Guide: Data Breach (Version 1.3) dated 22
April 2020 [RIF.0006.0011.0001] refers to an earlier version
(version 1.1) of this document dated 25 June 2019.

[FFG.1021.0001.0003], items 3 and 6(k).
(h) Electronic Data Storage (Version 1.0), release date 7 October 2019
[FFG.1022.0001.2213];
(i) an RI Advice software asset register (spreadsheet) dated about

31 October 2019 [FFG.1022.0001.1154];
(j) guidance and questionnaires on implementation of password management

and two factor authentication;
Particulars
Cyber Security Attestation - First collector (1) questionnaire dated

AR Responses (13) to questions on implementation on password

management and two factor authentication [spreadsheet] dated
How to Password Protect RI Advice Adobe PDF Documents dated

9 October 2019 [FFG.1022.0001.1542].
Password Management and 2FA dated about 1 November 2019

[FFG.1022.0001.3518];
Sophos XG Firewall dated 1 November 2019

[FFG.1022.0001.3483].
85
How to Turn on 2FA for Adobe dated 1 November 2019

[FFG.1022.0001.3476].
How to Turn on 2FA for Google dated 1 November 2019

[FFG.1022.0001.1561].
How to Turn on 2FA for Microsoft dated 1 November 2019

[FFG.1022.0001.3509].
RI Advice Setting up Two-Factor Identification dated 1 November

2019 [FFG.1022.0001.3480].
Review of AR use of multifactor authentication in XPLAN 2019-06-

12-2FA [spreadsheet] dated 1 November 2019
[FFG.1022.0001.3475].
(k) PSA Completed Report [spreadsheet] dated 1 November 2019

[FFG.1022.0001.3522];
(l) presentations, webinars and newsletters covering cybersecurity

awareness related topics; and
Particulars
APRA Cyber Security Legislation – CPS 234 dated 31 October

2019 [FFG.1022.0001.3462].
It All Started with An Email Presented by Michael Connory, CEO

dated 10 October 2019 [FFG.1022.0001.2825].
RI Report 23 April 2019 [FFG.1022.0001.2766].
RI Report 29 April 2019 [FFG.1022.0001.2803].
RI Report 6 May 2019 [FFG.1022.0001.2816].
RI Report 13 May 2019 [FFG.1022.0001.2659].
RI Report 20 May 2019 [FFG.1022.0001.2760].
RI Report 27 May 2019 [FFG.1022.0001.2785].

86
RI Report 3 June 2019 [FFG.1022.0001.2791].
RI Report 22 July 2019 [FFG.1022.0001.2680].
RI Report 5 August 2019 [FFG.1022.0001.2716].
Cybersecurity Kaplan questions dated about 10 October 2019

[FFG.1022.0001.2561].
Review of Cyber Security Completion [spreadsheet] dated 1

November 2019 [FFG.1022.0001.3474].
(m) RI Advice procedures, application forms and checklists for recruitment,

appointment and cancellation of ARs and RI Advice Practices.
Particulars
APPOINTMENT: Practice Appointment Checklist (CAR or Sole

Trader) dated about 31 October 2019 [FFG.1022.0001.1771].
TERMINATION: AR & CAR Cancellation Checklist dated about 31

October 2019 [FFG.1022.0001.1843].
(the November 2019 Documentation and Controls).
104 As at 1 November 2019, RI Advice did not have in place any Cybersecurity
87
105 By its November 2019 Documentation and Controls, as at 1 November 2019,

RI Advice:
(b) predominantly relied upon the IOOF Developed Documentation, which:

of, alternatively was not relevant to, its governance and
across its AR network.
Particulars

access to as at 1 November 2019 which had the characteristics
referred to in sub-paragraphs (i) to (iv) above is set out in
Schedule C.
88
Particulars
The gaps between the November 2019 Documentation and

Controls and the Cybersecurity Documentation and Controls which
RI Advice should have had in place in each of the 13 Cybersecurity
Domains in order to meet the Minimum Cybersecurity
Requirements are set out in Schedule E.
F.5 Contraventions in respect of conduct up to, or as at, 1 November 2019
106 By reason of the matters pleaded in paragraphs 2 to 5, 11 to 15, 85 to 91 and

100 to 105 above, including with knowledge of the matters in respect of the
Cybersecurity Incidents pleaded in paragraphs 19, 20(a), 23, 24(a), 29, 30(a), 34,
35(a), 39, 40(a), 44, 45(a), 46, 48, 56, 63, 64(a), 67 to 72 and 81 to 84 above and
knowledge of the other matters pleaded in paragraphs 73 to 80 above, at all
times from 13 March to 1 November 2019, alternatively on 1 November 2019, RI
Advice:

to expect;

89



supplied to an unacceptable level of risk;

G. INADEQUACY OF STEPS TAKEN BY RI ADVICE UP TO 1 MAY 2020 AND

INADEQUACY OF CYBERSECURITY SYSTEMS IN PLACE AS AT 1 MAY 2020
G.1 Inadequacy of steps taken by RI Advice in respect of Empowered

Cybersecurity Incident
107 By 18 November 2019 at the latest, RI Advice:

90
(a) was aware, in respect of the Empowered Cybersecurity Incident, that:
(i) an external IT service provider had investigated the incident and

ascertained that:
(A) an unauthorised party had compromised an Empowered staff

member’s mailbox account, which had been used to send
Empowered’s Retail Clients and its information technology
service provider phishing emails regarding a purported
‘Business Proposal from Empowered Financial Partners’
which requested recipients to click on a link to Dropbox
(Phishing Email);
(B) the Phishing Email would have been sent to 174 email
addresses;
(C) the unauthorised party had set up new rules in the

Empowered staff member’s email mailbox automatically
directing all incoming emails to an RSS feed email folder so
that their incoming emails would not appear in the email
inbox;
(D) in the Dropbox cloud file storage account there was a

‘OneDrive document’ that was ‘capturing credentials’ of
people who tried to access it by clicking on the link in the
Phishing Email, which file was shared with the entire
contents of the Empowered staff member’s email contact list
and the list was able to be exported;
(E) some recipients of the Phishing Email may have clicked on

the link and opened the fie in Dropbox before it was removed
from Dropbox by the external IT service provider; and
(F) the unauthorised party possibly had access to the

Empowered staff member’s Microsoft Office 365 email
mailbox ‘for days’ and the third party may have had a ‘copy
of the contents’ of the Empowered staff member’s ‘entire
email’; and
91
(ii) the external IT service provider had determined that the root cause
of the incident was a suspected phishing email that had been
received the week before;
(b) had endorsed or allowed the Empowered Cybersecurity Incident to be

recorded in the Aligned Dealer Group Incident Register and the incident
had been endorsed by the RI Advice Event Working Group for closure in
the Aligned Dealer Group Incident Register; and

Empowered and RI Advice in respect of the Empowered Cybersecurity
Incident, prior to the incident being endorsed for closure in the Aligned
Dealer Group Incident Register, were limited to the following:
(i) Empowered had contacted its external information technology

technician, who had removed the ‘OneDrive document’ from
Dropbox and/or the ‘virus’ and provided a list of names of the 174
email addresses to which it considered that the Phishing Email
would have been sent, and Empowered had sent an email to those
contacts alerting them to the virus;
(ii) the external information technology technician had reset the

password of the compromised mailbox, reset the password of the
Dropbox cloud file storage account, and disabled the mailbox
ruleset in the compromised mailbox (so that incoming emails would
no longer be automatically placed in the RSS feed folder);
(iii) the IOOF Head of Cybersecurity had been informed of the incident
and had been provided with a report from the external information
technology technician;
(iv) the IOOF Head of Cybersecurity had advised RI Advice that no

further IT related actions, including any secondary IT review, were
necessary, although a dedicated cybersecurity training session for
all staff would be helpful, which training the IOOF IT Security team
could provide;
92
(v) Empowered had confirmed that the compromised data comprised

only names and email addresses;
(vi) the RI Advice Event Working Group forum noted that a training
session would be provided to staff when the ‘new standard’ was
released; and
(vii) RI Advice had received advice that the incident was not a notifiable
data breach and that the incident had been handled correctly.
Particulars

Empowered Cybersecurity incident referred to in sub-paragraphs
(a) to (c) above were recorded in the following documents:
Incident Case Record Timeline for incident IFR-02188

[FFG.1029.0001.0026].
Email from Jeannette McShane, RI Advice to IOOF Advice Risk, re

Incident – Cyber Breach dated 23 August 2019, forwarded by Wen
Li Zhou, Incident Manager at IOOF to Peter Ornsby and others
[FFG.1029.0001.0028].
Email from Kylie Weatherall, Empowered, to Wen Li Zhou, Incident

Manager, IOOF dated 3 September 2019 attaching file note from
Kevin Treacey of Kevcom [FFG.1029.0001.0032,
FFG.1029.0001.0035].
Email chain between Ashutosh Kapse, Head of Cybersecurity,

IOOF, and Wen Li Zhou between 26 August 2019 and 30
September 2019 [FFG.1029.0001.0036].
Email from Jeannette McShane, RI Advice to Peter Ornsby, dated

16 October 2019 [FFG.1029.0001.0043].
108 By reason of the matters pleaded in paragraphs 13 to 15, 94, 95 and 107 above,
after becoming aware of the Empowered Cybersecurity Incident and prior to
93
endorsing the close out of the Empowered Cybersecurity Incident in the Aligned
Dealer Group Incident Register, RI Advice should have:

Controls relevant to the root cause of the Empowered Cybersecurity
Incident referred to in paragraph 107(a)(ii) above; and
Empowered Cybersecurity Incident into its ongoing identification and
AR network, by:

Empowered Cybersecurity Incident;
(D) Email filtering;
Particulars

(d) Email filtering [ED 9.4 to ED 9.8].

94


the Empowered Cybersecurity Incident which was tailored to the
109 RI Advice did not take the steps referred to in paragraph 108 above, adequately
or at all, by 18 November 2019 or at any relevant time.
Particulars
which did not amount to taking the steps referred to in paragraph
108 above adequately or at all.
G.2 Contraventions in respect of Empowered Cybersecurity Incident
110 By reason of the matters pleaded in paragraphs 2 to 5, 11 to 15, 94, 95 and 107
to 109 above, at all times since 18 November 2019, RI Advice:

to expect;

95




G.3 Second RI Shepparton Cybersecurity Incident – April 2020
111 On or about 15 April 2020, RI Advice became aware of a Cybersecurity Incident

that occurred on about 14 April 2020 involving Sandra Miller and RI Shepparton
(Second RI Shepparton Cybersecurity Incident).
96
Particulars
Incident report submission lodged by RI Shepparton with RI Advice

Risk Team dated 15 April 2020 [RIF.0006.0016.0001].
Letter from RI Advice to RI Shepparton dated 20 April 2020

attaching completed incident report (IFR-02797)
[FFG.1029.0001.0020].
Letter from RI Advice to ASIC dated 1 May 2020 in response to

Notice issued by ASIC under s 912C of ASIC Act (Reference 18-
20364) [FFG.1027.0001.0003 at .0011].
112 By about 1 May 2020 at the latest, RI Advice:
(a) was aware, in respect of the Second RI Shepparton Cybersecurity

Incident, that:
(i) like the First RI Shepparton Cybersecurity Incident, it involved an

external party’s unauthorised use of Sandra Miller’s RI Shepparton
email account;
(ii) as a consequence, spam emails were sent from Sandra Miller’s

email account to her RI Advice and IOOF contacts, fund managers,
and five Retail Clients in her email contacts (Spam Emails); and
(iii) a third-party information technology service provider had reviewed

the incident and had concluded that the external party had obtained
access to Sandra Miller’s email account, possibly through a
Microsoft Office log-in, at some time in the last five years and had
only just now used it;
(b) had endorsed or allowed the Second RI Shepparton Cybersecurity

Incident to be recorded in the Aligned Dealer Group Incident Register; and

RI Shepparton and RI Advice in respect of the Second RI Shepparton
Cybersecurity Incident were limited to the following:
97
(i) a third-party information technology service provider had removed

global administration rights from Sandra Miller’s RI Shepparton
email account and had ensured that there were no global or user
level forwarding rules which had been created from the account;
(ii) RI Shepparton had reported that it had sent an email to all

recipients to tell them not to open the Spam Emails; all outgoing
emails from the affected email account had ceased within one hour
after the incident; all ‘LastPass’ password manager passwords had
been changed on or about 14 April 2020; and two-factor
authentication had been employed on ‘all client systems’, which RI
Shepparton reported was ‘already in place’;
(iii) RI Advice had notified the IOOF Privacy Officer and IOOF Fraud
team seeking guidance about any steps which RI Shepparton
should take in addition to the steps that had already been
undertaken by RI Shepparton; and RI Advice had requested
RI Shepparton to refer to the IOOF Privacy Officer and the IOOF
Fraud team and complete RI Shepparton’s remediation by 11 May
2020; and
(iv) RI Advice had engaged Security in Depth to perform a review of the

Second RI Shepparton Cybersecurity Incident to identify the root
cause of the incident, which report was expected after 4 May 2020.
Particulars
Email from DWM Support to RI Shepparton, forwarded to RI Advice

dated 14 April 2020 [FFG.1029.0001.0018]
Incident report submission lodged by RI Shepparton with RI Advice

Risk Team dated 15 April 2020 [RIF.0006.0016.0001].
Letter from RI Advice to RI Shepparton dated 20 April 2020

attaching completed incident report (IFR-02797)
[FFG.1029.0001.0020].
98
Letter from RI Advice to ASIC dated 1 May 2020 in response to

Notice issued by ASIC under s 912C of ASIC Act (Reference 18-
20364) [FFG.1027.0001.0003 at .0011].
113 On or about 19 May 2020, after performing a review and assessment of

RI Shepparton, Security in Depth provided RI Advice with a CARR report in
respect of RI Shepparton dated April 2020, which:
(a) rated RI Shepparton’s cybersecurity status as still ‘Poor’ (page 3);
(b) identified that the cause of the Second RI Shepparton Cybersecurity

Incident was a suspected phishing attack, and that the unknown party had
monitored the RI Shepparton email account for a period of time and had
access to thousands of email addresses and contact details, as well as
over ten thousand emails (page 3); and
(c) referred to a number of ‘significant cybersecurity issues’, including:
(i) the poor level of password security across RI Shepparton (page 3);
(ii) no utilisation of two factor authentication (page 3);
(iii) that RI Shepparton’s current infrastructure settings would allow a

sophisticated threat actor to access the current network and email
infrastructure which incorporated significant personally identifiable
information (page 3);
(iv) that RI Shepparton had not effectively reviewed and understood the
critical assets they manage and had not identified strategies to
protect and maintain them (page 5);
(v) that RI Shepparton had not utilised security technologies across the
organisation to identify the occurrence of a cyber security incident
(page 7); and
(vi) that RI Shepparton did not have an incident response plan or a

fully-developed business continuity plan (page 8 and 9).
99
Particulars
Cyber Assurance Risk Rating Report– RI Advice - Shepparton

[FFG.1029.0001.0006].
114 But for RI Advice’s failures to take the steps referred to in paragraph 65 above
and its contraventions referred to in paragraphs 92 and 106 above, the Second
Shepparton Cybersecurity Incident may not have occurred.
Particulars
Both the First Shepparton Cybersecurity Incident and the Second

Shepparton Cybersecurity Incident involved the compromise of an
AR’s email account. But for RI Advice’s failure to adequately
remediate the gaps and deficiencies in the Cybersecurity
Documentation and Controls relevant to the First Shepparton
Cybersecurity Incident across its AR network (including the Cyber
training and awareness [ED 6.1 to ED 6.7], Email filtering [ED 9.4
and ED 9.8] and Multi-factor authentication [ED 5.1, ED 5.3 and ED
5.6] controls) by 12 March 2019, alternatively 1 November 2019,
the Second Shepparton Cybersecurity Incident was unlikely to have
occurred.
G.4 Inadequacy of steps taken by RI Advice up to 1 May 2020
115 By 1 May 2020, RI Advice had planned and/or undertaken the following
cybersecurity initiatives to address cybersecurity issues across its AR network
and to prevent and manage Cybersecurity Incidents (May 2020 Cybersecurity
Initiatives):
(a) Six CARRs;
(b) Cybersecurity Discussion Topics;
(c) Documentation Update;
(d) Attestations on Cyber Capabilities and Protections;
(e) Awareness Material;

100
(f) Mandated MFA;
(g) Mandated Password Management;
(h) Cybersecurity Leadership;
(i) Gap Analysis;
(j) Review of Cyber Standard;
(k) Cybersecurity Incident Response Plan Finalisation;
(l) Training Implementation;
(m) Cyber Insurance;
(n) initiation of a cybersecurity strategy (Cybersecurity Strategy); and
(o) establishment of the Advice Processes and Client Records program, which
would require ARs to store all Personal Information in the Xplan database
(ACR Program).
Particulars

[FFG.1013.0001.0003].

[FFG.1014.0001.0062].

[FFG.1015.0003.0002].

[FFG.1021.0001.0003].

[FFG.1023.0001.0003].
RI Advice letter to ASIC dated 1 May 2020 [FFG.1027.0001.0003].

101

(o) above are provided in paragraph 117 below.
116 As at 1 May 2020, RI Advice had not planned or implemented any initiatives for
the management of risk in respect of cybersecurity and cyber resilience across its
AR network other than as referred to in paragraph 115 above.
117 As at 1 May 2020, RI Advice had only implemented the May 2020 Cybersecurity
Initiatives to the extent referred to below:
(a) the Six CARRs were complete;
(c) the Documentation Update was incomplete, but RI Advice:
(i) had developed the Cybersecurity Documents and Controls referred

to in paragraphs102(c)(iii) to (v) and 103(f) above and 118(d) and (f)
below; and
(ii) was developing the RI Advice Information Security Policies referred

to in paragraph 118(c) below, which had not been finalised,
approved or released;
(d) in respect of the Attestations on Cyber Capabilities and Protections:
(i) the updated Cyber Security Guide [RIF.0006.0001.0001] referred to

in paragraph 118(f) below was provided to ARs on 2 December
2019;
(ii) only 34 of 89 RI Advice Practices had provided attestation to the

adoption of the 11 ‘best practice’ cybersecurity elements referred to
in paragraph 118(f) below; and
(iii) a final due date for this to be completed had not been set;
102
Particulars
On 20 April 2020, RI Advice requested ARs to provide attestation

from the technical support executive from each RI Advice Practice
to the adoption of the 11 elements in the Cyber Security Guide and
had received attestations from 34 of 89 RI Advice Practices
[RIF.0006.0013.0001]. RI Advice was following up with RI Advice
Practices who had not attested to full implementation, but no date
was set for completion: RI Advice letter to ASIC dated 1 May 2020
[FFG.1027.0001.0003], items 1(a) and 6.
(e) Awareness Material had been completed;
Particulars
During November and December 2019, RI Advice conducted a

series of Cyber Security presentations to the AR network, and
between February and May 2020, RI Advice, supported by Security
in Depth, conducted two webinars (Part A and Part B) for its adviser
network to raise awareness about the management of cyber
security risks relevant to their practices: RI Advice letter to ASIC
dated 1 May 2020 [FFG.1027.0001.0003], items 1(a) and (d).
121 ARs or support staff attended the cybersecurity Part A webinar,

and 128 attended the Part B webinars hosted by Security in Depth
[RIF.0006.0004.0001].
(f) in respect of Mandated MFA, RI Advice had received attestations from its
ARs that they had implemented multifactor authentication in Xplan;
Particulars
RI Advice had received attestations from all RI Advice Practices that

they had two factor authentication in place in respect of Xplan. RI
Advice monitored compliance with the 2FA requirements of Xplan
since 4 October 2019 by reviewing monthly on-line audit reports:
RI Advice letter to ASIC dated 1 May 2020 [FFG.1027.0001.0003],
items 1(f) and 4.
103
All_Users_2FA__RI JAN dated 17 January 2020

[RIF.0006.0006.0007].
16 December 2019 Outstanding Xplan 2FA (spreadsheet) dated

about 16 December 2019 [RIF.0006.0006.0001].
20 November 2019 Outstanding Xplan 2FA (spreadsheet) dated

about 20 November 2019 [RIF.0006.0006.0002].
21042020 2FA Report dated about 21 April 2020 spreadsheet

[RIF.0006.0006.0003] which recorded that 96% of users had
activated two factor authentication in Xplan.
As alleged in paragraph 113(c)(ii) above, Security in Depth reported

in its April 2020 CARR that RI Shepparton had no utilisation of two
facto authentication.
(g) Mandated Password Management was complete;
Particulars
LastPass, which was not a mandatory password management

system, had been implemented by 215 ARs and practice staff
(approximately 42% of users).
RI Advice reviewed on-line audit reports available from the

LastPass system about the implementation of Lastpass: LastPass
audit reports: [RIF.0006.0014.0005 (17 April 2020),
RIF.0006.0014.0002 (22 April 2020) and RIF.0006.0014.0003 (27
April 2019)].

item 1(f) and 7.
(h) Cybersecurity Leadership was complete;
(i) in respect of the Gap Analysis:
(i) the scope of the Gap Analysis had been expanded so that a cyber
assessment was planned to be performed on each RI Advice
104
Practice, which was not expected to be completed until the end of

2020; and
(ii) draft cyber assessments for only 3 of the 89 RI Advice Practices

had been completed, which had yet to be considered by RI Advice
for any formal recommendations;
Particulars
The following three draft reports had been provided to RI Advice,

which had yet to be considered by RI Advice for any formal
recommendations:
Cyber Assurance Risk Rating Report Bountiful Wealth dated 23

April 2020 [RIF.0006.0010.0014];
Cyber Assurance Risk Rating Report: Benchmark Consultants

dated 27 April 2020 [RIF.0006.0010.0004]; and
Cyber Assurance Risk Rating Report: RI Advice Berwick dated 27

April 2020 [RIF.0006.0010.0025].

item 1(j).
(j) in respect of the Review of the Cyber Standard:
(i) the Cyber Security Standard was released on 30 March 2020, and
ARs were expected to successfully complete a planned
examination on its contents by 30 June 2020; and
(ii) no attestations or audits to verify that all ARs had fully implemented
the Cyber Security Standard had been completed;
Particulars
The Cyber Security Standard [RIF.0006.0002.0065] was released

and uploaded to the RI Intranet on 30 March 2020. It was planned
that ARs would be tested on this standard as part of an exam which
was planned to be available from 11 May 2020, and that ARs were
105
to complete by 30 June 2020: RI Advice letter to ASIC dated 1 May

2020 [FFG.1027.0001.0003], items 1(d) and (i).
(k) in respect of the Cybersecurity Incident Response Plan Finalisation, the

Cybersecurity Incident Response Plan was released on 22 April 2020 and
provided to ARs on 27 April 2020;
Particulars
RI Advice Cybersecurity Incident Response Plan Process Guide

(CIRP) Process Guide: Data Breach (Version 1.3) dated 22 April
2020 [RIF.0006.0011.0001].
RI Advice provided the Cybersecurity Incident Response Plan to

ARs via a link in a newsletter dated 27 April 2020
[RIF.0006.00005.0098].

item 1(c).
(l) Training Implementation had been completed and ARs were expected to
successfully complete a planned examination on the webinar contents by
30 June 2020;
Particulars
The training implemented as at 1 May 2020 is referred to in sub-

paragraph (e) above.
It was planned that ARs would be tested on the content of the

webinars through an exam which was planned to be available from
11 May 2020 that ARs were to complete by 30 June 2020:
item 1(d).
(m) Cyber Insurance had been obtained and was being offered to ARs;
106
(n) RI Advice expected to have implemented the Cybersecurity Strategy by

the end of 2020, but no formal documentation of the proposed strategy
had been completed; and
Particulars
No relevant documentation is referred to in RI Advice’s letter to

ASIC dated 1 May 2020 [FFG.1027.0001.0003], item 11.
(o) RI Advice expected to have implemented the ACR Program by the end of
2020.
Particulars
The program was commenced on 19 October 2019 and RI Advice

expected it to be implemented by the end of 2020: RI Advice letter
to ASIC dated 1 May 2020 [FFG.1027.0001.0003], item 1(h).
The ACR Nominations and Training Logs - RI Advice [spreadsheet]

dated 27 April 2020 [RIF.0006.0008.0001] recorded that
approximately 10 RI Advice Practices had attended relevant training
sessions.
Advice Processes and Client Records guide dated 27 April 2020

[RIF.0006.0008.0002].
G.5 Inadequacy of May 2020 Cybersecurity Documentation and Controls
118 As at 1 May 2020, the Cybersecurity Documentation and Controls that RI Advice
held or had access to for the management of risk in respect of cybersecurity and
cyber resilience across its AR network were as follows:
(a) the IOOF Developed Documentation;
Particulars

access to as at 1 May 2020 is set out in Schedule C.
107
(b) the November 2019 Documentation and Controls referred to in paragraph

103 above with the exception of the documents referred to in paragraphs
103(b), (d) and (f) above;
(c) the RI Advice Information Security Policies dated 13 May 2019

[FFG.1026.0001.0101] referred to in paragraph 103(e) above, which:
Particulars
The document contains yellow highlights and references to ‘XXXX”,

and is not signed.
The document is not referred to in RI Advice’s letter to ASIC dated

1 May 2020 [FFG.1027.0001.0003].
(d) Cyber Security Standard, released on 30 March 2020

[RIF.0006.0002.0065];
(e) RI Advice Cybersecurity Incident Response Plan Process Guide (CIRP)

Process Guide: Data Breach (Version 1.3) dated 22 April 2020
[RIF.0006.0011.0001];
(f) an updated version of the Cyber Security Support Guide

[RIF.0006.0001.0001] dated about December 2019, which referred to the
following 11 ‘RI Advice Group best practices’:
(i) use a Firewall;
(ii) patch;
(iii) document your cybersecurity policies;
(iv) use a VPN;
(v) educate all employees;
(vi) enforce safe password practices;

108
(vii) regularly back up all data;
(viii) install anti-malware software;
(ix) use multifactor identification;
(x) password protection for emails and correspondence; and
(xi) prepare for a brute force attack.
(g) Security in Depth document titled 'CARR Framework Questions' dated

about 23 April 2020 [RIF.0006.0010.0003];
(h) Small Business Cyber Security Guide dated 2 April 2020

[RIF.0006.0002.0189] developed by the Australian Cyber Security Centre;
(i) guidance and questionnaires on implementation of password management

and two factor authentication;
Particulars
How to Password Protect a PDF file for Free dated 27 April 2020
[RIF.0006.0002.0103].
How to Password Protect RI Advice Word Documents dated 27

April 2020 [RIF.0006.0002.0131].
How to Password Protect RI Advice Word Documents dated 27

April 2020 [RIF.0006.0002.0131].
LastPass FAQs dated 27 April 2020 [RIF.0006.0002.0145].
Work at Home Protection: Quick Security Tips dated 27 April 2020

[RIF.0006.0002.0139].
(j) spreadsheet recording ARs’ implementation of two factor authentication;

and
109
Particulars
All_Users_2FA__RI JAN dated 17 January 2020

[RIF.0006.0006.0007].
16 December 2019 Outstanding Xplan 2FA (spreadsheet) dated

about 16 December 2019 [RIF.0006.0006.0001].
20 November 2019 Outstanding Xplan 2FA (spreadsheet) dated

about 20 November 2019 [RIF.0006.0006.0002].
21042020 2FA Report dated 29 April 2020 spreadsheet

[RIF.0006.0006.0003].
(k) presentations, webinars and newsletters, cybersecurity questions and

mandatory cybersecurity induction questions, and exam questions
covering cybersecurity awareness related topics.
Particulars
Cyber Exam [spreadsheet] dated 26 April 2020

[RIF.0006.0004.0087].
Cyber Security Webinar - Presentation Link dated 6 April 2020

[RIF.0006.0002.0036].
IOOF Cyber Resilience Initiative presentation by Security in Depth

dated 26 April 2020 [RIF.0006.0004.0003].
IOOF Cyber Resilience presentation by Security in Depth dated 26

April 2020 [RIF.0006.0004.0042].
Cyber Resilience - Intranet Content [screenshot] dated 27 April

2020 [RIF.0006.0002.0180].
Cyber Resilience Initiative: Your participation in the pilot group

dated 1 May 2020 [RIF.0006.0010.0001].
Cyber Security CEO Update dated 30 April 2020

[RIF.0006.0001.0010].
110
RI Report 18 November 2019 [RIF.0006.0005.0045].
RI Report 25 November 2019 [RIF.0006.0005.0083].
RI Report 2 December 2019 [RIF.0006.0005.0052].
RI Report 9 December 2019 [RIF.0006.0005.0009].
RI Report 28 January 2020 [RIF.0006.0005.0091].
RI Report 10 February 2020 [RIF.0006.0005.0017].
RI Report 02 March 2020 [RIF.0006.0005.0062].
RI Report 06 April 2020 [RIF.0006.0005.0117].
Webinar Links [URLs] dated about 27 March 2020 (LastPass,

Cybersecurity Webinar, LastPass Enterprise Training July 2019,
Cybersecurity Essentials Part B Webinar) [RIF.0006.0002.0130].
(the May 2020 Documentation and Controls).
119 As at 1 May 2020, RI Advice did not have in place any Cybersecurity
111
120 By its May 2020 Documentation and Controls, as at 1 May 2020, RI Advice:
(b) relied in part upon the IOOF Developed Documentation, which:

of, alternatively was not relevant to, its governance and
across its AR network.
Particulars

access to as at 1 May 2020 which had the characteristics referred
to in sub-paragraphs (i) to (iv) above is set out in Schedule C.
Particulars
The gaps between the May 2020 Documentation and Controls and
the Cybersecurity Documentation and Controls which RI Advice
112

out in Schedule F.
G.6 Contraventions in respect of conduct up to, or as at, 1 May 2020
121 Alternatively to paragraphs 93 and 106 above, and further or alternatively to

paragraph 110 above, by reason of the matters pleaded in paragraphs 2 to 5, 11
to 15, 85 to 91, 100 to 105, 108, 109 and 115 to 120 above, including with
knowledge of the matters in respect of the Cybersecurity Incidents pleaded in
paragraphs 19, 20(a), 23, 24(a), 29, 30(a), 34, 35(a), 39, 40(a), 44, 45(a), 46, 48,
56, 63, 64(a), 67 to 72, 81 to 84, 95 and 107(a) above and knowledge of the
other matters pleaded in paragraphs 73 to 80 above, at all times from 13 March
2019 to 1 May 2020, alternatively at all times since 13 March 2019, alternatively
on 1 May 2020, RI Advice:

to expect;

113



H. RELIEF
By reason of the matters referred to above, ASIC seeks the relief stated below.
Declarations
1 Declarations that RI Advice:
(a) contravened ss 912A(1)(a), (b), (c), (d) and (h) of the Act at all times from
15 May 2018 to 12 March 2019; and
114
(b) contravened ss 912A(1)(a), (b), (c), (d) and (h) and (5A) of the Act at all
times from 13 March 2019 to:
1) the date of judgment; alternatively
2) 1 May 2020; alternatively
3) 1 November 2019,
as a result of its failure to have strategies, frameworks, policies, plans, procedures,

standards, guidelines, systems, resources and controls in respect of cybersecurity and
cyber resilience in place that were adequate to manage risk in respect of cybersecurity
and cyber resilience for itself and across its AR network, and as a result of this
conduct, it:
(i) in contravention of s 912A(1)(a) of the Act, failed to do all things

necessary to ensure that the financial services covered by the
Licence were provided efficiently, honestly and fairly, in that the
financial services covered by the Licence were not provided
efficiently or fairly because RI Advice’s performance in respect of
cybersecurity and cyber resilience was inadequate and exposed the
persons to whom the financial services were supplied to an
unacceptable level of risk, and did not meet the reasonable
standard of performance that the public is entitled to expect;
(ii) in contravention of s 912A(1)(b) of the Act, failed to comply with the

condition of the Licence requiring it to establish and maintain
compliance measures that ensure, as far as is reasonably
practicable, that it complies with the provisions of the financial
services laws (which relevantly comprise ss 912A(1)(a), (d) and (h)
of the Act), in that RI Advice failed to establish and maintain such
compliance measures in respect of cybersecurity and cyber
resilience;
(iii) in contravention of s 912A(1)(c) of the Act, failed to comply with the

financial services laws (which relevantly comprise ss 912A(1)(a),
(b), (d) and (h) of the Act);
115
(iv) in contravention of s 912A(1)(d) of the Act, failed to have available

resources) to provide the financial services covered by the Licence
and to carry out supervisory arrangements, in that RI Advice’s
relevant resources in respect of cybersecurity and cyber resilience,
comprising its Cybersecurity Documentation and Controls, were
inadequate to provide the financial services covered by the Licence
without exposing the persons to whom the financial services were
(v) in contravention of s 912A(1)(h) of the Act, failed to have adequate

risk management systems, in that RI Advice’s relevant risk
management systems in respect of cybersecurity and cyber
resilience, comprising its Cybersecurity Documentation and
Controls, were inadequate to prevent the exposure of the persons
to whom the financial services were supplied to an unacceptable
level of risk; and
(vi) by reason of the contraventions of each of ss 912A(1)(a), (d) and

(h) of the Act referred to in sub-paragraphs (b)(i), (iv) and (v) above,
contravened s 912A(5A) of the Act.
2 Alternatively to paragraph 1 above, declarations that RI Advice:
(a) contravened ss 912A(1)(a), (b), (c), (d) and (h) of the Act on:
1) 15 May 2018; and/or
2) 12 March 2019; and/or
(b) contravened ss 912A(1)(a), (b), (c), (d) and (h) and (5A) of the Act on:
1) 13 March 2019; and/or
2) 1 November 2019; and/or
3) 1 May 2020,
116
as a result of its failure to have strategies, frameworks, policies, plans, procedures,

standards, guidelines, systems, resources and controls in respect of cybersecurity and
cyber resilience in place that were adequate to manage risk in respect of cybersecurity
and cyber resilience for itself and across its AR network, and as a result of this
conduct, it:


resilience;


117


level of risk; and

3 Further or alternatively to paragraphs 1 and 2 above, declarations that at all times

since 18 November 2019 after becoming aware of the Empowered Cybersecurity
Incident, RI Advice failed to take adequate steps to remediate any gaps or
deficiencies across its AR network relevant to the root cause of the Empowered
Cybersecurity Incident, and as a result of this conduct, it:


118

resilience;



level of risk; and

Pecuniary penalties
4 RI Advice pay pecuniary penalties in relation to each of the contraventions of

s 912A(5A) of the Corporations Act referred to in paragraphs 1(b)(vi),
alternatively 2(b)(vi), and, further or alternatively, 3 above.
119
Compliance orders
5 RI Advice must, within 3 months of the date of these Orders, have strategies,
frameworks, policies, plans, procedures, standards, guidelines, systems,
resources and controls in respect of cybersecurity and cyber resilience in place
that are adequate to manage risk in respect of cybersecurity and cyber resilience
for itself and across its AR network.
6 RI Advice must, within 5 months of the date of these Orders, provide the plaintiff
with a written report of a suitably qualified independent expert (Expert)
confirming RI’s compliance with paragraph 5 above.
7 The identity of the Expert and the terms of his or her retainer are to be agreed
between the plaintiff and RI Advice, or failing agreement are to be determined by
the Court.
8 The Expert is to commence their work by no later than 3 months from the date of
these Orders.
9 The costs of the Expert are to be paid by RI Advice.
Other orders
10 RI Advice pay the plaintiff’s costs.
11 Such further or other orders as the Court thinks fit.
Date: 26 October 2020
Signed by Andrew John Christopher

Lawyer for the plaintiff
This pleading was prepared by Fleur Shand of counsel and settled by Stephen
Parmenter QC and Paul Liondas of counsel.
120
Certificate of lawyer
I Andrew John Christopher certify to the Court that, in relation to the statement of claim
filed on behalf of the plaintiff, the factual and legal material available to me at present
provides a proper basis for each allegation in the pleading.
Date: 26 October 2020
Signed by Andrew John Christopher
Lawyer for the plaintiff

121
Schedule A
MINIMUM CYBERSECURITY REQUIREMENTS –

DETAILS OF 13 CYBERSECURITY DOMAINS
Cybersecurity Categories Expected Description

Domain Documents
1. Governance & Strategies, ED 1.1 Strategy: A plan of action which

Business Frameworks, Cybersecurity establishes a set of objectives and goals to
Environment and Policies Strategy, help continually manage and improve
Framework, or cybersecurity and cyber resilience of an
Program organisation. Should be aligned to wider
enterprise risk objectives and business
objectives of an organisation.
Framework: A logical structure which

provides further definition around the
cybersecurity protection, detection,
response, and recovery capabilities of an
organisation. Can either be adopted based
on an existing industry framework (e.g.
National Institute of Standards and
Technology (NIST) CSF, ISO27001), or
developed as an in-house framework.
Program: A program of work which fulfils

the cybersecurity strategy. Often contains a
series of operational work streams as well
as new projects to develop, enhance, or
remediate a capability.
ED A set of top-level rules and statements that

1.2 Cybersecurity govern cybersecurity across an
Policy organisation. Describes cybersecurity
requirements at a high level and is
complemented by lower level policies,
plans, procedures, standards, and
guidelines. Should also consider and
reference legislation and regulations
applicable to an organisation in context of
cybersecurity.
ED 1.3 IT An issue-specific document which stipulates

Acceptable Use the constraints and protocols which a user
Policy (including third parties and contractors)
must agree to and abide by in order to
access an IT asset within an organisation. A
common example is computer login screens
that prompt users to accept and agree
before being granted access into a
corporate system and network.
122

Domain Documents
Plans, ED 1.4 Evaluation A defined evaluation process which allows

Procedures, and Prioritisation an organisation to identify and rank assets
Standards, Process (e.g. or business processes based on their risk to
Guidelines Business Impact the organisation. The output of the
Analysis, Cyber evaluation process should provide a
Risk Assessment, prioritised list of assets or business
Asset Identification processes, which would allow an
and Classification) organisation to design, implement, and
operate cybersecurity controls
commensurate with the level of risk
identified.
Common evaluation processes to help an

organisation identify and rank their areas of
importance based on risk include business
impact assessments, enterprise cyber risk
assessments, and asset identification and
classification processes.
Systems, ED Formalised and agreed functions performed

Resources, 1.5 Cybersecurity by stakeholders with obligations to tasks or
and Controls Security Roles and duties for which those persons are
Responsibilities accountable. Considerations for
(across all levels) cybersecurity should also be integrated as
terms and conditions of employment
contracts.
2. Risk Strategies, ED 2.1 Risk A set of top-level rules and statements that
Assessments Frameworks, Management govern risk management across an
and Risk and Policies Policy organisation. Often supported by a risk
Management management framework and risk
management procedures.
ED 2.2 Risk The parameters which help an organisation

Appetite determine the amount of risk they are willing
Statement (which to accept in pursuit of their strategic
considers cyber objective. In the context of cybersecurity, a
risk) risk appetite should also apply to the level
of cyber risk the organisation is willing to
accept.
Plans, ED 2.3 Risk Documented processes for systematically

Procedures, Assessment and continuously identifying cybersecurity
Standards, Procedures risks to an organisation including the
Guidelines likelihood, the impact, existing safeguards,
and residual risk. Cyber risk assessments
may be aligned to industry-recognised
frameworks or proprietary frameworks, and
may be performed by internal or external
stakeholders.
ED 2.4 Risk Registers which document identified risks to

Registers an organisation including cyber risks.
Sources of identified cyber risk may include
cyber risk assessments, security audits,
penetration tests (which refers to the
process of identifying and attempting to
123

Domain Documents
actively exploit vulnerabilities in order to

penetrate into a system or environment
(Penetration Tests)), and vulnerability
assessments (which refers to the process of
identifying, quantifying, and prioritising
vulnerabilities identified in an information
asset or system (Vulnerability
Assessment). Vulnerability assessments
are typically performed using or assisted
using automated vulnerability assessment
tools.
ED 2.5 Risk Documented processes for managing risks

Management Plans including cyber risk. Often includes risk
prioritisation, risk treatment actions, and
continuous monitoring of risks.
Systems, ED 2.6 Risk Function which is responsible for ensuring

Resources, Management risk including cyber risk is considered as
and Controls function part of the enterprise risk management.
(discussing
enterprise and
cyber risk including
third parties)
ED 2.7 Risk Evidence of risk assessments inclusive of

Assessments cyber risk being performed on a regular
(performed by basis. Alternatively, evidence of cyber risk
internal or external being continually identified from varying
stakeholders) sources of audits, assessments, and
reviews on a regular basis. The risk
assessments typically contain observations,
findings, and recommendations which are
ordinarily formed into management action or
remediation action plans.
3. Asset Strategies, ED 3.1 IT Asset A set of top-level rules and statements that
Management Frameworks, Management govern how IT assets should appropriately
and Policies Policy be configured, managed, and protected
throughout their lifecycle. Often supported
by asset management procedures and
asset registers.
Plans, ED 3.2 Asset Detailed step-by-step instructions on how to

Procedures, Management manage IT assets within an organisation.
Standards, Procedures Often contains procedural details including
Guidelines (including lifecycle roles and responsibilities of asset owners
management, and delegates, when and how hardware
ongoing inventory, and software assets are to be inventoried
review, re-use and and reviewed, procurement or development
disposal) process of assets, maintenance of assets,
and the disposal, reuse and destruction of
assets.
124

Domain Documents
ED 3.3 IT Asset Registers which document identified IT

Registers assets within an organisation. IT asset
(including external registers often contain details inclusive of
IT assets) asset ID, owner, location, asset type,
security classification and business priority.
ED 3.4 Asset Documented classification procedures

Security which allow stakeholders to appropriately
Classification classify IT assets (such as endpoints,
Procedures servers, applications, databases,
(including labelling environments, and information) in line with
and handling of their defined organisational classifications.
assets) Endpoints denote end-user machines and
devices that are typically interconnected
within a corporate environment and internet-
capable. They often present a key
vulnerable point of entry for cybersecurity
attacks. Examples of endpoints include
desktops, laptops, smartphones, tablets,
workstations, and servers (Endpoints).
Systems, ED Description of the processes and tools in

Resources, 3.5 Automated or place to support the IT asset management
and Controls manual processes. This may include automated and
mechanisms to manual mechanisms (e.g. network
maintain an up-to- discovery tools, PowerShell scripts, manual
date, complete, stocktake).
accurate, and
readily available
inventory of IT
Assets information
system
components (e.g.
human processes,
network discovery
and infrastructure
monitoring
solutions)
4. Supply Chain Strategies, ED 4.1 Third A set of top-level rules and statements that
Risk Frameworks, Party Management govern how third parties are managed by an
Management and Policies Policy organisation, including how risk and cyber
risk posed by the third parties should be
governed. Often linked into the broader risk
management framework and supported by
third party risk procedures.
Plans, ED 4.2 Third Documented processes for identifying and

Procedures, Party Risk managing third party risk including cyber
Standards, Assessments and risk. Often details appropriate risk treatment
Guidelines Management actions including avoidance should the risk
Processes from a third party be determined to be
unacceptable.
125

Domain Documents
Systems, ED 4.3 Third Evidence of third party risk questionnaires

Resources, Party Risk and assessments demonstrating cyber risk
and Controls Questionnaires management being actively enacted for
and Assessment third parties. Additional evidence may
Templates include cybersecurity attestations from third
parties such as Service Organisation
Controls (SOC) 2 reports, ISO27001
certifications, results of security tests, and
results of continuity tests. SOC refers to a
series of compliance-related controls
introduced by the American Institute of
Certified Public Accountants (AICPA)
primarily for vendor or service organisations
to meet. A SOC report is a verifiable
auditing report which is performed by a
Certified Public Accountant (CPA) in order
to verify and check the status of internal
controls within an organisation.
A SOC 2 report in particular refers to an
independent report on an organisation’s
design and operating effectiveness of its
internal IT security controls.
5. Access Strategies, ED 5.1 Access A set of top-level rules and statements that
Management Frameworks, Control Policy govern how IT access control is managed
and Policies by an organisation. Often includes
governing rules around standard system
access, access for third parties and
contractors, remote access, multi-factor
authentication, and strong minimum
password requirements (such as password
complexity and restricting default
passwords). Often linked to the
cybersecurity policy and access control
standard operating procedures.
ED 5.2 Mobile A set of top-level rules and statements that

Device govern and control the use of mobile
Management devices (e.g. phones, tablets, smart
Policy devices) within an organisation. Especially
applies to Bring Your Own Device (BYOD)
practices in organisations where users are
allowed to connect and join their mobile
devices for business purposes.
Plans, ED 5.3 Access Detailed step-by-step instructions on

Procedures, Control Procedures managing access to the organisation's IT
Standards, (including assets. Often includes IT access
Guidelines onboarding, onboarding (which refers to the action or
ongoing access process of integrating a new employee into
review, an organisation (Onboarding)) and
offboarding, least offboarding (which refers to the action or
privileges, remote process of separating an employee from an
access) organisation (Offboarding)) processes,
routine access reviews, least privileged-
based access provisioning, system and
application security controls such as brute-
force protection, enforcing multi-factor
126

Domain Documents
authentication, and managing remote

access. Typically links into the access
control policy and cybersecurity policy.
ED 5.4 Mobile Detailed step-by-step instructions on

Device managing the use of mobile devices and the
Management associated risks to an organisation. This
Procedures includes approval requirements, onboarding
processes, required security controls,
ongoing inventory and review, and
offboarding processes. Typically links into
the mobile device policy and broader
access control procedures.
Systems, ED 5.5 IT Access Evidence of IT access reviews being

Resources, Review and performed across an organisation’s IT
and Controls Results (including assets. The frequency and depth of review
segregation of should be in line with the criticality of the IT
duties and least asset being reviewed. Reviews should also
privilege) incorporate examinations across privileged
account activity, segregation of duties, and
least privilege provisioning.
ED 5.6 Usage of Evidence of multi-factor authentication

Multi-Factor implementation (e.g. soft tokens such as
Authentication Google and Microsoft Authenticator, hard
Tools (e.g. Soft tokens such as YubiKey, biometrics).
tokens, hard
tokens)
6. Personnel Strategies, ED 6.1 Security A set of top-level rules and statements that
Security, Frameworks, Training & govern the requirements surrounding
Training and and Policies Awareness Policy cybersecurity training and awareness
Awareness across an organisation. This policy may be
standalone or be included in an overarching
cybersecurity policy.
ED 6.2 Clear Desk A set of rules and statements governing

and Clear Screen clear desk and clear screen requirements of
Policy an organisation. Often links into IT
acceptable usage policy and an overarching
127

Domain Documents
Plans, ED 6.3 Security Formal document which outlines the plan of

Procedures, Training and action for the approach to cybersecurity
Standards, Awareness Plan training and awareness for an organisation.
Guidelines for all users Often includes security training embedded
(including as business-as-usual processes (e.g.
Contractors, Third routine new starter security training, annual
Parties, Privileged security training) as well as planned security
users) awareness initiatives (e.g. planned phishing
campaigns, clear desk and screen audits).
ED 6.4 Clear Guidelines to assist users in maintaining

Desk and Clear clear desks and screens in line with the
Screen Guidelines Clear Desk and Clear Screen policy. Often
includes supporting tips such as using
locked cabinets, lock screen shortcuts,
avoiding keeping sensitive physical
documents for prolonged periods of time.
ED Defined background screening and vetting

6.5 Background steps performed prior to or as part of
Vetting Procedures employee and contractor onboarding
protocols. Generally includes minimum
vetting requirements, role-based additional
vetting requirements, national police
checks, and social media background
vetting.
ED 6.6 Onboarding Defined templates and instructions which

and Offboarding IT outline security requirements for onboarding
Checklists and offboarding employees, contractors and
relevant third parties within an organisation.
Generally involves acknowledgment and
acceptance of policies including relevant
security policies prior to being provided
system access followed by the requirement
to complete security awareness training
within a specified time and confirmation.
Offboarding checklists often include
checking that employees have returned all
IT asset equipment and all system access
has been revoked in a timely manner.
Systems, ED Evidence of an organisation measuring both

Resources, 6.7 Measurement the baseline of user security awareness as
and Controls of Security Training well as the effectiveness of their security
& Awareness training. This may be produced from
completion and ongoing cybersecurity awareness tests (e.g.
effectiveness module questions following cybersecurity
awareness material), test results, and
feedback on assessments and awareness
material.
7. Data Security Strategies, _ _

Frameworks,
and Policies
128

Domain Documents
Plans, ED Detailed step-by-step instructions for

Procedures, 7.1 Information securely storing information and IT assets
Standards, Storage within an organisation. Often includes
Guidelines Procedures security requirements of information stored
at rest such as use of encryption across
servers, Endpoints, applications, and
databases, access management, strong
minimum password requirements (such as
password complexity and restrictions
against default passwords), backup and
disaster recovery requirements.
ED 7.2 Information Detailed step-by-step instructions for

Transfer securely transferring information and IT
Procedures assets within an organisation. Secure
transfer controls often include use of Virtual
Private Networks (VPNs), secure transfer
portals, secure messaging protocols,
approved encryption-in-transit protocols,
and encryption of removable transfer
mediums (e.g. USBs, hard drives).
Systems, ED 7.3 Data Evidence of data loss protection controls

Resources, Loss Protection being implemented and operationalised in
and Controls Controls an organisation. Effective data loss
protection controls typically include the
development of business rules to classify
and protect sensitive information, and
technical controls which rely on those
business rules to detect and block instances
of suspected data loss.
ED Documented information, network, and data

7.4 Information flow diagrams of an organisation’s IT
flow diagrams, environment.
data flow
diagrams, and
logical network
diagrams
8. Secure Strategies, ED 8.1 SDLC A set of top-level rules and statements that
System Frameworks, and Change govern how systems and software are
Development and Policies Management introduced into an organisation’s IT
Life Cycle Policy environment as well as how changes to the
(SDLC) and IT asset baselines are managed. This policy
Change may be standalone or often may be
Management included in an overarching IT policy.
Plans, ED 8.2 SDLC Detailed step-by-step instructions for

Procedures, Security securely managing SDLC lifecycles within
Standards, Procedures an organisation. Often includes security
Guidelines requirements surrounding separation of
development, testing, and production
environments as well as checklist security
reviews and technical security testing.
129

Domain Documents
ED 8.3 Change Detailed step-by-step instructions of an

Control Procedures organisation’s approach to change
(including security) management. This may include change
management roles and responsibilities,
change advisory boards, usage of change
windows, and start to end change
management steps. Thresholds and triggers
for security reviews should also be included
within change procedures.
Systems, _ _
Resources,
and Controls
9. Baseline Strategies, _ _
Operational Frameworks,
Security and Policies
Plans, ED 9.1 IT Document outlining established IT baselines

Procedures, Baselines and and configuration standards (e.g. minimum
Standards, Configuration encryption requirements, network
Guidelines Standards operations baselines, operating system,
cloud environments baselines such as
O365 secure scoring baselines, and
corporate device standards). To meet
application hardening requirements of the
ASD Essential 8, the baselines and
standards should also be inclusive of
hardening steps for Flash, ads, and Java.
Flash commonly refers to a computer
software which allows web developers to
incorporate animations and interactive
content into websites (Flash). Java is a
class-based, object-oriented programming
language that produces software for
multiple platforms (Java). Application
hardening refers to securing an application
or a system by reducing its surface of
vulnerabilities. Common examples of
application hardening include patching
vulnerabilities, turning off nonessential
services and changing default credentials
(Application Hardening).
ED Detailed step-by-step instructions for

9.2 Application establishing and enforcing a standardised
Whitelisting application whitelist across an organisation.
Procedures Application whitelisting is a security
approach designed to protect against
malware being executed on computer
systems. When implemented properly,
application whitelisting ensures that only
approved applications (e.g. executables,
software libraries, scripts and installers) can
be executed (Application Whitelisting).
Requires an initial defined list of approved
applications, established procedures to
130

Domain Documents
enforce technical whitelisting rules via a

method of cryptography which converts any
form of data into a unique string of bytes
(Cryptographic Hash) and certificate rules,
and updating and maintaining whitelists
through change management.
ED 9.3 Microsoft Established guidelines surrounding use of

Office Macro Microsoft Office Macros in an organisation’s
Guidelines and environment. This should include
Procedures organisational guidance on the overall use
of macros, and detailed steps around how
they may be used in an approved and
secure manner.
ED 9.4 Endpoint Detailed instructions on implementing and

and Network operating protective controls to prevent
Protection unauthorised access and malware and
Procedures cyber intrusions to an organisation’s assets
including desktops, laptops, servers,
network devices, email and web filtering,
cloud environments.
Systems, ED Evidence of technical controls enforcing

Resources, 9.5 Application application whitelisting (e.g. use of
and Controls Whitelisting AppLocker and group policy, Endpoint-
Technical Controls based Application Whitelisting solutions).
Group policy refers to a computer software

which allows web developers to incorporate
animations and interactive content into
websites (Group Policy).
ED 9.6 Office Evidence of technical controls restricting the

Macro Settings use of office macros (e.g. Group Policy,
(e.g. Group Policy, trusted locations, digitally signatures)
trusted locations,
digitally signatures)
ED Evidence of Application Hardening across

9.7 Hardened Flash, ads, and java across the internet
usage of Flash, (e.g. blocked usage or additional security
ads, and java controls).
across the internet
ED 9.8 Endpoint Evidence of technical controls to prevent

and Network malware and cyber intrusions within an
Protection organisation’s IT environment (e.g.
Technical Controls Endpoint antimalware solutions, intrusion
prevention systems, Firewalls (systems
designed to prevent unauthorised access to
or from a network through rulesets and
restrictions over data communication traffic.
Firewalls can be implemented in both
hardware and software, or a combination of
131

Domain Documents
both (Firewalls)) and proxies, conditional

access controls, web and email filtering)
10. Security Strategies, ED 10.1 Audit A set of top-level rules and statements that
Continuous Frameworks, and Logging Policy govern audit and logging requirements
Monitoring and Policies across an organisation’s IT assets. This
policy may be standalone or be
incorporated into an overarching
Plans, ED 10.2 Audit Detailed step-by-step instructions about the

Procedures, and Logging enforcement of minimum audit and logging
Standards, Procedures requirements. Often includes minimum
Guidelines (including regular logging retention period (e.g. 12 months),
review) sources of events to be logged, minimum
details to be captured (e.g. unique ID, logon
and logoff time), system-specific details to
be captured, and requirements to review
and audit logs. This should also include
security requirements to protect logs. Links
into the Audit and Logging Policy and the
Event and Incident Monitoring Procedures.
ED 10.3 Event Detailed step-by-step instructions for

and Incident monitoring for security events and potential
Monitoring incidents across an organisation. Often
Procedures details the techniques used to monitor and
correlate events across various logging
sources as well as the establishment of
incident thresholds.
ED 10.4 Security Detailed step-by-step instructions for

Zoning Procedures controlling restricted IT zones and detecting
(e.g. controls for potential physical security incidents in these
restricted IT areas) zones within an organisation. Often details
minimum access security controls (e.g.
restricted swipe card access), audit and
logging procedures (such as sign-in
logbooks), and continuous physical security
monitoring (e.g. CCTV).
Systems, ED 10.5 Endpoint Evidence of technical tools and capability to

Resources, and Infrastructure demonstrate logging and event correlation
and Controls Security Detection capabilities. Tools and capabilities may
Controls include Endpoint and infrastructure-based
detection controls, such as Antivirus,
Intrusion Detection Systems, Next
Generation Firewalls, Wireless Access
Point, Cloud Environment logs. Supports
the Audit and Logging Procedures and
Event and Incident Monitoring Procedures.
132

Domain Documents
ED 10.6 Evidence Evidence of audit and reviews performed

of security audit across logs within an organisation.
and logging Common examples include IT access
reviews (including reviews, privileged access reviews, critical
for internal and application log reviews, and review of
external systems) aggregated events within a centralised log
manager.
11. Vulnerability Strategies, _ _

Management Frameworks,
and Policies
Plans, ED Detailed plan and steps for analysing and

Procedures, 11.1 Vulnerability addressing vulnerabilities as they are
Standards, Management Plan identified. Includes details such as expected
Guidelines and Procedures sources of vulnerability identification (e.g.
routine vulnerability scanning, Penetration
Tests by external stakeholders,
organisational user or external security
researcher reported). Often includes details
surrounding frequency of vulnerability
identification, surrounding roles and
responsibilities for identifying and managing
vulnerabilities, risk ratings, and target
timeframes surrounding critical and high
vulnerabilities. Links into an organisational
risk framework.
ED 11.2 Patch Detailed plan and steps for identifying,

Management assessing, and applying patches in a
Procedures routine and formalised manner. Includes
(including details such as patching timeframes per the
Operating System perceived risk (e.g. extreme risk patches to
and Application be applied within 48 hours per ASD
patching) Essential 8), patch testing approach, and
deployment strategy (e.g. staged
deployment). Typically linked with the
vulnerability management plan and
overarching cybersecurity policy.
Systems, ED Evidence of technical security testing

Resources, 11.3 Technical demonstrating continuous monitoring for
and Controls security testing vulnerabilities, which may impact an
(e.g. penetration organisation.
testing,
vulnerability
scanning, security
audits)
ED 11.4 Patch Evidence of tools and capabilities which

Management support the patch management procedures.
Deployment Tools Tools such as Microsoft System Centre
Configuration Manager (SCCM) may exist
to provide automated mechanisms to
complement the patch management
processes.
133

Domain Documents
12. Incident Strategies, ED 12.1 Incident A set of top-level rules and statements that
Response and Frameworks, Response Policy govern an organisation’s requirements to
Communications and Policies establish and maintain an incident response
capability. The incident policy should
include elements such as purpose and
objectives of the policy, scope of the policy,
identification of key terms relating to cyber
incidents, guidelines for external information
sharing, and incident severity scale.
This policy may standalone or be

incorporated into an overarching
ED 12.2 Data A set of top-level rules and statements that

Breach Response govern an organisation’s requirements to
Policy establish and maintain a data breach
response capability. This policy may be
standalone or be incorporated into an
incident response policy or an overarching
Plans, ED 12.3 Incident Detailed plan and steps for identifying,

Procedures, and Data Breach assessing, and responding to cybersecurity
Standards, Response Plan incidents and data breaches. Includes
Guidelines and Playbooks details such as roles and responsibilities,
incident response phases, communication
steps and call tree (including reliant third
parties), example scenarios, and training
and testing to be performed. Should also
include descriptions of the technical
processes, techniques and checklists that
should be used to assist the incident
response team (which is a team assembled
by the impacted organisation to invoke
common incident handling steps including
identification, containment, eradication, and
recovery (IRT)) in handling the incident, as
well as structured steps for how the
organisation incorporates lessons learnt into
improving its future incident response and
preventing future cybersecurity incidents.
Typically linked with the Incident Response
Policy. This should include external
reporting obligations.
ED 12.4 Public Detailed steps which prepare an

Relations and organisation on responding to external
External stakeholders (including law enforcement)
Communications and public relations issues potentially
Plan arising from data breaches or cybersecurity
incidents. Typically linked with the Incident
Response and Data Breach Response
Plans.
134

Domain Documents
Systems, ED 12.5 Incident Evidence of documented results from

Resources, Response Testing incident response tests or actual incident
and Controls and Post Incident reports which captures detection and
Reports analysis, communication and triaging,
response and recovery, and post-incident
continuous improvement.
13. Continuity Strategies, ED A set of top-level rules and statements that

and Recovery Frameworks, 13.1 Business govern an organisation’s requirements to
Planning and Policies Continuity, Backup establish and maintain business continuity,
and Disaster disaster recovery, and backup capabilities.
Recovery Policy These policies may be standalone from
each other or be combined.
Plans, ED Detailed plan and steps for identifying,

Procedures, 13.2 Business assessing, and responding to business
Standards, Continuity and impacting events and disasters. Includes
Guidelines Disaster Recovery details such as triggers for business
Plan continuity and disasters, communication
steps and call tree (including reliant third
parties), example scenarios, Maximum
Acceptable Outages (MAOs), Recovery
Time Objectives (RTOs), Recovery Point
Objectives (RPOs), and planned training
and testing. Typically linked with the
incident response plan, business continuity
policy, and disaster recovery policy.
ED 13.3 Backup Detailed steps on ensuring there is

Procedures appropriate data backup for an
organisation. Includes details such as scope
of backups, backup frequency, backup
types (e.g. cloud-based, tape), and security
surrounding backups.
Systems, ED Evidence of documented results from

Resources, 13.4 Business incident response tests or actual incident
and Controls Continuity and reports which captures detection and
Disaster Recovery analysis, communication and triaging,
Tests and Post response and recovery, and post-incident
Reports continuous improvement.
ED 13.5 Backup Evidence of documented backup testing

test results performed and results.
135
Schedule B
GAPS IN MAY 2018 CYBERSECURITY DOCUMENTATION AND CONTROLS

AGAINST MINIMUM CYBERSECURITY REQUIREMENTS
Cybersecurity Expected Documents Status (prior to and as at 15 May 2018)

Domain
1. Governance & ED 1.1 Cybersecurity Strategy, Gap. No relevant Cybersecurity

Business Framework, or Program Documentation and Controls present.
Environment
ED 1.2 Cybersecurity Policy Gap. No relevant Cybersecurity
Documentation and Controls present.
ED 1.3 IT Acceptable Use Policy Gap. An ANZ-developed document titled

‘Information Security Standard’ which is
relevant to this control is present
(FFG.1022.0001.0747). However, there is a
lack of evidence to support this document
being implemented and operationalised
across RI Advice and its ARs.
ED 1.4 Evaluation and Gap. While material is present showing RI

Prioritisation Process (e.g. Advice being considered within the ANZ
Business Impact Analysis, Cyber business continuity documentation
Risk Assessment, Asset (FFG.1022.0001.1916), an evaluation
Identification and Classification) process which identifies and prioritises their
assets or business processes based on risk
across the ARs of RI Advice is not present.
An ANZ-developed document titled
ED 1.5 Cybersecurity Security Gap. Defined cybersecurity roles and

Roles and Responsibilities (across responsibilities across RI Advice and its ARs
all levels) are not present.
A formalised agreement which outlines the

overall responsibility and accountability for
cybersecurity between RI Advice and ANZ is
not present.
2. Risk ED 2.1 Risk Management Policy Gap. ANZ risk management framework and
Assessments documentation are present prior to the
and Risk breach (FFG.1018.0001.0498,
Management FFG.1012.0001.0197). Evidence to support
these ANZ risk management practices
permeating across RI Advice and AR
activities is not present.
ED 2.2 Risk Appetite Gap. No relevant Cybersecurity

Statement (which considers Documentation and Controls present.
cyber risk)
136

Domain
ED 2.3 Risk Assessment Gap. ANZ Risk Assessment procedures are

Procedures present (FFG.1018.0001.0512). However,
evidence to demonstrate these procedures
permeating across RI Advice AR activities is
not present.
ED 2.4 Risk Registers Gap. An ANZ global risk library is present

(FFG.1018.0001.0216), but does not contain
cyber risks specific to RI Advice.
ED 2.5 Risk Management Plans Gap. A number of ANZ risk management

procedures are present
(FFG.1018.0001.0318,
FFG.1018.0001.0230). However, evidence
to support these risk management
procedures being implemented across RI
Advice and its ARs is not present.
ED 2.6 Risk Management Gap. Evidence of a risk management group

function (discussing enterprise or committee that continually managed risk
and cyber risk including third across RI Advice and its ARs is not present.
parties)
ED 2.7 Risk Assessments Gap. An ANZ-developed document titled

(performed by internal or external ‘Information Security Standard’ which is
stakeholders) relevant to this control is present
3. Asset ED 3.1 IT Asset Management Gap. No relevant Cybersecurity

Management Policy Documentation and Controls present.
ED 3.2 Asset Management Gap. No relevant Cybersecurity

Procedures (including lifecycle Documentation and Controls present.
management, ongoing inventory,
review, re-use and disposal)
ED 3.3 IT Asset Registers Gap. No relevant Cybersecurity

(including external IT assets) Documentation and Controls present.
ED 3.4 Asset Security Gap. No relevant Cybersecurity

Classification Procedures Documentation and Controls present.
(including labelling and handling of
assets)
137

Domain
ED 3.5 Automated or manual Gap. No relevant Cybersecurity

mechanisms to maintain an up-to- Documentation and Controls present.
date, complete, accurate, and
readily available inventory of IT
Assets information system
components (e.g. human
processes, network discovery and
infrastructure monitoring solutions)
4. Supply Chain ED 4.1 Third Party Management Gap. No relevant Cybersecurity

Risk Policy Documentation and Controls present.
Management
ED 4.2 Third Party Risk Gap. No relevant Cybersecurity
Assessments and Management Documentation and Controls present.
Processes
ED 4.3 Third Party Risk Gap. No relevant Cybersecurity

Questionnaires and Assessment Documentation and Controls present.
Templates
5. Access ED 5.1 Access Control Policy Gap. No relevant Cybersecurity

Management Documentation and Controls present.
ED 5.2 Mobile Device Gap. No relevant Cybersecurity

ED 5.3 Access Control Gap. An ANZ-developed document titled

Procedures (including onboarding, ‘Information Security Standard’ which is
ongoing access review, relevant to this control is present
offboarding, least privileges, (FFG.1022.0001.0747). However, there is a
remote access) lack of evidence to support this document

Management Procedures Documentation and Controls present.
ED 5.5 IT Access Review and Gap. An ANZ-developed document titled

Results (including segregation of ‘Information Security Standard’ which is
duties and least privilege) relevant to this control is present
ED 5.6 Usage of Multi-Factor Gap. No relevant Cybersecurity

Authentication (MFA) Tools (e.g. Documentation and Controls present.
Soft tokens, hard tokens)
6. Personnel ED 6.1 Security Training & Gap. No relevant Cybersecurity

Security, Awareness Policy Documentation and Controls present.
Training and
Awareness
ED 6.2 Clear Desk and Clear Gap. No relevant Cybersecurity
Screen Policy Documentation and Controls present.
138

Domain
ED 6.3 Security Training and Gap. Evidence of security awareness

Awareness Plan for all users comprises ad-hoc cyber awareness
(including Contractors, Third presentations from ANZ, Kaplan Training
Parties, Privileged users) articles, and a presentation by the RI Advice
CEO Peter Ornsby (FFG.1022.0001.2570,
FFG.1003.0001.0098, and
FFG.1007.0001.0093). An overall strategic
plan to drive current and future security
awareness and training needs is not present.

Screen Guidelines Documentation and Controls present.
ED 6.5 Background Vetting No Gap. References to background checks

Procedures are present in HR procedures specific to the
Advisers (FFG.1022.0002.0010).
Additionally, a number of AR appointment
and reference forms are present
(FFG.1022.0001.1650,
FFG.1022.0001.1654, FFG.1022.0001.1656,
FFG.1022.0001.1679, FFG.1022.0001.1702,
FFG.1022.0001.1643, FFG.1022.0001.2374,
FFG.1022.0001.2377).
ED 6.6 Onboarding and Gap. An 'AR & CAR Cancellation Checklist'

Offboarding IT Checklists which references a requirement to remove
system access is present
(FFG.1022.0001.2375). However, further
detailed information (e.g. procedural steps,
checklists or guides) surrounding onboarding
and offboarding steps for RI Advice and its
ARs is not present.
ED 6.7 Measurement of Security Gap. A 'Reboot Reset - Cybercrime in

Training & Awareness completion business' presentation by ANZ Wealth is
and effectiveness present (FFG.1022.0001.2570). Evidence of
ongoing security awareness training as well
as measurement of the training across RI
139

Domain
7. Data Security _
ED 7.1 Information Storage Gap. Electronic Storage Guide applicable to

Procedures RI Advice and its ARs briefly outlines the
broad requirement to secure and control
access to electronic files
(FFG.1002.0001.0005).
A Privacy Standard is present

(FFG.1022.0001.1205) which summarises
high level security considerations with
respect to personal information. No detailed
security procedures are present in this
standard.

Additionally, references to high level data

security elements (e.g. “Electronic
information must be protected”) are present
in the RI Advice Procedures and Policies
(FFG.1022.0001.0448). The document
constitutes a policy as the level of detail
contained within the cybersecurity-related
sections is not sufficient to constitute a
procedure.
Further detailed steps and guidance around

how RI Advice and its ARs should be storing
and protecting their data at rest is not
present.
ED 7.2 Information Transfer Gap. An ANZ-developed document titled

Procedures ‘Information Security Standard’ which is
ED 7.3 Data Loss Protection Gap. No relevant Cybersecurity

Controls Documentation and Controls present.
ED 7.4 Information flow Gap. No relevant Cybersecurity

diagrams, data flow diagrams, and Documentation and Controls present.
logical network diagrams
8. Secure ED 8.1 SDLC and Change Gap. No relevant Cybersecurity

System Management Policy Documentation and Controls present.
140

Domain
Development ED 8.2 SDLC Security N/A – May not be applicable to RI Advice

Life Cycle Procedures and its ARs as they do not internally develop
(SDLC) and applications.
Change
Management
ED 8.3 Change Control Gap. An ANZ Operational Risk Change
Procedures (including security) Management Process document is present
(FFG.1018.0001.0416). However, this
process appears specific to managing
changes to the risk framework only, and
does not address IT changes.
_ _
9. Baseline _ _
Operational
Security
ED 9.1 IT Baselines and Gap. An ANZ-developed document titled
Configuration Standards ‘Information Security Standard’ which is
ED 9.2 Application Whitelisting Gap. No relevant Cybersecurity

Procedures Documentation and Controls present.
ED 9.3 Microsoft Office Macro Gap. No relevant Cybersecurity

Guidelines and Procedures Documentation and Controls present.
ED 9.4 Endpoint and Network Gap. An ANZ-developed document titled

Protection Procedures ‘Information Security Standard’ which is

Technical Controls Documentation and Controls present.
ED 9.6 Office Macro Settings N/A - ASD Top 4 did not mandate hardening
(e.g. Group Policy, trusted of Microsoft Office Macros at this time
locations, digitally signatures)
ED 9.7 Hardened usage of N/A - ASD Top 4 did not mandate hardening
Flash, ads, and java across the of Flash, ads, and java across the internet at
internet this time.
ED 9.8 Endpoint and Network Gap. No relevant Cybersecurity

Protection Technical Controls Documentation and Controls present.
ED 10.1 Audit and Logging Gap. No relevant Cybersecurity

Policy Documentation and Controls present.
141

Domain
10. Security ED 10.2 Audit and Logging Gap. No relevant Cybersecurity

Continuous Procedures (including regular Documentation and Controls present.
Monitoring review)
ED 10.3 Event and Incident Gap. No relevant Cybersecurity

Monitoring Procedures Documentation and Controls present.
ED 10.4 Security Zoning Gap. An ANZ-developed document titled

Procedures (e.g. controls for ‘Information Security Standard’ which is
restricted IT areas) relevant to this control is present
ED 10.5 Endpoint and Gap. No relevant Cybersecurity

Infrastructure Security Detection Documentation and Controls present.
Controls
ED 10.6 Evidence of security Gap. No relevant Cybersecurity

audit and logging reviews Documentation and Controls present.
(including for internal and external
systems)
11. Vulnerability _ _
Management
ED 11.1 Vulnerability Gap. No relevant Cybersecurity
Management Plan and Documentation and Controls present.
Procedures
ED 11.2 Patch Management Gap.

Procedures (including Operating An ANZ-developed document titled
System and Application patching) ‘Information Security Standard’ which is
ED 11.3 Technical security Gap.

testing (e.g. penetration testing, An ANZ-developed document titled
vulnerability scanning, security ‘Information Security Standard’ which is
audits) relevant to this control is present
ED 11.4 Patch Management Gap. No relevant Cybersecurity

Deployment Tools Documentation and Controls present.
12. Incident ED 12.1 Incident Response Gap. No relevant Cybersecurity

Response and Policy Documentation and Controls present.
Communications
ED 12.2 Data Breach Response Gap. No relevant Cybersecurity
142

Domain
ED 12.3 Incident and Data Gap. The 'Electronic Storage Guide'

Breach Response Plan and (FFG.1022.0001.0726) contains a brief
Playbooks checklist with respect to incident
management for cloud solutions. Evidence of
a standalone incident response plan which
has been formalised and implemented
across RI Advice and its ARs is not present.
ED 12.4 Public Relations and Gap. No relevant Cybersecurity

External Communications Plan Documentation and Controls present.
ED 12.5 Incident Response Gap. Evidence of an ad-hoc incident

Testing and Post Incident Reports response process being enacted by RI
Advice and ANZ during the FFG Data
Breach is present (FFG.0014.0001.0474,
FFG.0014.0001.0857, and
FFG.0010.0001.5155). However, evidence
to support the incident response following a
strategy and plan pre-defined prior to a
breach is not present.
13. Continuity ED 13.1 Business Continuity, Gap. The Business Continuity and Crisis
and Recovery Backup and Disaster Recovery Management Policy applies to ANZ and its
Planning Policy controlled entities (FFG.1022.0001.0559).
Additionally, an annual attestation to the
business continuity policy requirements is
present (FFG.1022.0001.1978). These
documents do not appear to extend to the
ARs of RI Advice.
ED 13.2 Business Continuity Gap. Majority of the disaster recovery

and Disaster Recovery Plan documentation present appears to be
specific to ANZ (FFG.1022.0001.0545,
FFG.1022.0001.0570, and
FFG.1022.0001.0598) and not applicable to
RI Advice and its ARs. While a Business
Continuity Manual and business continuity
rehearsal plan for ANZ Aligned Dealer
Groups is present (FFG.1022.0001.1941,
FFG.1022.0001.1916), a business continuity
and disaster recovery plan applicable to the
ARs of RI Advice is not present.
ED 13.3 Backup Procedures No Gap. Guidance and procedures around

Backups appear to be present
(FFG.1022.0001.0526,
FFG.1002.0001.0005).
143

Domain
ED 13.4 Business Continuity Gap. A business continuity scenario and

and Disaster Recovery Tests and Business Impact Analysis for ANZ Aligned
Post Reports Dealer Groups appears to have been
performed which included RI Advice
(FFG.1022.0001.1916,
FFG.1022.0001.1977). The test performed
did not extend to the ARs of RI Advice.
ED 13.5 Backup test results Gap. No relevant Cybersecurity

144
Schedule C
IOOF DEVELOPED DOCUMENTATION
IOOF Developed Documentation as at 12 and 13 March 2019
The IOOF Developed Documentation which RI Advice held or had access to as at 12

and 13 March 2019 was as follows:
1. IOOF Adelaide Network Diagram (Version 1.1) dated 31 January 2018

[FFG.1022.0001.1827]
2. IOOF Business Continuity Management Policy August 2018 (Version 6.0) dated
20 September 2018 [FFG.1022.0001.2145]
3. IOOF BYOD Policy June 2017 (Version 2.0) dated 11 June 2017
[FFG.1022.0001.3013]
4. IOOF Cloud Policy June 2017 (Version 2.0) dated 10 June 2017
[FFG.1022.0001.3135]
5. IOOF Group Privacy Policy (Version 5.0) dated 28 February 2019

[FFG.1022.0001.0373]
6. IOOF IT Backup and Restore Policy June 2017 (Version 2.0) dated 13 July 2017
[FFG.1022.0001.0336]
7. IOOF IT Disaster Recovery Policy June 2017 (Version 2.0) dated 10 June 2017
[FFG.1022.0001.3071]
8. IOOF IT External Party Access Policy June 2017 (Version 2.0) dated 13 July 2017
[FFG.1022.0001.0340]
9. IOOF Level 8, 200 Mary Street, Brisbane (Version 1.0) dated 24 January 2018
[FFG.1022.0001.1828]
10. IOOF Level 16, 55 Colins Street, Melbourne Vic 3000 (Version 1.0) dated 16
January 2018 [FFG.1022.0001.1829]
11. IOOF Major Incident Management Policy June 2 (Version 2.0) dated 13 June 2017
[FFG.1022.0001.1398]
12. IOOF Password Management Policy June 2017 (Version 2.0) dated 13 June 2017
[FFG.1022.0001.1845]
13. IOOF Remote Access Policy June 2017 (Version 2.0) dated 10 June 2017
[FFG.1022.0001.1851]
14. IOOF Security Incident and Response Policy June 2017 (Version 2.0) dated 13
June 2017 [FFG.1022.0001.0444]
145
15. IOOF Security Incident Response Procedure (Version 1.2) dated 11 October 2017
[FFG.1022.0001.0325]
16. IOOF Risk Management Policy December 2018 (Version 3.0) dated December
2018 [FFG.1022.0001.3140]
17. IOOF Ltd Risk Management Strategy August 2018 (Version 0.4) dated 15 August
2018 [FFG.1022.0001.3018]
18. IOOF Vendor Management and Outsourcing Policy (Version 11.2) dated 19
December 2018 [FFG.1022.0001.1617]
19. IOOF Vendor Management and Outsourcing Procedures dated 19 December

2018 [FFG.1022.0001.1633]
20. Incident Notification Standard (Version 7.0) dated September 2018

[FFG.1022.0001.3234]
21. Information Security Standard (Version 1.0) dated February 2016

[FFG.1022.0001.0315]
22. Electronic Storage Guide (Version 1.0) dated 26 March 2018

[FFG.1022.0001.2159]
23. Fraud Standard and Procedures (Version 3.0) dated December 2017
[FFG.1022.0001.1356]
24. Information Security Procedures (Version 2.0) dated July 2018

[FFG.1022.0001.0305]
25. Privacy Standard (Version 2.0) dated February 2018 [FFG.1022.0001.0380]
26. Privacy Guidelines 22 February 2018 (Version 3.0) dated 22 February 2018
[FFG.1022.0001.0353]
Each of the documents referred to above had the characteristics referred to in

paragraph 91(b)(i) above with the exception of Documents 5, 16, 18 and 19.

paragraphs 91(b)(ii) to (iv) above.
IOOF Developed Documentation as at 1 November 2019
The IOOF Developed Documentation which RI Advice held or had access to as at

1 November 2019 was as follows:
27. Documents 1 to 26 above
28. IOOF 20190826 Activities for RI [spreadsheet] dated 26 August 2019

[FFG.1022.0001.2158]
146
29. IOOF 20190826 Dependencies for RI [spreadsheet] dated 26 August 2019

[FFG.1022.0001.2144]
30. IOOF Acceptable Use Policy (Version 3.3) dated 13 September 2019
[FFG.1022.0001.1598]
31. BCM Impact Matrix dated 6 September 2019 [FFG.1022.0001.2156]
32. IOOF Cyber security posture at IOOF July 2019 update dated July 2019
[FFG.1022.0001.2845]
33. DocuSign Risk Assessment V5 [spreadsheet] (Version 5) dated 30 October

2019 [FFG.1022.0001.1355];
34. External Network Penetration Testing Report Prepared for: IOOF Services Co
Pty Ltd NTPT 2019 - updated 2019-03-22 dated 17 March 2019
[FFG.1022.0001.2860]
35. IOOF Financial Crime Working Group Terms of Reference (Version 1.3) dated
June 2019 [FFG.1022.0001.1412]
36. Information Security Standard (Version 1.0) dated February 2016

[FFG.1022.0001.0315]
37. IOOF Interactive Data Centre (PDC) 437 Williamstown Road, Port Melbourne
(Version 2.0) dated 30 April 2019 [FFG.1022.0001.1818]
38. IOOF Life Cycle Management Framework and Policy dated about 31 October
2019 [FFG.1022.0001.1156]
39. IOOF Ltd Friendly Society Risk Appetite Statement - September 2019 FINAL
dated September 2019 [FFG.1022.0001.1419]
40. IOOF Network Assets spreadsheet dated about 31 October 2019

[FFG.1022.0001.1155]
41. IOOF Reference Check Template dated 1 November 2019

[FFG.1022.0001.2371]
42. IOOF Risk Management Policy dated August 2019 [FFG.1022.0001.3097]
43. IOOF Security Policy (Version 2.3) dated 13 September 2019

[FFG.1022.0001.0345]
44. IOOF Security Testing Review Procedure (Draft) (Version 0.2 – described on its
face as “(Draft)”) dated 10 May 2019 [FFG.1022.0001.3169]
45. IOOF Sydney – Logical Diagram (Version 1) dated 27 September 2019

[FFG.1022.0001.1830]
46. KRI Metrics [spreadsheet] dated 30 October 2019 [FFG.1022.0001.1326]
47. PDC Arista EVPN Fabric dated 1 November 2019 [FFG.1022.0001.1820]

147
Each of the documents referred to in item 27 above had the characteristics referred to in

paragraphs 105(b)(ii) to (iv) above with the exception of Documents 28, 29 and 33.
IOOF Developed Documentation as at 1 May 2020
The IOOF Developed Documentation which RI Advice held or had access to as at

1 May 2020 was as follows:
48. Documents 1 to 47 above
49. Adviser Communication: Launching IOOFs New Cyber Resilience Initiative

dated 27 April 2020 [RIF.0006.0002.0183]
50. IOOF Cyber Resilience Initiative - Overview for licensee supervisors [Session 1]
dated 23 January 2020 [RIF.0006.0002.0186]
51. IOOF and Security and Depth Cyber Resilience Initiative presentation dated 26
April 2020 [RIF.0006.0004.0003]
52. Cyber Security Best Practice for IOOF dated 1 April 2020 [RIF.0006.0002.0079]
53. IOOF and Security and Depth Cyber Resilience Initiative presentation dated 26
April 2020 [RIF.0006.0004.0042]
54. IOOF Document password protection (Version 2) dated February 2020

[RIF.0006.0002.0096]
55. IOOF XPLAN Two factor authentication guide dated February 2020
[RIF.0006.0002.0170]
paragraphs 120(b)(ii) to (iv) above with the exception of Documents 28, 29 and 33.
148
Document 54 also had the characteristics referred to in paragraphs 120(b)(ii) to (iv)

above.
149
Schedule D
GAPS IN MARCH 2019 CYBERSECURITY DOCUMENTATION AND CONTROLS

Cybersecurity Expected Documents Status (as at 12 and 13 March 2019)
Domain
1. Governance & ED 1.1 Cybersecurity Strategy, Gap. An IOOF risk strategy is present
Business Framework, or Program (FFG.1022.0001.3018) which contains
Environment references to cybersecurity requirements
including establishing an IT security control
program. This strategy appears specific to
IOOF.
Evidence of an established and formalised

strategy, framework, and cybersecurity
program of work is not present.
ED 1.2 Cybersecurity Policy Gap. No relevant Cybersecurity

ED 1.3 IT Acceptable Use Policy Gap. A document titled ‘Information Security

Standard’ which is relevant to this control is
present (FFG.1022.0001.0315). However,
there is a lack of evidence to support this
document being implemented and
operationalised across RI Advice and its
ARs.
ED 1.4 Evaluation and Gap. A document titled ‘Information Security

Prioritisation Process (e.g. Standard’ which is relevant to this control is
Business Impact Analysis, Cyber present (FFG.1022.0001.0315). However,
Risk Assessment, Asset there is a lack of evidence to support this
Identification and Classification) document being implemented and
ARs.
ED 1.5 Cybersecurity Security Gap. No relevant Cybersecurity

Roles and Responsibilities (across Documentation and Controls present.
all levels)
2. Risk ED 2.1 Risk Management Policy Gap. No relevant Cybersecurity

Assessments Documentation and Controls present.
and Risk
Management ED 2.2 Risk Appetite Gap. No relevant Cybersecurity
Statement (which considers Documentation and Controls present.
cyber risk)
ED 2.3 Risk Assessment Gap. The IOOF Risk Management Strategy

Procedures (FFG.1022.0001.3018) outlines the
overarching risk assessment process.
However, evidence to support these risk
identification and management practices
permeating across the ARs of RI Advice is
not present. An example of such evidence is
a documented RI Advice risk assessment
procedure. A document titled ‘Information
Security Standard’ which is relevant to this
150

Domain
control is present (FFG.1022.0001.0315).

However, there is a lack of evidence to
support this document being implemented
and operationalised across RI Advice and its
ARs.
ED 2.4 Risk Registers Gap. No relevant Cybersecurity

ED 2.5 Risk Management Plans Gap. The IOOF Risk Management Strategy
(FFG.1022.0001.3018) outlines the
overarching risk management process.
However, evidence to support risk
management practices permeating across
the ARs of RI Advice is not present. An
example of such evidence is a documented
RI Advice risk management plan or
procedures which detail formal steps to be
taken when risks are identified (e.g. risks
identified through the Security in Depth
reports).
ED 2.6 Risk Management No Gap. No risk management policy or

function (discussing enterprise security policy is present. Evidence of a
and cyber risk including third working group between RI Advice and IOOF
parties) demonstrating risk management is present
(FFG.1016.0001.0699). A Proprietors
Advisory Council (PAC) exists which
represents the ARs of RI Advice. Evidence of
the PAC council discussing topics including
cybersecurity is present
(FFG.1026.0001.0166).
ED 2.7 Risk Assessments Gap. A number of cyber-related

(performed by internal or external assessments have been performed over
stakeholders) FFG and RI Advice by several independent
third parties including KPMG, Vixtro, Security
in Depth, and Cyber Indemnity Solutions.
While findings had been identified,
management action responses or
remediation action plans are not present.
There is a lack of visibility into how these
assessments have translated into roadmap
of cyber initiatives for RI Advice to follow.
Additionally, evidence of risk assessments
performed across the entire population of
ARs is not present. A document titled
151

Domain
3. Asset ED 3.1 IT Asset Management Gap. No relevant Cybersecurity


ED 3.3 IT Asset Registers Gap. No relevant Cybersecurity

(including external IT assets) Documentation and Controls present.
ED 3.4 Asset Security Gap. No relevant Cybersecurity

Classification Procedures Documentation and Controls present.
(including labelling and handling
of assets)
ED 3.5 Automated or manual Gap. No relevant Cybersecurity

mechanisms to maintain an up-to- Documentation and Controls present.
date, complete, accurate, and
readily available inventory of IT
Assets information system
infrastructure monitoring
solutions)
4. Supply Chain ED 4.1 Third Party Management Gap. The Vendor Management and
Risk Policy Outsourcing Policy (FFG.1022.0001.1617)
Management considers third party risk and third party
cyber risk across IOOF. The policy does not
appear to consider third party risk at the AR
level
ED 4.2 Third Party Risk Gap. The Vendor Management and

Assessments and Management Outsourcing Procedures
Processes (FFG.1022.0001.1633) considers third party
risk and third party cyber risk across IOOF.
The policy does not appear to consider third
party risk at the AR level.
ED 4.3 Third Party Risk Gap. A Practice Servicing Assessment

Questionnaires and Assessment (PSA) template which holds two questions in
Templates relation to information security is present
(FFG.1007.0001.0103). Additionally,
evidence of FFG's review against this PSA
template is present (FFG.1007.0001.0081).
Evidence of a third-party assessment
template for material service providers (e.g.
IT service providers) is not present.
5. Access ED 5.1 Access Control Policy Gap. No relevant Cybersecurity

Management Documentation and Controls present.

152

Domain
ED 5.3 Access Control Gap. Details with respect to access

Procedures (including onboarding, procedures including onboarding, routine
ongoing access review, reviews, least privileged access and
offboarding, least privileges, documented IT asset removal checklist are
remote access) not present. A document titled ‘Information
Security Standard’ which is relevant to this
control is present (FFG.1022.0001.0315).
However, there is a lack of evidence to
support this document being implemented
and operationalised across RI Advice and its
ARs.
ED 5.4 Mobile Device Gap. A Bring Your Own Device Management

Management Procedures Policy appears to be specific to IOOF
(FFG.1022.0001.3013) and does not
acknowledge the Aligned Dealer Groups.
ED 5.5 IT Access Review and Gap. A document titled ‘Information Security

Results (including segregation of Standard’ which is relevant to this control is
duties and least privilege) present (FFG.1022.0001.0315). However,
ARs.
ED 5.6 Usage of Multi-Factor Gap. MFA within O365 does not appear to
Authentication Tools (e.g. Soft have been implemented across RI Advice
tokens, hard tokens) and its ARs as evidenced by the Second RI
Shepparton Cybersecurity Incident. The
exception to this is FFG which appeared to
have implemented MFA within its O365
environment (FFG.1000.0001.0181). No
evidence of MFA attestations from ARs is
present. No evidence of MFA being audited
is present.
6. Personnel ED 6.1 Security Training & Gap. No relevant Cybersecurity

Security, Awareness Policy Documentation and Controls present.
Training and
Awareness
Screen Policy Documentation and Controls present.
ED 6.3 Security Training and Gap. Security Awareness appears to be

Awareness Plan for all users performed through avenues such as
(including Contractors, Third newsletters and external awareness
Parties, Privileged users) presentations (FFG.1022.0001.2643,
FFG.1020.0001.0425). No evidence of
security awareness by way of mandatory
cybersecurity induction and ongoing training
is present.
A document titled ‘Information Security

153

Domain

ARs.

Screen Guidelines Documentation and Controls present.

Advisers (FFG.1022.0002.0010).
(FFG.1022.0001.1650,
FFG.1022.0001.1654, FFG.1022.0001.1656,
FFG.1022.0001.1679, FFG.1022.0001.1702,
FFG.1022.0001.1643, FFG.1022.0001.1644,
FFG.1022.0001.2374, FFG.1022.0001.2377,
FFG.1022.0001.1760, FFG.1022.0001.1767,
FFG.1022.0001.1771,
FFG.1022.0001.1773).
ED 6.6 Onboarding and Gap. No relevant Cybersecurity

Offboarding IT Checklists Documentation and Controls present.
ED 6.7 Measurement of Security Gap. Security awareness material in relation

Training & Awareness completion to RI Advice providing continuous awareness
and effectiveness and training to its ARs is present:
• Quarterly Video links
(FFG.1022.0001.2822)
• Webinar links v2 (FFG.1020.0001.0425)
• RI Advice Presentation
(FFG.1022.0001.2825)
• 20190220 1709 APRA Webinar
Presentation Draft (FFG.1022.0001.3462)
Evidence of mandatory cybersecurity training

and assessment questions is not present.
7. Data Security _
154

Domain

(FFG.1002.0001.0005).
standard.
ARs.
information must be protected” have been
captured in the RI Advice Procedures and
Policies (FFG.1022.0001.0448). This
document constitutes a policy as the level of
detail contained within the cybersecurity-
related sections is not sufficient for it to
constitute a procedure.
how RI Advice and ARs should be storing
and protecting its data at rest are not
present.
ED 7.2 Information Transfer Gap. A document titled ‘Information Security

Procedures Standard’ which is relevant to this control is
ARs.

ED 7.4 Information flow Gap. No relevant Cybersecurity

diagrams, data flow diagrams, and Documentation and Controls present.
logical network diagrams
8. Secure ED 8.1 SDLC and Change Gap. No relevant Cybersecurity

System Management Policy Documentation and Controls present.
Development
Life Cycle ED 8.2 SDLC Security N/A – May not be applicable to RI Advice
(SDLC) and Procedures and its ARs as they do not internally develop
applications.
155

Domain
Change ED 8.3 Change Control Gap. No relevant Cybersecurity

Management Procedures (including security) Documentation and Controls present.
_ _
9. Baseline _ _
Operational
Security
ED 9.1 IT Baselines and Gap. A document titled ‘Information Security
Configuration Standards Standard’ which is relevant to this control is
ARs.


ED 9.4 Endpoint and Network Gap. A document titled ‘Information Security

Protection Procedures Standard’ which is relevant to this control is
ARs.

ED 9.6 Office Macro Settings Gap. While this control is in place within FFG
(e.g. Group Policy, trusted as part of its implementation of the Essential
locations, digitally signatures) 8 (FFG.1020.0001.0193), evidence to
support Office macros controls being
implemented across the rest of the RI Advice
AR population is not present.
ED 9.7 Hardened usage of Gap. While this control is in place within FFG
Flash, ads, and java across the as part of its implementation of the Essential
internet 8 (FFG.0010.0001.6600), evidence to
support the hardening of Flash, and java
being implemented across the rest of the RI
Advice AR population is not present.

10. Security ED 10.1 Audit and Logging Gap. No relevant Cybersecurity

Continuous Policy Documentation and Controls present.
Monitoring
ED 10.2 Audit and Logging Gap. No relevant Cybersecurity
Procedures (including regular Documentation and Controls present.
review)
156

Domain
ED 10.3 Event and Incident Gap. No relevant Cybersecurity

Monitoring Procedures Documentation and Controls present.
ED 10.4 Security Zoning Gap. A document titled ‘Information Security

Procedures (e.g. controls for Standard’ which is relevant to this control is
restricted IT areas) present (FFG.1022.0001.0315). However,
ARs.
ED 10.5 Endpoint and Gap. No relevant Cybersecurity

Infrastructure Security Detection Documentation and Controls present.
Controls

systems)
11. Vulnerability _ _
Management
ED 11.1 Vulnerability Gap. No relevant Cybersecurity
Management Plan and Documentation and Controls present.
Procedures
ED 11.2 Patch Management Gap. A document titled ‘Information Security

Procedures (including Operating Standard’ which is relevant to this control is
System and Application patching) present (FFG.1022.0001.0315). However,
ARs.
ED 11.3 Technical security Gap. A document titled ‘Information Security

testing (e.g. penetration testing, Standard’ which is relevant to this control is
vulnerability scanning, security present (FFG.1022.0001.0315). However,
audits) there is a lack of evidence to support this
ARs.

12. Incident ED 12.1 Incident Response Gap. There is a Security Incident and
Response and Policy Response Policy dated July 2017 which
Communications applies to IOOF Holdings
(FFG.1022.0001.3230). There is no evidence
to support this policy being adopted by RI
Advice and its ARs.

157

Domain
ED 12.3 Incident and Data Gap. The 'Electronic Storage Guide'

Breach Response Plan and (FFG.1022.0001.0726) contains a brief
Playbooks checklist with respect to incident
management for cloud solutions. Evidence of
a standalone incident response plan which
has been formalised and implemented

ED 12.5 Incident Response Gap. While incident summaries are present

Testing and Post Incident Reports for Cybersecurity Incidents which had
occurred after the FFG Data Breach
(FFG.1013.0001.0003), limited details are
present with respect to how the incidents
were contained, what incident handling
documents and methodology was followed,
what IT assets were examined and details
surrounding the root cause. Evidence of the
incident summaries translating into post
incident lessons learnt and remediation plans
is not present. Additionally, evidence of
proactive incident response testing is not
present.
13. Continuity ED 13.1 Business Continuity, Gap. The disaster recovery policy dated
and Recovery Backup and Disaster Recovery June 2017 applies to IOOF Holdings. There
Planning Policy is no reference to Aligned Dealer Groups.
(FFG.1022.0001.3071).
ED 13.2 Business Continuity Gap. No relevant Cybersecurity

and Disaster Recovery Plan Documentation and Controls present.

Backups appear to be adequately captured
(FFG.1022.0001.0526,
FFG.1002.0001.0005). A document titled

and Disaster Recovery Tests and Documentation and Controls present.
Post Reports

158
Schedule E
GAPS IN NOVEMBER 2019 CYBERSECURITY DOCUMENTATION AND

CONTROLS AGAINST MINIMUM CYBERSECURITY REQUIREMENTS
Cybersecurity Expected Documents Status (1 November 2019)

Domain
1. Governance & ED 1.1 Cybersecurity Strategy, Gap. An IOOF risk strategy is present
Business Framework, or Program (FFG.1022.0001.3018) which contains
Environment references to cybersecurity requirements
including establishing an IT security control
program. This strategy appears specific to
IOOF.
A RI Advice Information Security Policy

(FFG.1026.0001.0101) is present which
contains high level requirements aligned to
the ISO27001 security framework. This
policy was not effective at 1 November 2019.
In its letter of response to ASIC dated 1

November 2019, RI Advice referenced its
developed Cybersecurity Standard
(FFG.1022.0001.0246) and Cyber Security
Support Guide (FFG.1022.0001.0258) in
relation to an overarching cybersecurity
framework/strategy. A cybersecurity
framework is a defined structure specific to
cybersecurity which will generally comprise
the mandated rules and processes to help an
organisation reduce its cyber risk to an
acceptable level (Cybersecurity
Framework). While the Standard and Guide
contain various cybersecurity guidance and
requirements, these two documents do not
provide insights into RI Advice's strategic
approach to managing cybersecurity or its
formalised, developed or adopted
Cybersecurity Framework.
ED 1.2 Cybersecurity Policy Gap. A RI Advice Information Security Policy

(FFG.1026.0001.0101) is present. This policy
was not effective at 1 November 2019.
ED 1.3 IT Acceptable Use Policy Gap. The policy is an IOOF document and
does not specifically reference the Aligned
Dealer Groups (FFG.1022.0001.0345).
Evidence to support this policy being
adopted, tailored and implemented across RI
Additionally, a RI Advice Information Security

Policy (FFG.1026.0001.0101) is present
which contains references to acceptable
usage of IT devices. This policy was not
effective at 1 November 2019.
159

Domain

ARs.
ED 1.4 Evaluation and Gap. MAOs and RTOs from the IOOF
Prioritisation Process (e.g. business continuity planning appear to all be
Business Impact Analysis, Cyber the same value (FFG.1022.0001.2144). By
Risk Assessment, Asset having the same value, RI Advice has not
Identification and Classification) determined the priority order in which the key
dependencies should be restored and
recovered. Evidence of an evaluation
process which identifies and prioritises
assets or business processes based on risk
The RI Advice Information Security Policy

(FFG.1026.0001.0101) references a
requirement for an annual Business Impact
Analysis. This policy was not effective at 1
November 2019.

ARs.
ED 1.5 Cybersecurity Security Gap. While cybersecurity roles and

Roles and Responsibilities (across responsibilities are present in the IOOF
all levels) Security Policy document
(FFG.1022.0001.0345), it is unclear how
these apply to the IOOF Aligned Dealer
Groups, including RI Advice. General
governance and risk management
obligations are referred to in the role
description of the RI Advice CEO
(FFG.1022.0001.0901). However, there are
no explicit details surrounding the
management of cyber risk within these
obligations.
RI Advice has also planned the development

of specific roles and teams to manage cyber
events and cybersecurity initiatives
(FFG.1021.0001.0003). However, evidence
to support the implementation of this is not
present. An example of such evidence is
documented role descriptions which explicitly
include responsibilities for managing
cybersecurity risk.
160

Domain
Additionally, evidence of formalised roles and

responsibilities at the AR level is not present.
A formalised agreement between RI Advice
and IOOF which outlines the overall
responsibility and accountability for
cybersecurity is not present.

(FFG.1026.0001.0101) briefly discusses the
roles and responsibilities for employees and
practice management with respect to
information security. This policy was not
2. Risk ED 2.1 Risk Management Policy Gap. An IOOF risk management policy is
Assessments present (FFG.1022.0001.3097). No evidence
and Risk which supports these risk protocols being
Management adopted by RI Advice and the ARs is
present. An example of such evidence would
include RI Advice-developed and
documented risk management procedures
which align to the requirements of the risk
management policy.

(FFG.1026.0001.0101) contains a section
relating to information risk management
policy. This policy was not effective at 1
November 2019.
ED 2.2 Risk Appetite Gap. The risk appetite statement is specific

Statement (which considers to IOOF (FFG.1022.0001.1419). There is no
cyber risk) evidence of a documented risk appetite
statement which considers cyber risk at the
RI Advice level.

overarching risk assessment process. An
IOOF Penetration Testing Procedure is
evidence to support these risk identification
and management practices permeating
An example of such evidence is a
documented RI Advice risk assessment
procedure.
At a policy level, the RI Advice Information

Security Policy (FFG.1026.0001.0101) briefly
references an internal information security
risk assessment methodology. This policy

161

Domain

ARs.

procedure which details formal steps to be
reports).
ED 2.6 Risk Management No Gap. The IOOF Risk Management Policy

function (discussing enterprise (FFG.1022.0001.3097) and Security Policy
and cyber risk including third (FFG.1022.0001.0345) outline roles and
parties) responsibilities but do not specifically
address RI Advice. Evidence of a working
group between RI Advice and IOOF
demonstrating risk management is present
(FFG.1016.0001.0699). Additionally, a
Proprietors Advisory Council (PAC) exists
which represents the ARs of RI Advice.
Evidence of the PAC council discussing
topics including cybersecurity is present
(FFG.1026.0001.0166).
ED 2.7 Risk Assessments Gap. A number of cyber-related

(performed by internal or external assessments have been performed over
stakeholders) FFG and RI Advice by several independent
third parties including KPMG, Vixtro, Security
in Depth, and Cyber Indemnity Solutions.
While findings had been identified,
management action responses or
remediation action plans are not present.
There is a lack of visibility into how these
assessments have translated into a roadmap
of cyber initiatives for RI Advice to follow.
Additionally, evidence of risk assessments
performed across the entire population of
ARs is not present.
Additionally, a DocuSign sign assessment is

present (FFG.1022.0001.1355). While the
authoring organisation of the risk
assessment appears to be IOOF, it is
appropriate for RI Advice to leverage the risk
assessment performed for the usage of the
DocuSign application.
162

Domain


ARs.
3. Asset ED 3.1 IT Asset Management Gap. A Life Cycle Management Framework

Management Policy and Policy is specific to IOOF owned assets.
It does not reference the Aligned Dealer
Groups or ARs. (FFG.1022.0001.1156).
Within the RI Advice Information Security

Policy (FFG.1026.0001.0101) a section titled
'Asset Management Policy' and a high level
statement relating to how organisational
assets are to be managed exists. This policy

ED 3.3 IT Asset Registers Gap. An RI Advice software asset register

(including external IT assets) appears to have been developed
network device asset register has been
developed (FFG.1022.0001.1155). However,
the network device asset register appears to
capture IOOF network assets specifically.
Evidence of ARs developing and maintaining

IT asset registers including Endpoints and
server asset registers is not present. In its
letter to ASIC dated 1 November 2019, RI
Advice has stated that it does not maintain
an asset register for the ARs and that ARs
are responsible for their own Endpoint
management (FFG.1021.0001.0003).
References to hardware and software assets

inventory requirements exist within the RI
Advice Information Security Policy
(FFG.1026.0001.0101). This policy was not
ED 3.4 Asset Security Gap. Security classification is briefly outlined

Classification Procedures in the Cyber Security Standard applicable to
(including labelling and handling advisers (FFG.1022.0001.0246), but further
of assets) documentation providing guidance and steps
163

Domain
on classifying security labels on IT assets is

not present. Additionally, the Cyber Security
Standard appears to be in draft based on the
absence of approval and date within the
document.
Security classifications and protective
markings have been referenced within the RI
ED 3.5 Automated or manual Gap. Inventorying requirements for IT assets

mechanisms to maintain an up-to- have been outlined within the RI Advice
date, complete, accurate, and Information Security Policy
readily available inventory of IT (FFG.1026.0001.0101). This policy was not
Assets information system effective at 1 November 2019.
solutions)
level.
At a policy level, requirements surrounding

the security of third party suppliers have
been documented within the RI Advice
Information Security Policy
ED 4.2 Third Party Risk Gap. The Vendor Management and

Assessments and Management Outsourcing Procedures
Processes (FFG.1022.0001.1633) consider third party
risk and third party cyber risk across IOOF.
The policy does not appear to consider third
party risk at the AR level.
Requirements surrounding third party risk

assessments are present in the Information
Security Policy (FFG.1026.0001.0101). This
ED 4.3 Third Party Risk Gap. A Practice Servicing Assessment

Questionnaires and Assessment (PSA) template which holds two questions in
Templates relation to information security is present.
(FFG.1007.0001.0103) Additionally,
evidence of a review against this PSA
template is present (FFG.1022.0001.3522).
Evidence of a third party assessment
template for material service providers (e.g.
IT service providers) is not present.
164

Domain
5. Access ED 5.1 Access Control Policy Gap. At a policy level, requirements

Management surrounding IT system and physical access
provisioning are present in the Information
ED 5.2 Mobile Device Gap. Mobile device usage policy

Management Policy requirements are present in the Information
ED 5.3 Access Control Gap. Awareness and Implementation

Procedures (including onboarding, documentation surrounding multi-factor
ongoing access review, authentication and password managers for
offboarding, least privileges, RI Advice and its ARs is present
remote access) (FFG.1022.0001.3480,
FFG.1022.0001.2732).
An 'AR & CAR Cancellation Checklist' which

references a requirement to remove system
access is present (FFG.1022.0001.1843). A
brief reference to user account reviews is
present in the Cyber Security Support Guide
(FFG.1022.0001.0258)
Evidence of MFA guidance being provided is

present:
• 2FA & Firewall Router
(FFG.1022.0001.3483)
• 2FA Guide – Adobe (FFG.1022.0001.3476)
• 2FA Guide – Google
(FFG.1022.0001.1561)
• 2FA Guide – Microsoft
(FFG.1022.0001.3509)
• 2FA Guide - Xplan (FFG.1022.0001.3480)
Further details with respect to other access

procedures including onboarding, routine
reviews, least privileged access and
documented IT asset removal checklist are
not present.
Requirements surrounding access controls

including role-based access controls,
managing privileges, and segregation of
duties are not present in the Information

ARs.
165

Domain
ED 5.4 Mobile Device Gap. A Bring Your Own Device Management

Management Procedures Policy appears to be specific to IOOF
(FFG.1022.0001.3013) and does not
acknowledge the Aligned Dealer Groups.
ED 5.5 IT Access Review and Gap. While evidence of password managers

Results (including segregation of being audited and tested across RI Advice
duties and least privilege) and its ARs is present
(FFG.1022.0001.3514,
FFG.1022.0001.3521,
FFG.1022.0001.3518), evidence of IT access
reviews being performed to identify privileged
account activity, least privilege provisioning,
and onboarded and offboarded users across
RI Advice and its ARs is not present.
Mobile device usage policy requirements are

present in the Information Security Policy
Access review requirements, including a

requirement to review user accounts and
permissions every 90 days, have been
documented within the Information Security
Policy (FFG.1026.0001.0101). This policy

ARs.
ED 5.6 Usage of Multi-Factor Gap. Xplan and ‘Local Area Network’ MFA
Authentication Tools (e.g. Soft attestations from ARs are present
tokens, hard tokens) (FFG.1022.0001.3521). Evidence of MFA
being audited across Xplan is present
(FFG.1022.0001.3475).
However, MFA within O365 does not appear
to have been implemented across RI Advice
and its ARs as evidenced by the Second RI
environment (FFG.1000.0001.0181).
A requirement surrounding mandatory two-

factor authentication for all system
administrator accounts has been
166

Domain
6. Personnel ED 6.1 Security Training & Gap. Policy requirements surrounding

Security, Awareness Policy security awareness training have been
Training and documented within the Information Security
Awareness Policy (FFG.1026.0001.0101). This policy
ED 6.2 Clear Desk and Clear Gap. Policy requirements surrounding clean
Screen Policy desk and clean screen has been
ED 6.3 Security Training and No Gap. Security Awareness appears to be

Awareness Plan for all users performed regularly through multiple
(including Contractors, Third avenues such as newsletters, external
Parties, Privileged users) awareness presentations and mandatory
cybersecurity induction questions
(FFG.1022.0001.2643,
FFG.1020.0001.0425, and
FFG.1022.0001.2561). Cybersecurity Kaplan
questions also appear to be developed
(FFG.1020.0001.0209,
FFG.1022.0001.2561).
References to an information security

awareness program have been documented
within the Information Security Policy

ARs.
ED 6.4 Clear Desk and Clear Gap. Requirements surrounding clean desk
Screen Guidelines and clean screen have been documented
within the Information Security Policy
effective at 1 November 2019..

Advisers (FFG.1022.0002.0010).
(FFG.1022.0001.1760,
FFG.1022.0001.1843, FFG.1022.0001.1767,
FFG.1022.0001.1771, FFG.1022.0001.1773,
FFG.1022.0001.1775, FFG.1022.0001.1731,
FFG.1022.0001.2374,
FFG.1022.0001.2377).
167

Domain
Requirements surrounding employee

criminal and employment background checks
are present in the Information Security Policy

ED 6.7 Measurement of Security No Gap. Security awareness material is

Training & Awareness completion present in relation to RI Advice providing
and effectiveness continuous awareness and training to its
ARs:
• RI Report (Various) (e.g. 1 July 2019
FFG.1022.0001.2724, 11 February 2019
FFG.1022.0001.2643, 29 July 2019
(FFG.1022.0001.2695)
(FFG.1022.0001.2822)
•20190220 1709 APRA Webinar
•RI Advice Presentation
(FFG.1022.0001.2825)
Cybersecurity Kaplan questions also appear

to be developed (FFG.1020.0001.0209,
FFG.1022.0001.2561). Evidence of
completion of cybersecurity training is
present (FFG.1022.0001.3474)
7. Data Security _
168

Domain

(FFG.1002.0001.0005).
standard.
information must be protected”) are present
in the RI Advice Procedures and Policies
(FFG.1022.0001.0448). The document
constitutes a policy as the level of detail
contained within the cybersecurity-related
sections is not sufficient to constitute a
procedure.
how RI Advice and ARs should be storing
and protecting their data at rest are not
present.
Encryption and password management
requirements are present in the Information
ARs.
ED 7.2 Information Transfer Gap. References to document encryption,

Procedures VPN, and risks of USBs are present in the
Cybersecurity Support Guide
(FFG.1022.0001.0258). However, the
Cybersecurity Support Guide does not
provide detailed procedural steps to assist RI
Advice and its ARs in implementing
document encryption, VPN, and security
controls for USBs.
Encryption requirements surrounding

information in transit for personally
identifiable information and company
confidential information are present in the
169

Domain

ARs.

ED 7.4 Information flow Gap. Network diagrams appear to be specific

diagrams, data flow diagrams, and to IOOF only and therefore are not applicable
logical network diagrams to RI Advice and its ARs
(FFG.1022.0001.1818).
8. Secure ED 8.1 SDLC and Change Gap. Brief references to change control and
System Management Policy change management processes are present
Development in the Information Security Policy
Life Cycle (FFG.1026.0001.0101). This policy was not
(SDLC) and effective at 1 November 2019.
Change
Management ED 8.2 SDLC Security N/A – May not be applicable to RI Advice
Procedures and its ARs as they do not internally develop
applications.
ED 8.3 Change Control Gap. Brief references to change control and

Procedures (including security) change management processes are present
in the Information Security Policy
9. Baseline _
Operational
Security
ED 9.1 IT Baselines and Gap. While a Cybersecurity Standard has
Configuration Standards been developed (FFG.1022.0001.0246),
evidence of attestations and audits to verify
all ARs have fully implemented the standard
is not present. Additionally, the Cybersecurity
Standard does not appear to have been
finalised based on the absence of approval
and date within the document.
Configurations and standards to harden

against Flash, java, and ads on the internet
are not present.
Brief references to configuration standards

for workstations, servers, and corporate
networks are present in the Information
170

Domain

ARs.


ED 9.4 Endpoint and Network Gap. High level requirements surrounding

Protection Procedures anti-malware controls for Endpoints are

ARs.


10. Security ED 10.1 Audit and Logging Gap. Policy requirements surrounding
Continuous Policy logging are present in the Information
Monitoring Security Policy (FFG.1026.0001.0101). This
ED 10.2 Audit and Logging Gap. Logging requirements are briefly

Procedures (including regular mentioned in the context of network security
review) events (FFG.1022.0001.0258).
Organisational requirements and detailed
guidance on mandatory logs and log details
are not present.
171

Domain
ED 10.3 Event and Incident Gap. References to incident response

Monitoring Procedures procedures are present in the Information
Additionally, the referenced incident
response procedures are not present.
ED 10.4 Security Zoning Gap. Requirements surrounding physical

Procedures (e.g. controls for controls required to protect locations
restricted IT areas) containing corporate information systems are

ARs.
ED 10.5 Endpoint and Gap. References to Endpoint and

Infrastructure Security Detection infrastructure-related monitoring including
Controls wireless access monitoring and systems
monitoring are present in the Information

systems)
11. Vulnerability _
Management
ED 11.1 Vulnerability Gap. A draft IOOF Penetration Test
Management Plan and Remediation Procedures is present
Procedures (FFG.1022.0001.3169). However, evidence
to support these procedures being formalised
and implemented at the AR level is not
present. Additionally, a Vulnerability
Management Plan is not present.
A vulnerability management plan has been

referenced within the Information Security
Additionally, the referenced vulnerability
management plan is not present.
ED 11.2 Patch Management Gap. A requirement for patches to be

Procedures (including Operating deployed to RI Advice corporate and
System and Application patching) production systems within 30 days of release
by the vendor is present in the Information
172

Domain

ARs.
ED 11.3 Technical security Gap. A document titled ‘Information Security

testing (e.g. penetration testing, Standard’ which is relevant to this control is
vulnerability scanning, security present (FFG.1022.0001.0315). However,
audits) there is a lack of evidence to support this
ARs.

Communications applies to IOOF Holdings.
Advice.
Brief reference to security incident response

plans and how security incidents are
managed within the organisation has been

ED 12.3 Incident and Data Gap. An incident response plan is present

Breach Response Plan and (RIF.0006.0011.0001). However, this
Playbooks document appears to still be in draft as at 1
November 2019 and has not been formalised
The 'Electronic Storage Guide'

(FFG.1022.0001.2213) contains a brief
checklist with respect to incident
management for cloud solutions.
It is not clear whether the draft data breach

response plan or the electronic storage guide
would cover cybersecurity incidents that do
not involve sensitive data exposure (e.g.
denial of service attacks). Additionally, an
approach to regular review and testing of the
response plan as well as a formalised call
tree which captures the core team
stakeholders and its associated contact
details (e.g. phone numbers and emails) is
not present in the data breach response plan
173

Domain
or any other breach response-related

documents.


Testing and Post Incident Reports for Cybersecurity Incidents which had
occurred post the FFG Data Breach
(FFG.1013.0001.0003,
FFG.1029.0001.0035), limited details are
present.
(FFG.1022.0001.3071).
ED 13.2 Business Continuity Gap. MAOs and RTOs are present in

and Disaster Recovery Plan documentation (FFG.1022.0001.2144).
However, they appear to have been
assigned the same value, which does not
properly indicate the business priority. A
'BCM Activities for RI Advice' spreadsheet is
present. However, it appears to be limited to
Xplan, processing statements and making
payments to advisers
(FFG.1022.0001.2158).
Evidence supporting business continuity and

disaster recovery capabilities at the AR level
is not present.
Brief reference to business continuity and

disaster recovery plans is present within the
effective at 1 November 2019. Additionally,
the referenced business continuity and
disaster recovery plans are not present.

Backups appear to be adequately captured
(FFG.1022.0001.0526,
FFG.1002.0001.0005, and
FFG.1022.0001.0258).
174

Domain

ARs.

Post Reports

175
Schedule F
GAPS IN MAY 2020 CYBERSECURITY DOCUMENTATION AND CONTROLS

Cybersecurity Expected Documents Status (1 May 2020)

Domain
1. Governance & ED 1.1 Cybersecurity Strategy, Gap. Strategy: As part of its ongoing
Business Framework, or Program approach to cybersecurity, RI Advice has
Environment advised that its approach and strategy to
cyber resilience is a 4 step process: 1.
Diagnosis, 2. Awareness, 3. Training,
Policies and Procedures, and 4. Business
Controls and Governance
(FFG.1027.0001.0003). However, evidence
of a formalised document encapsulating RI
Advice's cyber security strategy with linkages
to a broader enterprise risk management
strategy is not present. Additionally, RI has
not currently developed a standalone
cybersecurity strategy document which
captures its strategic vision and approach to
cybersecurity.
Framework: RI Advice has referred to the

Cyber Security Guide (RIF.0006.0001.0001)
as its framework which it assesses its ARs
against (FFG.1027.0001.0003).
RI Advice has requested and received
attestations from its ARs to the adoption of
the Cyber Security Guide
(RIF.0006.0013.0001). Additionally, RI
Advice has contracted Security in Depth to
perform a number of Cyber Assurance Risk
Rating Reports which cover areas of the
Cyber Security Support Guide
(RIF.0006.0010.0014, RIF.0006.0010.0004,
RIF.0006.0010.0025). As the framework, the
Cyber Security Guide is limited to the '11
points' mandate and does not adequately
capture the full extent of the Minimum
Cybersecurity Requirements.
A Security in Depth document titled 'CARR

Framework Questions' (RIF.0006.0010.0003)
is present. It is unclear whether these
requirements and questions contained within
this document form part of the Cybersecurity
Framework for RI Advice and its ARs.

policy was not effective at 1 May 2020.
176

Domain
Program: An '11 points' mandate from the

Cyber Guide which RI Advice has instructed
its ARs to attest against is present
(RIF.0006.0001.0010)
(RIF.0006.0013.0001).
ED 1.2 Cybersecurity Policy Gap. The cybersecurity policy is an IOOF

document and does not specifically reference
the Aligned Dealer Groups
(FFG.1022.0001.0345).

ED 1.3 IT Acceptable Use Policy Gap. The policy is an IOOF document and
does not specifically reference the Aligned
Dealer Groups (FFG.1022.0001.0345).
Evidence to support this policy being
adopted, tailored and implemented across RI
Additionally, a RI Advice Information Security

Policy (FFG.1026.0001.0101) is present and
contains references to acceptable usage of
IT devices. This policy was not effective at 1
May 2020.
ED 1.4 Evaluation and Gap. MAOs and RTOs from the IOOF
Prioritisation Process (e.g. business continuity planning appear to all be
Business Impact Analysis, Cyber the same value (FFG.1022.0001.2144). By
Risk Assessment, Asset having the same value, RI Advice have not
Identification and Classification) determined the priority order in which the key
dependencies should be restored and
recovered. An evaluation process which
identifies and prioritises its assets or
business processes based on risk across the
ARs of RI Advice is not present.

(FFG.1026.0001.0101) references a
requirement for an annual Business Impact
Analysis. This policy was not effective at 1
May 2020.
ED 1.5 Cybersecurity Security Gap. In its 1 May 2020 letter of response, RI

Roles and Responsibilities (across Advice stated that the CEO holds
all levels) responsibility for implementing the
cybersecurity strategy
(FFG.1027.0001.0003). Outside this letter,
formalised documentation evidencing the
CEO's specific responsibilities for managing
cybersecurity is not present.
Roles and responsibilities specific to incident
response have been captured in RI Advice's
data breach process guide
177

Domain
(RIF.0006.0011.0001). Cybersecurity roles

and responsibilities outside of the IRT such
as ongoing security operational monitoring,
risk management and compliance are not
present.
Additionally, a formalised agreement
between RI Advice and IOOF which outlines
the overall responsibility and accountability
for cybersecurity is not present.

(FFG.1026.0001.0101) briefly discusses the
roles and responsibilities for employees and
practice management with respect to
information security. This policy was not
effective at 1 May 2020.
2. Risk ED 2.1 Risk Management Policy Gap. An IOOF risk management policy is
Assessments present (FFG.1022.0001.3097). No evidence
and Risk of these risk protocols being adopted by RI
Management Advice and the ARs is present. An example
of such evidence would include RI Advice-
developed and documented risk
management procedures which align to the
requirements of the risk management policy.

(FFG.1026.0001.0101) contains a section
relating to information risk management
policy. This policy was not effective at 1 May
2020.
ED 2.2 Risk Appetite Gap. The observed risk appetite statement is

Statement (which considers cyber specific to IOOF. (FFG.1022.0001.1419).
risk) There is no evidence of a documented risk
appetite statement which considers cyber
risk at the RI Advice level.

overarching risk assessment process. An
IOOF Penetration Testing Procedure is
evidence to support these risk identification
and management practices permeating
An example of such evidence is a
documented RI Advice risk assessment
procedure.

was not effective at 1 May 2020.
178

Domain

procedure which details formal steps to be
reports).
ED 2.6 Risk Management No Gap. The IOOF Risk Management Policy

function (discussing enterprise (FFG.1022.0001.3097) and Security Policy
and cyber risk including third (FFG.1022.0001.0345) outline roles and
parties) responsibilities but do not specifically
address RI Advice. Evidence of a working
group between RI Advice and IOOF
demonstrating risk management is present
Proprietors Advisory Council (PAC) exists
which represents the ARs of RI Advice.
Evidence of the PAC council discussing
topics including cybersecurity is present
(FFG.1026.0001.0166).
ED 2.7 Risk Assessments Gap. RI Advice has advised of its plan to

(performed by internal or external perform a cyber assessment across all its
stakeholders) ARs and their practices
(FFG.1027.0001.0003). At this stage, this
has not yet been completed.
A number of cyber-related assessments

have been performed over FFG and RI
Advice by several independent third parties
including KPMG, Vixtro, Security in Depth,
and Cyber Indemnity Solutions. While
findings had been identified, management
action responses or remediation action plans
are not present. There is a lack of visibility
into how these assessments have translated
into roadmap of cyber initiatives for RI Advice
to follow. Additionally, evidence of risk
assessments performed across the entire
population of ARs is not present.
Additionally, a DocuSign sign assessment is

present (FFG.1022.0001.1355). While the
authoring organisation of the risk
assessment appears to be IOOF, it is
appropriate for RI Advice to leverage the risk
assessment performed for the usage of the
DocuSign application.
179

Domain

3. Asset ED 3.1 IT Asset Management Gap. A Life Cycle Management Framework

Management Policy and Policy is specific to IOOF owned assets.
It does not reference the Aligned Dealer
Groups or ARs. (FFG.1022.0001.1156).
Within the RI Advice Information Security

Policy (FFG.1026.0001.0101) a section titled
'Asset Management Policy' and a high level
statement relating to how organisational
assets are to be managed exists. This policy
ED 3.2 Asset Management Gap. The Cyber Security Standard

Procedures (including lifecycle (RIF.0006.0002.0065) discusses the
management, ongoing inventory, requirement to use a security bin and
review, re-use and disposal) shredders to securely dispose of paper
documents. The Standard also discuss the
requirement for suppliers to wipe clean
computer hard drives before reuse.
Documented asset management procedures

which discuss RI Advice's approach to
routine management and inventory of assets
are not present.
ED 3.3 IT Asset Registers Gap. An RI Advice software asset register

(including external IT assets) appears to have been developed
network device asset register has been
developed (FFG.1022.0001.1155). However,
the network device asset register appears to
capture IOOF network assets specifically.
Evidence of ARs developing and maintaining

IT asset registers including Endpoints and
server asset registers is not present. In its
letter to ASIC dated 1 November 2019, RI
Advice stated that it does not maintain an
asset register for the ARs and that ARs are
responsible for their own Endpoint
management (FFG.1021.0001.0003).
References to hardware and software assets

inventory requirements exist within the RI
ED 3.4 Asset Security Gap. The Cyber Security Standard

Classification Procedures (RIF.0006.0002.0065) discusses the
categorisation of information and
180

Domain
(including labelling and handling management of sensitive documents and

of assets) emails. However, there is no further detail
surrounding how other IT assets such as
servers, Endpoints, applications and
databases should be classified.
Security classifications and protective

markings have been referenced within the RI
ED 3.5 Automated or manual Gap. Inventorying requirements for IT assets

mechanisms to maintain an up-to- have been outlined within the RI Advice
date, complete, accurate, and Information Security Policy
readily available inventory of IT (FFG.1026.0001.0101). This policy was not
Assets information system effective at 1 May 2020.
solutions)
level.
At a policy level, requirements surrounding

the security of third party suppliers have
been documented within the RI Advice
ED 4.2 Third Party Risk Gap. A Security in Depth document titled

Assessments and Management 'CARR Framework Questions'
Processes (RIF.0006.0010.0003) is present. It is unclear
whether these requirements and questions
contained within this document form part of
RI Advice's third party risk assessments and
management processes for third party
suppliers.
The Vendor Management and Outsourcing

Procedures (FFG.1022.0001.1633)
considers third party risk and third party
appear to consider third party risk across RI
Advice and its ARs.
Requirements surrounding third party risk

assessments are present within the
Information Security
Policy(FFG.1026.0001.0101). This policy
181

Domain
ED 4.3 Third Party Risk Gap. A Security in Depth document titled

Questionnaires and Assessment 'CARR Framework Questions'
Templates (RIF.0006.0010.0003) is present. It is unclear
whether these requirements and questions
contained in this document form part of RI
Advice's third party risk assessments and
management processes for third party
suppliers. A Practice Servicing Assessment
(PSA) template (FFG.1007.0001.0103) which
holds two questions in relation to information
security is present. Additionally, evidence of
a review against this PSA template is present
(FFG.1022.0001.3522). Evidence of a third
party assessment template for material
service providers (e.g. IT service providers)
is not present.
5. Access ED 5.1 Access Control Policy Gap. At a policy level, requirements

Management surrounding IT system and physical access
provisioning are present in the Information
ED 5.2 Mobile Device Gap. A 'Personal Use Policy' and 'Device

Management Policy Acceptable Use Policy' is referenced in the
Cyber Security Standard
(RIF.0006.0002.0065). However, these
documents are not present.
Mobile device usage policy requirements are

ED 5.3 Access Control Gap. The Cyber Security Standard

Procedures (including onboarding, (RIF.0006.0002.0065) discusses the
ongoing access review, password requirements that should be
offboarding, least privileges, implemented, including the use of passwords
remote access) across desktops, laptops, and mobile
devices, implementation of password policies
and approved password manager solutions.
The Cyber Security Standard
(RIF.0006.0002.0065) also discusses the
requirement for Two-factor authentication for
'all system access'. Additionally, a Security in
Depth developed document titled 'Work at
home protection' (RIF.0006.0002.0139)
discusses the need for MFA and password
management.
An 'AR & CAR Cancellation Checklist' which

references a requirement to remove system
access is present (FFG.1022.0001.1843). A
brief reference to user account reviews is
present in the Cyber Security Support Guide
(RIF.0006.0001.0001).
182

Domain
A number of documents relating to

implementing MFA across Xplan, Microsoft,
Adobe and Google products have been
developed (RIF.0006.0002.0170,
FFG.1022.0001.3480, FFG.1022.0001.3509,
FFG.1022.0001.3476, RIF.0006.0002.0029).
Guides relating to password protecting
documents have also been provided to RI
Advice by Security in Depth
(RIF.0006.0002.0131, RIF.0006.0002.0103).
End user guides and webinars for LastPass
have also been provided to RI Advice
(RIF.0006.0002.0145, RIF.0006.0002.0130).
LastPass audit reports have also been
produced (RIF.0006.0014.0003,
RIF.0006.0014.0005, RIF.0006.0014.0001,
RIF.0006.0014.0002).
Further details with respect to other access

procedures including onboarding,
offboarding, routine reviews, and least
privileged access are not present.
Requirements surrounding access controls

including role-based access controls,
managing privileges, and segregation of
duties are present in the Information Security
ED 5.4 Mobile Device No Gap. The Cyber Security Standard

Management Procedures (RIF.0006.0002.0065) discusses the
requirements for employees when using their
own devices at work, such as ensuring all
devices are password protected, have
regular updates, and ensuring there are
screen timeouts.
ED 5.5 IT Access Review and Gap. While evidence of password managers

Results (including segregation of being audited and tested across RI Advice
duties and least privilege) and its ARs is present
(FFG.1022.0001.3514,
FFG.1022.0001.3521,
FFG.1022.0001.3518), evidence of IT access
reviews being performed to identify privileged
account activity, least privilege provisioning,
and onboarded and offboarded users across
RI Advice and its ARs is not present.
Access review requirements, including a
requirement to review user accounts and
permissions every 90 days, have been
ED 5.6 Usage of Multi-Factor Gap. RI Advice has audited and requested

Authentication Tools (e.g. Soft attestations of its ARs and their
tokens, hard tokens) implementation of MFA across Xplan and
183

Domain
'local area networks' (FFG.1022.0001.3521,

RIF.0006.0006.0005, RIF.0006.0006.0007,
RIF.0006.0006.0001, RIF.0006.0006.0002,
RIF.0006.0006.0003).
MFA within O365 does not appear have

been implemented across RI Advice and its
ARs as evidenced by the Second RI
environment (FFG.1000.0001.0181).
6. Personnel ED 6.1 Security Training & Gap. Policy requirements surrounding

Security, Awareness Policy security awareness training have been
Training and documented within the Information Security
Awareness Policy (FFG.1026.0001.0101). This policy
ED 6.2 Clear Desk and Clear Gap. While a requirement for AR practices to
Screen Policy hold a "clean desk policy" is present in the
Cybersecurity Standard
(RIF.0006.0002.0065), evidence of such a
policy being developed and implemented
Policy requirements surrounding clean desk

and clean screen are documented in the
ED 6.3 Security Training and No Gap. Security awareness appears to be

Awareness Plan for all users performed regularly through multiple
(including Contractors, Third avenues such as newsletters, external
Parties, Privileged users) awareness presentations and mandatory
cybersecurity induction questions
(FFG.1022.0001.2643,
FFG.1020.0001.0425, FFG.1022.0001.2561,
RIF.0006.0002.0036, RIF.0006.0004.0003,
RIF.0006.0004.0042). Additionally,
cybersecurity awareness is present in a
number of communications between RI
Advice and its ARs (RIF.0006.0005.0045,
RIF.0006.0005.0083, RIF.0006.0005.0052).
Cybersecurity Kaplan questions and a
Cybersecurity Exam also appear to have
been developed (FFG.1020.0001.0209,
FFG.1022.0001.2561, RIF.0006.0004.0087).
References to an information security

awareness program are present in the
184

Domain
ED 6.4 Clear Desk and Clear No Gap. Requirements and guidelines for
Screen Guidelines AR practices to maintain clear desks and
implement screen lockout controls are
present in the Cybersecurity Standard
(RIF.0006.0002.0065).
Requirements surrounding clean desk and

clean screen are present in the Information

Advisers (FFG.1022.0002.0010).
(FFG.1022.0001.1760,
FFG.1022.0001.1843, FFG.1022.0001.1767,
FFG.1022.0001.1771, FFG.1022.0001.1773,
FFG.1022.0001.1775, FFG.1022.0001.1731,
FFG.1022.0001.2374,
FFG.1022.0001.2377).
Requirements surrounding employee

criminal and employment background checks
are present in the Information Security Policy

ED 6.7 Measurement of Security No Gap. Evidence of cybersecurity exam

Training & Awareness completion questions is present (RIF.0006.0004.0087).
and effectiveness Security awareness material is present in
relation to RI Advice providing continuous
awareness and training to its ARs: RI Report
(Various) (e.g. 1 July 2019
FFG.1022.0001.2724, 11 February 2019
FFG.1022.0001.2643, 29 July 2019
(FFG.1022.0001.2695)
(FFG.1022.0001.2822)
•20190220 1709 APRA Webinar
•RI Advice Presentation
(FFG.1022.0001.2825)
Cybersecurity Kaplan questions also appear

to be developed (FFG.1020.0001.0209,
FFG.1022.0001.2561). Evidence of
completion of cybersecurity training is
present (FFG.1022.0001.3474)
Evidence of attendance at the cybersecurity
Part A and Part B webinars hosted by
Security in Depth is present
(RIF.0006.0004.0001).
185

Domain
7. Data Security _
ED 7.1 Information Storage Gap. The Cyber Security Standard

Procedures (RIF.0006.0002.0065) discusses the
categorisation of information and
management of sensitive documents and
emails. The Standard also discusses the
retention and destruction requirements per
the Corporations Act and Counter-Terrorism
Financing Act.
With respect to password complexity, the
Cyber Security Standard
(RIF.0006.0002.0065) discusses minimum
complexity requirements including password
rotations every 90 days, minimum 10
character password length, and the mixture
of upper and lower case alphabetical
characters, numbers and special characters
in passwords.
RI Advice introduced an Advice Processes
and Client Records (ACR) program which
seeks to "have all information obtained by
advisers stored in Xplan to protect client
personal information" (FFG.1027.0001.0003,
RIF.0006.0008.0001, RIF.0006.0008.0002).
Further detailed steps with respect to
securely storing information and IT assets
across ARs’ IT and cloud infrastructure (e.g.
File servers, O365) are not present.
Encryption and password management
requirements has been captured within the
ED 7.2 Information Transfer No Gap. A Security in Depth developed

Procedures document titled 'Work at home protection'
(RIF.0006.0002.0139) which discusses the
need to use a VPN is present. The Cyber
Security Standard (RIF.0006.0002.0065)
discusses the requirement to password
protect USBs. The Cyber Security Guide
(RIF.0006.0001.0001) advises on the
dangers of using USBs. RI Advice has
requested and received attestations from its
ARs as to their use of password protection of
emails (FFG.1022.0001.3521).
Encryption requirements surrounding

information in transit for personally
identifiable information and company
confidential information have been referred
to within the Information Security Policy
186

Domain


ED 7.4 Information flow Gap. Network diagrams appear to be specific

diagrams, data flow diagrams, and to IOOF only, and therefore are not
logical network diagrams applicable to RI Advice and its ARs
(FFG.1022.0001.1818).
8. Secure ED 8.1 SDLC and Change Gap. Brief references to change control and
System Management Policy change management processes are present
Development in the Information Security Policy
Life Cycle (FFG.1026.0001.0101). This policy was not
(SDLC) and effective at 1 May 2020.
Change
Management ED 8.2 SDLC Security N/A – May not be applicable to RI Advice
Procedures and its ARs as they do not internally develop
applications.
ED 8.3 Change Control Gap. Brief references to change control and

Procedures (including security) change management processes are present
9. Baseline _
Operational
Security
ED 9.1 IT Baselines and Gap. While a Cybersecurity Standard has
Configuration Standards been developed (RIF.0006.0002.0065),
evidence of attestations and audits to verify
all ARs have fully implemented the standard,
is not present.
A 'Small Business Cyber Security Guide'

(RIF.0006.0002.0189) developed by the
Australian Cyber Security Centre is present.
Evidence to support this guide being
implemented and operationalised across RI
Advice and its ARs is not present, other than
a reference in the 6 April 2020 RI Advice
newsletter (RIF.0006.0005.0121).
Configurations and standards to harden

against Flash, java, and ads on the internet
are not present.
Brief references to configuration standards

for workstations, servers, and corporate
networks are present in the Information
187

Domain
ED 9.2 Application Whitelisting Gap. A 'Software Installation Policy' has

Procedures been briefly referenced within the Cyber
Security Standard (RIF.0006.0002.0065).
The Standard references the requirement for
all software installations to have practice
management and security approval prior to
installation. Additionally, the Standard refers
to the Licensee websites for the list of
approved software. However, the 'Software
Installation Policy' is not present.
ED 9.3 Microsoft Office Macro Gap. While this control is in place within FFG
Guidelines and Procedures as part of its implementation of the Essential
8 (FFG.0010.0001.6600), evidence to
ED 9.4 Endpoint and Network No Gap. The Cyber Security Support Guide
Protection Procedures (RIF.0006.0001.0001) requires ARs to use a
Firewall as well as ensure all computers
have anti-virus software installed.
High level requirements surrounding anti-

malware controls for Endpoints are present
ED 9.5 Application Whitelisting Gap. The Cyber Security Standard

Technical Controls (RIF.0006.0002.0065) references the
requirement for all software installations to
have prior practice management and security
approval prior to installation. Additionally, the
Standard refers to the Licensee websites for
the list of approved software. However,
evidence of the list of approved software
such as a screenshot of the approved
software from the Licensee websites is not
present.
ED 9.8 Endpoint and Network Gap. A Security in Depth developed

Protection Technical Controls document titled 'Work at home protection'
(RIF.0006.0002.0139) advises 'ensure all
188

Domain
anti-virus anti malware software is the latest

version'. Additionally, the Cyber Security
Support Guide (RIF.0006.0001.0001)
requires ARs to use 'a Firewall' as well as
ensure all computers have anti-virus
software installed. However, evidence of
these controls being implemented is not
present. Examples of such evidence include
audits or reviews performed which
demonstrate the number of ARs which have
installed Firewall and antivirus software
within their IT environment.
10. Security ED 10.1 Audit and Logging Gap. Policy requirements surrounding
Continuous Policy logging are present within the Information
Monitoring Security Policy (FFG.1026.0001.0101). This
ED 10.2 Audit and Logging Gap. Logging requirements are briefly

Procedures (including regular mentioned in the context of network security
review) events (RIF.0006.0001.0001). Organisational
requirements and detailed guidance on
mandatory logs and log details are not
present.
ED 10.3 Event and Incident Gap. References to incident response

Monitoring Procedures procedures are present in the Information
Additionally, the referenced incident
response procedures are not present.
ED 10.4 Security Zoning No Gap. Physical security requirements and

Procedures (e.g. controls for procedural steps have been captured in the
restricted IT areas) Cyber Security Standard
(RIF.0006.0002.0065).
Requirements surrounding physical controls

required to protect locations containing
corporate information systems are present in
the Information Security Policy
ED 10.5 Endpoint and Gap. A Security in Depth developed

Infrastructure Security Detection document titled 'Work at home protection'
Controls (RIF.0006.0002.0139) advises 'ensure all
anti-virus anti malware software is the latest
version'. Additionally, the Cyber Security
Support Guide (RIF.0006.0001.0001)
requires ARs to use 'a Firewall' as well as
ensure all computers have anti-virus
software installed. However, evidence of
these controls being implemented is not
present. Examples of such evidence include
audits or reviews performed which
demonstrate the number of ARs that have
189

Domain
installed Firewall and antivirus software

within their IT environments.
Evidence of detection controls relating to

ARs' O365 environment is not present.
Examples of O365 detection controls include
regular review of O365 audit logs in order to
identify any suspicious activities.
References to Endpoint and infrastructure-

related monitoring including wireless access
monitoring and systems monitoring have
been documented within the Information
ED 10.6 Evidence of security Gap. While audits over the usage of MFA
audit and logging reviews and password managers have been
(including for internal and external performed by RI Advice, evidence of security
systems) log audits or reviews of IT systems
conducted by RI Advice is not present. An
example of a security log audit or review is
reviewing O365, network Firewall and
Endpoint antivirus logs for system and user
activity to identify suspicious or malicious
behaviour.
11. Vulnerability _
Management
ED 11.1 Vulnerability Gap. A draft IOOF Penetration Test
Management Plan and Remediation Procedures is present
Procedures (FFG.1022.0001.3169). However, evidence
to support these procedures being formalised
and implemented at the AR level is not
present.
A vulnerability management plan has been

referenced within the Information Security
was not effective at 1 May 2020. Additionally,
the referenced vulnerability management
plan is not present.
ED 11.2 Patch Management No Gap. The Cyber Security Standard

Procedures (including Operating (RIF.0006.0002.0065) and the Cyber
System and Application patching) Security Support Guide
(RIF.0006.0001.0001) discuss a requirement
of ensuring automatic updates for computers.
Additionally, the Security in Depth developed
document titled 'Work at home protection'
(RIF.0006.0002.0139) discusses the need to
ensure all software is updated to the latest
version.
A requirement for patches to be deployed to

RI Advice corporate and production systems
within 30 days of release by the vendor is
190

Domain

ED 11.3 Technical security Gap. In the cyber assessment pilot email

testing (e.g. penetration testing, template (RIF.0006.0010.0001), it is
vulnerability scanning, security mentioned that the remote assessments
audits) would involve demonstrating security
measures are in place within Microsoft Office
365.
It is not clear whether the scope of these

assessments is inclusive of technical testing
with respect to other areas within the ARs' IT
environments, including remote access
vulnerabilities which were evident from the
FFG Data Breach. Additionally, cyber
assessments have not yet been completed
across all the AR practices.
ED 11.4 Patch Management Gap. The Cyber Security Standard

Deployment Tools (RIF.0006.0002.0065) and the Cyber
Security Support Guide
(RIF.0006.0001.0001) discuss a requirement
of ensuring automatic updates for computers.
Additionally, the Security in Depth developed
document titled 'Work at home protection'
(RIF.0006.0002.0139) discusses the need to
ensure all software is updated to the latest
version.
Evidence to demonstrate that RI Advice and

its ARs are maintaining and actively using
patch management deployment tools to
perform regular patch management is not
present. Typical evidence would include
patch reports or Vulnerability Assessment
reports which demonstrate the patch status
of IT assets.
Communications applies to IOOF Holdings.
Advice.
Brief reference to security incident response
plans and how security incidents are
managed within the organisation have been

191

Domain
ED 12.3 Incident and Data Gap. A data breach response plan titled
Breach Response Plan and 'CIRP - Process Guide - Data Breach'
Playbooks (RIF.0006.0011.0001) has been developed
by RI Advice and communicated to its ARs
(RIF.0006.0005.0098). The plan includes
high level response steps, core team roles,
criteria for an 'eligible data breach', client
notification steps, as well as a summarised
response checklist.
The 'Electronic Storage Guide'

(FFG.1022.0001.2213) contains a brief
checklist with respect to incident
management for cloud solutions.
It is not clear whether the data breach

response plan or the electronic storage guide
would cover cybersecurity incidents that do
not involve sensitive data exposure (e.g.
denial of service attacks). Additionally, an
approach to regular review and testing of the
response plan as well as a formalised call
tree which captures the core team
stakeholders and its associated contact
details (e.g. phone numbers and emails) is
not present in the data breach response plan
or any other breach response-related
documents.
ED 12.4 Public Relations and No Gap. The data breach response plan
External Communications Plan titled 'CIRP - Process Guide - Data Breach'
(RIF.0006.0011.0001) developed by RI
Advice discusses the communication steps
including notification to the police, ASIC,
ATO, insurance providers, credit reporting
agencies, and to the impacted individuals.

Testing and Post Incident Reports for incidents which occurred after the FFG
Data Breach (FFG.1013.0001.0003,
FFG.1029.0001.0035), limited details are
present.
(FFG.1022.0001.3071).
192

Domain
ED 13.2 Business Continuity Gap. MAOs and RTOs have been captured
and Disaster Recovery Plan within documentation
(FFG.1022.0001.2144), however they appear
to have been assigned the same value,
which does not properly indicate the
business priority. A 'BCM Activities for RI
Advice' spreadsheet is present, however it
appears to be limited to Xplan, processing
statements and making payments to advisers
(FFG.1022.0001.2158).
Brief reference to business continuity and

disaster recovery plans is present in the
effective at 1 May 2020. Additionally, the
referenced business continuity and disaster
recovery plans is not present.
Evidence supporting business continuity and

disaster recovery capabilities at the AR level
is not present.
ED 13.3 Backup Procedures No Gap. The Cyber Security Standard

(RIF.0006.0002.0065) and the Cyber
Security Support Guide
(RIF.0006.0001.0001) discuss the
requirements and steps that can be taken for
data backups including backing up all critical
data, backup being undertaken minimum
weekly, backups being encrypted, being
stored offsite, and being tested regularly, at a
minimum annually.

Post Reports

193
Schedule G
GLOSSARY OF DEFINED TERMS
Defined Term Meaning First

paragraph
Reference
13 Cybersecurity The cybersecurity domains referred to in 14

Domains paragraph 14
ACORN Australian Cybercrime Online Reporting 40(c)(i)

Network
ACR Program Cybersecurity initiative 115(o)
Act Corporations Act 2001 (Cth) 2(d)
ADG Incident Register A register titled ‘ADG Incident 16(b)

Incident Data Report register_Incident Data Report – All
time.xlsx’ [FFG.1016.0001.0004]
AFSL Australian Financial Services Licence 2(d)
Aligned Dealer Group As referred to in paragraph 16 16

Incident Register
Aligned Dealer Groups ANZ aligned dealer groups that from 2(b)
1 October 2018 became part of the IOOF
Holdings Limited group of companies
ANZ Australia and New Zealand Banking Group 2(a)

Limited
Application Hardening Securing an application or a system by Schedule A,

reducing its surface of vulnerabilities. ED9.1
Common examples of application hardening
include patching vulnerabilities, turning off
nonessential services and changing default
credentials.
Application A security approach designed to protect Schedule A,

Whitelisting against malware being executed on ED9.2
computer systems. When implemented
properly, application whitelisting ensures
that only approved applications (e.g.
executables, software libraries, scripts and
installers) can be executed
194

paragraph
Reference
ARs Authorised representatives (within the 2(e)

meaning of s 761A of the Act)
ASIC Australian Securities and Investment 1

Commission, the plaintiff
ASIC Act Australian Securities and Investments 1(a)

Commission Act 2001 (Cth)
Attestations on Cyber Cybersecurity initiative 85(d)

Capabilities and
Protections
Awareness Material Cybersecurity initiative 85(e)
BYOD Bring Your Own Device Schedule A,

ED5.2
CARR Cyber assurance risk review 73
COR Reporting System A register titled ‘COR reporting 16(b)

ADG Case Records system_ADG Case Records (d1.01)
181005b.xlsx’ [FFG.1016.0001.0005]
Cryptographic Hash A method of cryptography which converts Schedule A,

any form of data into a unique string of bytes ED9.2
Cyber Insurance Cybersecurity initiative 85(j)
Cyber resilience The ability to anticipate, withstand, recover 13

from and adapt to adverse conditions,
stresses, attacks, or compromises on
systems that use or are enabled by cyber
resources regardless of the source
Cybersecurity The ability to protect and defend the use of 13

cyberspace from attacks
Cybersecurity Cybersecurity initiative 85(b)

Discussion Topics
Cybersecurity Strategies, frameworks, policies, plans, 13(b)

Documentation and procedures, standards, guidelines, systems,
Controls resources and controls in respect of
cybersecurity and cyber resilience
195

paragraph
Reference
Cybersecurity domains Subset areas of a cybersecurity framework 14

which contain further granular cybersecurity
controls. Examples of cybersecurity domains
include ‘Access management’ and ‘risk
assessments and risk management’
Cybersecurity Defined structure specific to cybersecurity 14

framework which will generally comprise the mandated
rules and processes to help an organisation
reduce its cyber risk to an acceptable level
Cybersecurity Incident Cybersecurity initiative 100(k)

Response Plan
Finalisation
Cybersecurity Cybersecurity incidents that occurred at RI 15

Incidents Advice or within its AR network
Cybersecurity Cybersecurity initiative 100(h)

Leadership
Cybersecurity Strategy Cybersecurity initiative 115(n)
Documentation Update Cybersecurity initiative 85(c)
Email Filtering A technical IT control commonly deployed to Schedule A,

filter out spam and potentially harmful emails ED9.4
Empowered Empowered Financial Partners Pty Ltd, AR 94

of RI Advice
Empowered Cybersecurity Incident in August 2019 95

Cybersecurity Incident involving Empowered
Endpoint End-user machines and devices that are Schedule A,

typically interconnected within a corporate ED3.4
environment and internet capable. Often
presents a key vulnerable point of entry for
cybersecurity attacks. Examples of
endpoints include desktops, laptops,
smartphones, tablets, workstations, and
servers
FFG Frontier Financial Group Pty Ltd as trustee 51

for The Frontier Trust, AR of RI Advice
196

paragraph
Reference
FFG Data Breach Cybersecurity Incident involving FFG 52
Firefly Cybersecurity Cybersecurity Incident involving Martin and 29

Incident Firefly Wealth that occurred in June 2015
Firefly Wealth Trustee for the Griffin Martin Investment 27

Trust trading as Firefly Wealth, AR of RI
Advice
Firewall System designed to prevent unauthorised Schedule A,

access to or from a network through rulesets ED9.8
and restrictions over data communication
traffic. Firewalls can be implemented in both
hardware and software, or a combination of
both
First RI Shepparton Cybersecurity Incident involving Sandra 63

Cybersecurity Incident Miller and RI Shepparton that occurred on
about 23 May 2018
Flash Flash commonly refers to a computer Schedule A,

software which allows web developers to ED9.1
incorporate animations and interactive
content into websites
Gap Analysis Cybersecurity initiative 100(i)
Group Policy Group policy refers to a Microsoft Windows Schedule A,

feature used to control machines in an ED9.5
organisation’s IT environment
Hilsley Anthony Hilsley, AR of RI Advice 38
Horizons Wealth ARs trading as Horizons Wealth 74
Incident response team Team assembled by the impacted Schedule A

(IRT) organisation to invoke common incident ED12.3
handling steps including identification,
containment, eradication and recovery
IOOF IOOF Holdings Limited 2(b)
IOOF COR Incident A register titled ‘IOOF COR Incident Master 16(b)
Master Spreadsheet Spreadsheet_20181001_IOOF_COR
Incident Master Spreadsheet.xlsx’
[FFG.1016.0001.1389]
197

paragraph
Reference
IOOF Developed Documentation and Controls developed by 88

Documentation IOOF
Java Java is a class-based, object-oriented Schedule A,

programming language that produces ED9.1
software for multiple platforms
KPMG KPMG Forensic Pty Ltd 81
KPMG Report KPMG Retire Invest Pty Ltd Cyber Incident 82

Response – Forensic Review dated 24
October 2018 [PP2.1003.0002.0004] and
appendices [PP2.1003.0001.0026,
PP2.1003.0001.0032, PP2.1003.0001.0042,
PP2.1003.0001.0056, PP2.1003.0001.0058,
RIF.0004.0005.5290 and
RIF.0004.0005.5287].
Licence (AFSL) number 000238429 2(d)
Lifewise Lifewise Financial Solutions Pty Ltd as 17

trustee for Lifewise Financial Solutions
Trust, AR of RI Advice
Lifewise Cyber Fraud Lifewise Retail Client who had been sent 20(a)(iv)
Victim one of the Malicious Lifewise Emails
Lifewise Cybersecurity Cybersecurity Incident involving Rogers and 19

Incident Lifewise that occurred in about early July
2014
Malicious Lifewise A malicious email which appeared to have 20(a)(ii)

Emails been sent from Rogers’ Google email
account
Malicious McHugh A suspicious email that requested money 35(a)(i)

Email and which appeared to have been sent from
McHugh’s email account
Mandated MFA Cybersecurity initiative 85(f)
Mandated Password Cybersecurity initiative 85(g)

Management
MAOs Maximum Acceptable Outages Schedule A,

ED13.2
198

paragraph
Reference
March 2019 Cybersecurity initiatives 83

Cybersecurity
Initiatives
March 2019 Cybersecurity Documentation and Controls 87

Documentation and
Controls
Martin Adele Martin, AR of RI Advice and principal 28

of Firefly Wealth
May 2018 Cybersecurity Documentation and Controls 57

Documentation and
Controls
May 2020 Cybersecurity initiatives 115

Cybersecurity
Initiatives
May 2020 Cybersecurity Documentation and Controls 118

Documentation and
Controls
McHugh Benjamin McHugh, AR of RI Advice 33
Minimum Cybersecurity Documentation and Controls 13(b)

Cybersecurity
Requirements
MFA Multi-factor Authentication 85(f)
NIST National Institute of Standards and Schedule A,

Technology ED1.1
Notifiable Data Breach Notifiable Data Breach form in respect of 67

Form the FFG Data Breach
[PP2.0010.0001.0024].
November 2019 Cybersecurity initiatives 100

Cybersecurity
Initiatives
November 2019 Cybersecurity Documentation and Controls 103

Documentation and
Controls
199

paragraph
Reference
OAIC Office of the Australian Information 67

Commissioner
Offboarding Action or process of separating an employee Schedule A,

from an organisation ED5.3
Onboarding Action or process of integrating a new Schedule A,

employee into an organisation ED5.3
Penetration tests Process of identifying and attempting to Schedule A,

exploit vulnerabilities in order to penetrate ED2.4
into a system or environment
Personal Information Confidential and sensitive personal 3

information and documents in relation to
Retail Clients
Personally identifiable Personally identifiable information (PII) or 83(h)

information personally sensitive information is
identifiable information relating to customers
and employees which may be leveraged to
indirectly enable fraudulent activity
PAC Proprietors Advisory Council 85
PSA Practice Servicing Assessment Schedule D,

ED4.3
Recommended AR CARRs recommended by Security in Depth 75(e)

Network CARRs
Recovery Point The maximum acceptable amount of data Schedule A,

Objective (RPO) loss for an organisation measured in time ED13.2
Recovery Time The desired maximum time allowed between Schedule A,

Objective (RTO) an unexpected failure or disaster of a ED13.2
computer, system network or application
and the resumption of normal operations
and service levels
Remote access Provides a virtual connection between a Schedule A,

user and their target network. Commonly ED5.3
used to provide remote employees access
to an organisation’s corporate systems and
applications from a geographically separate
location. An example of a type of remote
access service is a VPN
200

paragraph
Reference
Retail Clients Retail clients (within the meaning of s 761G 2(e)

of the Act)
Review of Cyber Cybersecurity initiative 85(h)

Standard
RI Advice The defendant 2
RI Advice Practices RI Advice’s ARs organised in practice 10

groups of one or more ARs
RI Berwick ARs trading as RI Advice – Berwick 74
RI Circular Quay RetireInvest Circular Quay, AR of RI Advice 43
RI Circular Quay Cybersecurity Incident involving RI Circular 44

Cybersecurity Incident Quay
RI Corporate Cybersecurity incident involving RI Intranet 23

Cybersecurity Incident
RI Incident Data Report A register titled ‘20190521 ‐ RI Incident 16(b)

Data Report’ [RIF.0003.0103.0524]
RI Intranet RI Advice’s internal intranet site 23
RI Lower Hunter ARs trading as RI Lower Hunter 74
RI Shepparton ARs trading as RI Shepparton 61
Rogers Bradley Ewan Rogers, AR of RI Advice and 18

principal of Lifewise
SCCM Microsoft System Centre Configuration Schedule A

Manager ED11.4
Second RI Shepparton Cybersecurity Incident that occurred on 111

Cybersecurity Incident about 14 April 2020 involving Sandra Miller
and RI Shepparton
Six CARRs Cybersecurity initiative 85(a)
SOC Service Organisation Controls Schedule A,

ED4.3
201

paragraph
Reference
Spam Emails Emails sent from Sandra Miller’s email 112(a)(ii)
Technical Security A technical measure of the cybersecurity 15(c)(ii)

Assurance risks that exist in AR organisations
Toowoomba JEM AR trading as Toowoomba JEM Wealth 61

Wealth
Toowoomba JEM Cybersecurity Incident involving McHugh 34

Wealth Cybersecurity
Incident
Training Cybersecurity initiative 85(i)

Implementation
Vixtro Report A report prepared by a third-party IT service 70

provider, Vixtro, regarding FFG’s desktop
and network security dated 3 August 2018
[FFG.1000.0001.0058].
VPN Virtual Private Network Schedule A,

ED7.2
Vulnerability A Vulnerability Assessment refers to the Schedule A,

Assessment process of identifying, quantifying, and ED2.4
prioritising vulnerabilities identified in an
information asset or system. Vulnerability
assessments are typically performed using
or assisted using automated vulnerability
assessment tools.
The key difference between vulnerability
assessments and penetration tests lies in
the active exploitation of vulnerabilities;
vulnerability assessments do not attempt to
exploit the identified vulnerabilities, while
penetration tests ordinarily do.
Walker John Leslie Walker, AR of RI Advice and 43

principal of RI Circular Quay
Wise Cybersecurity A Cybersecurity Incident involving Hilsley 39

Incident and Wise Financial Planning
202

paragraph
Reference
Wise Financial AR of RI Advice, Superannuation Advisory 38(d)

Planning Service Pty Ltd trading as Wise Financial
Planning and/or SAS Advice

20 191mr 2020 10 26 Vid 556 Asic V Ri Soc Filed

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

20 191mr 2020 10 26 Vid 556 Asic V Ri Soc Filed

Uploaded by

Copyright:

Available Formats

NOTICE OF FILING

Document Lodged: Statement of Claim - Form 17 - Rule 8.06(1)(a)

Dated: 26/10/2020 9:59:19 PM AEDT Registrar

(Filed pursuant to orders made by O’Callaghan J on 18 September 2020)

Federal Court of Australia

District Registry: Victoria

Australian Securities and Investments Commission

RI Advice Group Pty Ltd (ACN 001 774 125)

Filed on behalf of (name & role of party) The Plaintiff

E.1 FIRST RI SHEPPARTON CYBERSECURITY INCIDENT – MAY 2018 ..............................................................43

A. THE PARTIES AND THE AUTHORISED REPRESENTATIVES

1 The plaintiff (ASIC) is:

(a) a body corporate under s 8(1)(a) of the Australian Securities and

2 The first defendant (RI Advice):

(c) since 1 October 2018 has been a wholly-owned subsidiary of IOOF;

3 At all material times, in the course of providing financial services on RI Advice’s

confidential and sensitive personal information and documents in relation to

(b) contact information, including contact phone numbers and email

(c) copies of identification documents, such as driver’s licenses, Medicare

(d) tax file numbers; and

4 Since 15 May 2018, RI Advice’s ARs have provided financial services on RI

RI Advice website: “Become an adviser”

6 As at 15 May 2018, RI Advice had 286 ARs, comprising:

(a) 192 individual ARs; and

(b) 94 corporate ARs.

7 As at 12 and 13 March 2019, RI Advice had 232 ARs, comprising:

(a) 157 individual ARs; and

(b) 75 corporate ARs.

8 As at 1 November 2019, RI Advice had 297 ARs, comprising:

(a) 198 individual ARs; and

(b) 99 corporate ARs.

9 As at 1 May 2020, RI Advice had 293 ARs, comprising:

(a) 191 individual ARs; and

(b) 102 corporate ARs.

10 At all material times, since 15 May 2018:

(a) RI Advice’s AR's have provided financial services on RI Advice’s behalf

The RI Advice website contains a list of RI Advice Practices:

As at 10 August 2018, there were 110 RI Advice Practices: email

As at 1 May 2020, RI Advice stated that there were 89 RI Advice

B. OBLIGATIONS TO IMPLEMENT ADEQUATE CYBERSECURITY SYSTEMS

11 At all material times, RI Advice was required to establish and maintain

Clause 2 of the Licence.

(a) pursuant to s 912A(1)(a) of the Act, to do all things necessary to ensure

(d) pursuant to s 912A(1)(d) of the Act, to have available adequate resources

(e) pursuant to s 912A(1)(h) of the Act, to have adequate risk management

13 By reason of the matters pleaded in paragraphs 2(d) and (e), 3 to 5, 11 and 12

Cybersecurity is the ability to protect and defend the use of

Cyber resilience is the ability to anticipate, withstand, recover from,

(b) have strategies, frameworks, policies, plans, procedures, standards,

Details of the Cybersecurity Documentation and Controls that RI

14 Further to paragraph 13 above, at all material times, the Cybersecurity

1) Governance and business environment;

2) Risk assessments and risk management;

4) Supply chain risk management;

6) Personnel security, training and awareness;

8) Secure system development life cycle and change management;

9) Baseline operational security;

10) Security continuous monitoring;

11) Vulnerability management;

12) Incident response and communications; and

13) Continuity and recovery planning,

(13 Cybersecurity Domains).

Details of the Cybersecurity Documentation and Controls that