The Australian Securities and Investments Commission (ASIC) has taken legal action against FIIG Securities Limited (FIIG) over alleged systemic and prolonged cybersecurity failures. The proceedings, filed in the Federal Court of Australia, highlight serious deficiencies in FIIG’s cybersecurity measures that persisted for more than four years, ultimately leading to a significant data breach.
ASIC alleges that between March 2019 and June 8, 2023, FIIG failed to implement adequate cybersecurity measures, leaving the company and its clients vulnerable to cyber threats. A hacker reportedly infiltrated FIIG’s IT network on May 19, 2023, remaining undetected until June 8, 2023. This resulted in the theft of approximately 385GB of confidential data, affecting around 18,000 clients.
The stolen information included highly sensitive personal data such as names, addresses, birth dates, driver’s licenses, passports, bank account details, and tax file numbers. Alarmingly, FIIG was unaware of the breach until it was contacted by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) on June 2, 2023. However, the company only launched an investigation six days later, despite the warning from ASD’s ACSC.
ASIC’s Concerns
ASIC Chair Joe Longo emphasized the importance of cybersecurity measures, stating, “This matter should serve as a wake-up call to all companies on the dangers of neglecting cybersecurity systems.” He added that cybersecurity is not a “set and forget” matter and requires continuous monitoring and improvement. ASIC expects companies, particularly financial service providers, to proactively manage their cybersecurity risks to protect customers and maintain trust in the financial system.
ASIC has accused FIIG of failing to:
- Implement and monitor properly configured firewalls to defend against cyberattacks.
- Regularly update and patch software and operating systems to address security vulnerabilities.
- Provide mandatory cybersecurity awareness training for staff.
- Allocate sufficient financial, technological, and human resources for cybersecurity risk management.
FIIG Securities: Legal and Regulatory Implications
As an Australian Financial Services (AFS) licensee, FIIG is legally required under the Corporations Act 2001 (Cth) to have adequate risk management systems in place. ASIC has been actively enforcing cybersecurity obligations for financial service providers, making this case its second cybersecurity enforcement action.
In May 2022, ASIC took action against RI Advice, another AFS licensee, for failing to implement adequate risk management systems to address cybersecurity threats. The Federal Court ruled that RI Advice had breached its obligations to act efficiently and fairly by failing to safeguard client information.
ASIC is now seeking declarations of contraventions, civil penalties, and compliance orders against FIIG. This case highlights ASIC’s commitment to ensuring AFS licensees maintain strong cybersecurity measures to protect investors and the broader financial system.
The Broader Cybersecurity Challenge
FIIG’s role as an AFS licensee involves providing custodial and trading services, maintaining records of client investments, and managing funds and fixed-income investments. The nature of its business and the sensitive data it holds make it a prime target for cybercriminals.
Cybersecurity experts have pointed out that the issue is not just the breach itself but FIIG’s failure to implement reasonable and adequate measures to mitigate cybersecurity risks. Annie Haggar, Partner and Head of Cybersecurity at Norton Rose Fulbright Australia noted in a LinkedIn post that ASIC’s case provides insight into what constitutes ‘adequate’ cybersecurity protections. She highlighted key factors that ASIC considers when evaluating a company’s cybersecurity framework:
- The nature of the business and its responsibilities as an AFS licensee.
- The type and sensitivity of information stored, including financial and personal data.
- The value of assets under the company’s control.
- The likelihood of cyber threats and the potential consequences of a successful attack.
Missed Cybersecurity Measures
ASIC has outlined several key cybersecurity measures that FIIG allegedly failed to implement, including:
- An up-to-date and tested incident response plan.
- Effective privileged access management controls.
- Regular vulnerability scanning to identify security weaknesses.
- Deployment of next-generation firewalls and Endpoint Detection and Response (EDR) solutions.
- Keeping software and systems patched and updated.
- Implementing multi-factor authentication (MFA) for enhanced security.
- Properly configuring a Security Information and Event Management (SIEM) system monitored by skilled personnel.
- Conducting security awareness training for employees.
- Establishing processes to continuously review and improve cybersecurity controls.
Industry and Regulatory Response
ASIC has consistently warned financial service providers about the need for strong cybersecurity practices. Following its 2023 Cyber Pulse Survey (REP 776), ASIC urged Australian organizations to prioritize cybersecurity and enhance their resilience against cyber threats. The regulator has made cybersecurity a key enforcement priority, aiming to hold companies accountable for failing to meet their obligations under the Corporations Act.
Companies that fail to meet these obligations may face regulatory action, financial penalties, and reputational damage.
ASIC’s lawsuit against FIIG Securities highlights the growing regulatory focus on cybersecurity compliance within the financial sector. This case reinforces the need for financial institutions to adopt a proactive approach to cybersecurity by implementing adequate protections, regularly updating their security measures, and ensuring that their staff is well-trained in cyber risk management.
For businesses handling sensitive financial data, cybersecurity should not be an afterthought. It must be a continuous priority to safeguard customer information and maintain trust in the digital financial ecosystem.
