FIIG Securities Faces ASIC Lawsuit Following Significant Breach

The Australian Securities and Investments Commission (ASIC) has initiated legal proceedings against FIIG Securities Limited (FIIG), citing extensive and long-standing cybersecurity shortcomings. Filed in the Federal Court of Australia, the case underscores serious deficiencies in FIIG’s cybersecurity framework that persisted over a four-year span, culminating in a major data breach.

ASIC alleges that from March 2019 until June 8, 2023, FIIG failed to manage its cybersecurity adequately, leaving both the firm and its clients exposed to a range of cyber threats. During that period an intruder gained access to FIIG's IT network on May 19, 2023, and retained it for roughly three weeks without FIIG detecting the compromise, until June 8. About 385GB of confidential data was exfiltrated, compromising the personal information of approximately 18,000 clients.

The stolen data included names, addresses, dates of birth, bank account details and tax file numbers. FIIG did not detect the intrusion itself: the Australian Signals Directorate's Australian Cyber Security Centre (ACSC) notified the firm on June 2, 2023, and even then FIIG did not begin investigating until June 8, six days after the warning.

ASIC Chair Joe Longo stressed the critical importance of robust cybersecurity practices, asserting that this situation should alert all firms to the perils of neglecting such systems. Longo remarked that cybersecurity cannot be a one-time effort; it requires ongoing vigilance and enhancement. ASIC expects that companies, especially those in financial services, actively manage cybersecurity risks to safeguard consumers and preserve confidence in the financial system.

The allegations against FIIG include failing to implement and monitor properly configured firewalls to protect against cyberattacks, failing to update and patch software regularly to remediate known vulnerabilities, and not providing mandatory cybersecurity training for employees. ASIC also alleges that FIIG did not allocate sufficient financial, technological and human resources to managing cybersecurity risk.

As an Australian Financial Services (AFS) licensee, FIIG is obligated under the Corporations Act 2001 to have adequate risk management systems. This is ASIC's second enforcement action concerning the cybersecurity obligations of financial service providers, following the RI Advice case in May 2022, in which the Federal Court found RI Advice had breached its obligations by failing to adequately protect client data.

ASIC is seeking declarations that FIIG contravened its obligations, together with civil penalties and compliance orders. The case signals ASIC's intent to hold AFS licensees to their cybersecurity obligations in order to protect both investors and the financial system at large.

The issue extends beyond the breach itself: ASIC's case is that FIIG systemically failed to assess and mitigate cybersecurity risk over several years. The nature of FIIG's business, offering custodial and trading services while holding sensitive client data, makes it an attractive target. The allegations summarised above do not identify how the intruder gained access; in MITRE ATT&CK terms, the alleged weaknesses (unpatched software, poorly configured firewalls, untrained staff) are the conditions that initial-access and persistence techniques commonly exploit, and the three-week dwell time is the consequence of having no effective detection once an attacker is inside.

ASIC's repeated warnings to financial service providers about cybersecurity practices reflect increasing regulatory scrutiny of the sector. The findings of ASIC's 2023 Cyber Pulse Survey emphasised the need for robust cybersecurity strategies and urged organisations to strengthen their defences against evolving threats. Licensees that fail to meet these obligations risk significant penalties as well as reputational damage.

The action against FIIG Securities underlines the need for stronger cybersecurity compliance in financial services and is a reminder to any firm handling sensitive financial data that cybersecurity must be a continuous priority if customer information and trust are to be protected.