media release (25-035MR)

ASIC sues FIIG Securities for systemic and prolonged cybersecurity failures


FIIG Securities Limited (FIIG) allegedly failed to have adequate cybersecurity measures for more than four years, according to documents filed by ASIC in the Federal Court. This enabled the theft of approximately 385GB of confidential data, with some 18,000 clients notified that their personal information may have been compromised.

ASIC alleges that from March 2019 to 8 June 2023, FIIG failed to take the steps required of an Australian Financial Services (AFS) licensee to ensure it had adequate cyber risk management systems in place.

FIIG’s cybersecurity failures enabled a hacker to enter its IT network and go undetected from 19 May 2023 until 8 June 2023, resulting in the theft of personal information and subsequent release of client data on the dark web.

The stolen data included highly sensitive customer information, such as names, addresses, birth dates, driver’s licences, passports, bank account details and tax file numbers.

FIIG advised ASIC that it was contacted by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) about a potential cybersecurity incident on 2 June 2023. FIIG was not aware of the incident before this contact.

FIIG did not investigate and respond to the incident until 8 June 2023, almost a week after it had been notified of potential malicious activity by the ASD’s ACSC.

ASIC Chair Joe Longo said, ‘This matter should serve as a wake-up call to all companies on the dangers of neglecting your cybersecurity systems.

‘Cybersecurity isn’t a set and forget matter. All companies need to proactively and regularly check the adequacy of their cybersecurity measures and follow the advice of the ASD’s ACSC.

‘Advancing digital safety and resilience is a strategic priority for ASIC, and we have been actively engaging with companies to support the continuous improvement of cyber and operational resilience practices.

‘Australian financial services licensees are required by law to have adequate cybersecurity risk management systems in place. We allege FIIG’s inadequate cybersecurity measures left the business and its confidential client information vulnerable and exposed to significant risk.’

ASIC’s allegations include FIIG’s failure to:

  • have appropriately configured and monitored firewalls to protect against cyberattacks
  • update and patch software and operating systems to address security vulnerabilities
  • provide mandatory training to staff on cybersecurity awareness, and
  • have adequate human, technological and financial resources to manage cybersecurity.

ASIC is seeking declarations of contraventions, civil penalties and compliance orders.

Licensees’ failure to have adequate cybersecurity protections is an enforcement priority for ASIC. This is ASIC’s second cybersecurity enforcement action. In May 2022, the Federal Court ruled that AFS licensee RI Advice had breached its licence obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks (22-104MR).


Background

FIIG provides retail and wholesale investors with access to fixed income investments and bond financing. As an AFS licensee, FIIG plays an important role in providing custodial and trading services, maintaining records of client investments, and holding funds and fixed income investments on behalf of its clients.

ASIC expects AFS licensees to prioritise and invest in systems that protect their customers and maintain integrity in the financial system.

AFS and Credit Licensees have obligations under sections 912A(1)(a), (d) and (h) of the Corporations Act 2001 (Cth) to do all things necessary to ensure that financial services are provided efficiently, honestly and fairly, to have available adequate financial, technological and human resources, and to have adequate risk management systems.

In November 2023, in response to the findings of the ASIC cyber pulse survey 2023 (REP 776), ASIC called for greater vigilance from Australian organisations and urged them to prioritise cybersecurity against threats (23-300MR).

ASIC’s regulatory resources include further information about cyber security and cyber resilience: