Australia’s corporate regulator, the Australian Securities and Investments Commission (ASIC), has filed a federal court case against fixed-income specialist FIIG Securities Limited. The watchdog alleges that the company failed to maintain adequate cybersecurity measures over a four-year period, leading to a data breach that exposed sensitive information belonging to approximately 18,000 clients.
According to ASIC, FIIG’s cybersecurity shortcomings, which spanned from March 2019 to June 2023, left its IT systems vulnerable to cybercriminals. Hackers reportedly infiltrated the firm’s network and remained undetected for nearly three weeks before the breach was identified.
Court documents reveal that approximately 385GB of highly sensitive data was stolen, including names, addresses, birth dates, driver’s licenses, passports, bank account details, and tax file numbers. Some of this confidential information was later leaked on the dark web.
ASIC Warns Companies Against Cyber Negligence
ASIC Chair Joe Longo emphasized the importance of proactive cybersecurity management, stating:
“This matter should serve as a wake-up call to all companies on the dangers of neglecting cybersecurity systems. Cybersecurity isn’t a ‘set and forget’ issue. Businesses must continuously evaluate and update their security measures to protect sensitive data.”
Delayed Response Under Regulatory Scrutiny
The regulator also criticized FIIG’s delayed response to the breach. Reports indicate that the Australian Cyber Security Centre (ACSC) contacted FIIG on June 2, 2023, warning of potential malicious activity. However, the company allegedly failed to act until June 8, nearly a week later.
ASIC’s allegations highlight multiple security failures, including:
- Poorly configured firewalls
- Failure to update and patch software vulnerabilities
- Lack of mandatory cybersecurity training for employees
- Insufficient resources dedicated to cybersecurity management
Legal Obligations and Potential Penalties
Under Australian law, financial services licensees must implement robust cybersecurity risk management systems. ASIC contends that FIIG’s security failures exposed its clients to significant risks, violating its obligations to provide financial services efficiently, honestly, and fairly.
FIIG Securities, a key player in fixed-income investments and bond financing, also acts as a custodian for client assets. As an Australian Financial Services (AFS) licensee, the firm is legally required to maintain sound risk management frameworks.
Second Cybersecurity Enforcement Case for ASIC
This legal action marks ASIC’s second cybersecurity enforcement case. In 2022, the regulator took similar action against RI Advice for failing to meet security obligations.
With cyber threats rising, ASIC has prioritized cybersecurity compliance, urging companies to strengthen their defenses. Following its 2023 Cyber Pulse survey, ASIC has also released resources to help businesses improve cyber resilience and risk management.
FIIG Securities has yet to release an official response to ASIC’s allegations.
Key Takeaways:
- 385GB Data Breach: FIIG Securities allegedly failed to protect sensitive client data, leading to its exposure on the dark web.
- Regulatory Action: ASIC is seeking penalties, compliance orders, and declarations of contraventions.
- Delayed Response: The company reportedly took nearly a week to respond after being alerted to suspicious activity.
- Cybersecurity Failures: Lapses included outdated software, weak firewalls, and lack of staff training.
- Industry Impact: This marks ASIC’s second enforcement case, signaling stricter oversight on cybersecurity compliance.
With cyber threats escalating, ASIC’s lawsuit serves as a stern reminder for financial institutions to prioritize cybersecurity and ensure compliance with regulatory requirements.
