FIIG Securities Faces ASIC Lawsuit Following Significant Breach

The legal action taken by the Australian Securities and Investments Commission (ASIC) against FIIG Securities Limited (FIIG) for alleged cybersecurity failures has sparked concerns in the financial sector. The proceedings filed in the Federal Court of Australia shed light on the serious deficiencies in FIIG’s cybersecurity measures that endured for over four years, leading to a major data breach that affected thousands of clients.

ASIC’s allegations against FIIG span from March 2019 to June 8, 2023, during which FIIG purportedly neglected to implement adequate cybersecurity measures, leaving both the company and its clients susceptible to cyber threats. A hacker reportedly infiltrated FIIG’s IT network on May 19, 2023, and went undetected until June 8, 2023, resulting in the theft of around 385GB of confidential data, impacting approximately 18,000 clients. The stolen information included highly sensitive personal data such as names, addresses, birth dates, driver’s licenses, passports, bank account details, and tax file numbers. Shockingly, FIIG was unaware of the breach until notified by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) on June 2, 2023, and only began an investigation six days later, despite the warning from ASD’s ACSC.

ASIC Chair Joe Longo emphasized the critical role of cybersecurity measures, noting that neglecting cybersecurity systems poses significant risks to companies and their customers. He stressed that cybersecurity is an ongoing responsibility that necessitates continuous monitoring and improvement. ASIC expects companies, especially financial service providers, to actively manage their cybersecurity risks to safeguard customers and uphold trust in the financial system.

FIIG Securities, as an Australian Financial Services (AFS) licensee, is mandated by the Corporations Act 2001 (Cth) to have effective risk management systems in place. ASIC’s enforcement actions against financial service providers demonstrate a commitment to ensuring that AFS licensees uphold robust cybersecurity measures to protect investors and the financial system at large.

In a broader context, the challenge of cybersecurity extends beyond FIIG’s specific case. Cybersecurity experts have highlighted not only the breach itself but also FIIG’s failure to implement reasonable measures to mitigate cybersecurity risks. Annie Haggar, Partner and Head of Cybersecurity at Norton Rose Fulbright Australia, emphasized key factors that ASIC considers when evaluating a company’s cybersecurity framework, including the nature of the business, the type of information stored, and foreseeable cyber threats.

ASIC has consistently emphasized the importance of strong cybersecurity practices for financial service providers, urging organizations to prioritize cybersecurity and enhance their resilience against cyber threats. The regulator has made cybersecurity a focal point in its enforcement priorities, aiming to hold companies accountable for lapses in meeting their obligations under the Corporations Act, with potential regulatory consequences, financial penalties, and reputational harm for non-compliant entities.

Overall, ASIC’s legal action against FIIG Securities underscores the increasing regulatory emphasis on cybersecurity compliance in the financial sector. Financial institutions are urged to adopt a proactive approach to cybersecurity by implementing robust protections, regularly updating security measures, and ensuring staff is well-trained in cyber risk management. Safeguarding customer information and maintaining trust in the digital financial ecosystem should be a continuous priority for businesses handling sensitive financial data.
