
The Australian Securities and Investments Commission (ASIC) has initiated legal proceedings against leading financial services company FIIG Securities Limited (FIIG), alleging prolonged and systemic cybersecurity deficiencies that resulted in a significant data breach.
The lawsuit, filed in the Federal Court of Australia, accused FIIG of failing to implement adequate cybersecurity measures for over four years, ultimately exposing sensitive client data to cybercriminals.
ASIC contended that between March 2019 and June 8, 2023, FIIG did not establish sufficient safeguards against cyber threats, leaving its IT infrastructure vulnerable. The security lapse culminated in a breach on May 19, 2023, when a hacker infiltrated FIIG’s systems and remained undetected for nearly three weeks. The breach led to the theft of approximately 385GB of confidential data, impacting around 18,000 clients. Stolen information included names, addresses, birth dates, driver’s licenses, passports, bank account details, and tax file numbers.
The regulator’s investigation revealed that FIIG became aware of the intrusion only after being notified by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) on June 2, 2023. Despite this warning, FIIG reportedly delayed launching an investigation until June 8, 2023, further exacerbating concerns over its cybersecurity preparedness.
ASIC Chair Joe Longo underscored the critical need for organizations to prioritize cybersecurity, stating, “This matter should serve as a wake-up call to all companies on the dangers of neglecting cybersecurity systems.” He emphasized that cybersecurity requires continuous vigilance and proactive risk management, particularly for financial service providers entrusted with sensitive client data.
The lawsuit against FIIG highlights several cybersecurity lapses, including the failure to maintain properly configured firewalls, regularly update software and operating systems, conduct mandatory staff cybersecurity training, and allocate sufficient resources to cybersecurity risk management. As an Australian Financial Services (AFS) licensee, FIIG is legally obligated under the Corporations Act 2001 (Cth) to have adequate risk management systems in place. ASIC is seeking declarations of contraventions, civil penalties, and compliance orders against the company.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd.