The Australian Securities and Investments Commission (ASIC) has filed a lawsuit against FIIG Securities, a fixed-income broker, accusing the company of failing to implement adequate cybersecurity measures for over four years.
This alleged negligence allowed a hacker to infiltrate its IT network and steal sensitive data, exposing the personal information of approximately 18,000 clients.
According to reports from Reuters, the breach lasted for several weeks, raising concerns about the company’s ability to safeguard its network and comply with financial cybersecurity regulations.
Allegations of Cybersecurity Negligence
ASIC’s legal action stems from a series of cybersecurity failures that allegedly occurred between March 2019 and June 2023. The regulator claims that during this period, FIIG Securities did not put in place the necessary systems and controls to protect its network from cyberattacks.
These lapses allowed a hacker to infiltrate the company’s IT infrastructure and remain undetected for several weeks. As a result, approximately 385 gigabytes of confidential client data was stolen, some of which was later released on the dark web.
ASIC asserts that FIIG’s failure to implement proper cybersecurity measures violated its obligations as an Australian Financial Services (AFS) licensee.
The regulatory body claims that these deficiencies left both the company and its clients vulnerable to significant risk, including the unauthorized exposure of sensitive information.
Details of the Breach and Compromised Data
The breach reportedly took place over a period from May 19 to June 8, 2023, when a hacker gained access to FIIG’s IT network. According to ASIC, the stolen data included highly sensitive personal details of FIIG clients, such as names, addresses, birth dates, driver’s licenses, passports, bank accounts, and tax file numbers.
The company was made aware of the potential cybersecurity incident on June 2, 2023, by the Australian Cyber Security Centre (ACSC). However, FIIG had not detected the breach prior to this notification. Despite being informed of the possible malicious activity, FIIG did not launch an investigation into the matter until June 8, 2023, nearly a week later.
ASIC claims that this delayed response and the company’s failure to act swiftly to mitigate the damage resulted in the stolen data being shared on the dark web. Some of the compromised client information is believed to have been exposed to external parties, potentially putting affected clients at risk of identity theft and financial fraud.
FIIG’s Cybersecurity Failures and ASIC’s Response
ASIC’s lawsuit outlines several specific cybersecurity failures at FIIG Securities that allegedly contributed to the breach. These failures include the company’s lack of properly configured and monitored firewalls, failure to update and patch software and operating systems, and insufficient training for employees regarding cybersecurity awareness.
The regulator also pointed out that FIIG did not have adequate resources—both human and technological—to defend against cyberattacks effectively.
In response to these findings, ASIC has taken legal action, seeking civil penalties, compliance orders, and declarations of contraventions from the court. The regulator is also requesting the court to require FIIG to improve its cybersecurity measures and comply with Australian financial services regulations.
The Growing Importance of Cybersecurity in Financial Services
ASIC Chair Joe Longo stressed that this legal action is a reminder for all companies of the importance of maintaining strong cybersecurity measures. Longo noted that cybersecurity is not a one-time task but an ongoing process.
He emphasized that companies must proactively monitor and strengthen their cybersecurity practices to prevent data breaches and protect sensitive client information.
This case marks ASIC’s second significant enforcement action in the area of cybersecurity. In 2022, ASIC took action against RI Advice, another financial services firm, for failing to meet its cybersecurity obligations. The regulator has made cybersecurity enforcement a priority and continues to work with financial services firms to improve their cyber resilience.
ASIC expects all financial services licensees in Australia to prioritize cybersecurity and invest in systems that protect both their customers and the broader financial system.
The regulator’s actions against FIIG Securities highlight the growing need for firms to implement robust cybersecurity practices to meet their legal obligations and safeguard against the rising threat of cybercrime.