
The Australian Securities and Investments Commission (ASIC) has initiated legal proceedings against investment firm FIIG Securities for alleged insufficient cybersecurity measures, potentially affecting thousands of clients. The regulatory body claimed that from March 2019 to June 2023, FIIG did not comply with the cybersecurity requirements mandated for an Australian Financial Services (AFS) licensee, leading to a significant data breach.
According to documents filed by ASIC in the Federal Court, FIIG’s cybersecurity shortcomings allowed unauthorised access to its network that went unnoticed from 19 May 2023 to 8 June 2023. During this period, a hacker reportedly extracted around 385GB of sensitive customer data, which was later discovered on the dark web. The stolen data included highly sensitive personal information, such as names, addresses, birth dates, driver’s licences, passports, bank account details, and tax file numbers. Approximately 18,000 clients have been notified about the possible exposure of their personal information.
The incident came to light when the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) notified FIIG of a possible cybersecurity event on 2 June 2023. However, FIIG reportedly did not begin its investigation and response until 8 June, almost a week after the initial warning.
“This matter should serve as a wake-up call to all companies on the dangers of neglecting your cybersecurity systems,” ASIC Chair Joe Longo said. “Cybersecurity isn’t a set-and-forget matter. All companies need to proactively and regularly check the adequacy of their cybersecurity measures and follow the advice of the ASD’s ACSC.”
ASIC outlines FIIG’s cybersecurity failures
ASIC’s legal action focuses on FIIG’s alleged failures in several key areas of cybersecurity, including firewall configuration and monitoring. The regulator also claimed that FIIG neglected to update and patch software, provide staff with cybersecurity awareness training, and allocate adequate resources to manage cybersecurity threats.
The regulator is seeking court declarations of non-compliance, civil penalties, and orders to enforce proper cybersecurity practices.
FIIG, which offers retail and wholesale investors access to fixed-income investments and bond financing, has acknowledged ASIC’s civil proceedings.
“FIIG is considering the claims made by ASIC and will respond as appropriate. FIIG does not intend to make any further public comments regarding the proceedings at this time,” a FIIG spokesperson told Australian cyber sector-focused news platform Cyber Daily.
This is ASIC’s second such enforcement action following a similar case against AFS licensee RI Advice in May 2022.
Last year, the Australian government unveiled new regulatory frameworks for safe use of AI following consultations with the public and industry. The Tech Council of Australia estimated that generative AI could add A$45bn ($28.4bn) to A$115bn ($72.6bn) annually to the economy by 2030.