ASIC is suing investment firm FIIG Securities Limited (FIIG), alleging it failed to have adequate cybersecurity measures for more than four years.
The regulator is seeking declarations of contraventions, civil penalties and compliance orders.
This alleged failure enabled the theft of approximately 385GB of confidential data, with some 18,000 clients notified that their personal information may have been compromised, according to ASIC.
Documents filed by ASIC in the Federal Court allege that from March 2019 to 8 June 2023, FIIG – which provides retail and wholesale investors with access to fixed income investments and bond financing – failed to take the steps required of an Australian Financial Services (AFS) licensee to ensure it had adequate cyber risk management systems in place.
This enabled a hacker to enter the company’s IT network and go undetected from 19 May 2023 until 8 June 2023, ASIC’s media statement alleges, resulting in the theft of personal information and subsequent release of client data on the dark web.
According to ASIC, the stolen data included highly sensitive customer information, including names, addresses, birth dates, driver’s licences, passports, bank accounts and tax file numbers.
FIIG advised ASIC that it was contacted by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) about a potential cybersecurity incident on 2 June 2023. FIIG was not aware of the incident before this contact, according to ASIC.
According to ASIC, FIIG did not investigate and respond to the incident until 8 June 2023, almost a week after it had been notified of potential malicious activity by the ASD’s ACSC.
ASIC’s allegations include FIIG’s failure to have appropriately configured and monitored firewalls to protect against cyber attacks; to update and patch software and operating systems to address security vulnerabilities; to provide mandatory training to staff on cyber security awareness; and to have adequate human, technological and financial resources to manage cyber security.
[Update] FIIG provided the following comment to CRN:
"FIIG Securities acknowledges the civil proceedings by ASIC in relation to the cyber incident in May 2023. The proceedings relate to that cyber incident only and there have been no further incidents since May 2023," the company said.
"FIIG wishes to clarify that no client investments or funds were accessed as a result of the cyber incident.
"FIIG is considering the claims made by ASIC and will respond as appropriate. FIIG does not intend to make any further public comments regarding the proceedings at this time."
'Wake-up call', says ASIC
ASIC chair Joe Longo stated that this matter should serve as a wake-up call to all companies on the dangers of neglecting cybersecurity systems.
“Cybersecurity isn’t a set and forget matter,” he stated.
“All companies need to proactively and regularly check the adequacy of their cybersecurity measures and follow the advice of the ASD’s ACSC.
“Advancing digital safety and resilience is a strategic priority for ASIC, and we have been actively engaging with companies to support the continuous improvement of cyber and operational resilience practices.
“Australian financial services licensees are required by law to have adequate cybersecurity risk management systems in place. We allege FIIG’s inadequate cybersecurity measures left the business and its confidential client information vulnerable and exposed to significant risk.”
As an AFS licensee, FIIG plays a role in providing custodial and trading services, maintaining records of client investments, and holding funds and fixed income investments on behalf of its clients.
Licensee failure to have adequate cybersecurity protections is an enforcement priority for ASIC. ASIC expects AFS licensees to prioritise and invest in systems that protect their customers and maintain integrity in the financial system.
AFS and Credit Licensees have obligations under sections 912A(1)(a), (d) and (h) of the Corporations Act 2001 (Cth) to do all things necessary to ensure that financial services are provided efficiently, honestly and fairly, to have available adequate financial, technological and human resources, and to have adequate risk management systems.
In November 2023, in response to the findings of the ASIC cyber pulse survey 2023, ASIC called for greater vigilance from Australian organisations in prioritising their cybersecurity against threats.
This is ASIC’s second cybersecurity enforcement action. In May 2022, the Federal Court ruled that AFS licensee RI Advice had breached its licence obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks.
This story has been updated with comment from FIIG Securities.