ASIC Sues This Company Over Alleged Four-Year Cybersecurity Failures Involving 385GB of Data

Australia’s corporate watchdog has launched federal court proceedings against fixed income
specialist FIIG Securities Limited for allegedly maintaining inadequate
cybersecurity systems over a four-year period, resulting in a massive data
breach that compromised sensitive information of approximately 18,000 clients.

FIIG Securities Faces Federal Court Action After 385GB Data Breach

The Australian Securities and Investments Commission (ASIC) alleges that FIIG’s
cybersecurity failures, which persisted from March 2019 to June 2023, enabled
hackers to infiltrate the firm’s IT network and operate undetected for nearly
three weeks before the breach was discovered.

According to court documents, the breach resulted in the theft of approximately 385GB of
confidential data, including highly sensitive client information such as names,
addresses, birth dates, driver’s licenses, passports, bank account details, and
tax file numbers. Some of this information was subsequently released on the
dark web.

Joe Longo, the Chairman of ASIC

“This matter should serve as a wake-up call to all companies on the dangers of
neglecting your cybersecurity systems,” said ASIC Chair Joe Longo.
“Cybersecurity isn’t a set and forget matter. All companies need to
proactively and regularly check the adequacy of their cybersecurity
measures.”

Delayed Breach Response Under Scrutiny

The regulator claims FIIG failed to respond promptly when initially notified of
potential malicious activity. The company was reportedly contacted by the
Australian Signals Directorate’s Australian Cyber Security Centre on June 2,
2023, but did not investigate and respond to the incident until June 8, almost
a week later.

ASIC’s allegations detail multiple cybersecurity failures by FIIG, including
improperly configured firewalls, failure to update and patch software for
security vulnerabilities, lack of mandatory cybersecurity awareness training
for staff, and inadequate resources devoted to cybersecurity management.

“Australian financial services licensees are required by law to have adequate cybersecurity
risk management systems in place,” Longo added. “We allege FIIG’s
inadequate cybersecurity measures left the business and its confidential client
information vulnerable and exposed to significant risk.”

FIIG Securities provides retail and wholesale investors with access to fixed income
investments and bond financing, serving as a custodian for client investments
and maintaining records of those investments. As an Australian Financial
Services (AFS) licensee, the firm has legal obligations to ensure financial
services are provided efficiently, honestly and fairly, and to maintain
adequate risk management systems.

Second Cybersecurity Enforcement

The regulator is seeking declarations of contraventions, civil penalties, and
compliance orders against FIIG. This case marks ASIC’s second cybersecurity
enforcement action, following a 2022 ruling against RI Advice for similar
breaches of license obligations.

Cybersecurity failures have become an enforcement priority for ASIC, which has recently
called for greater vigilance from Australian organizations following findings
from its 2023 cyber pulse survey. The regulator has published various resources to help
companies improve their cyber resilience and risk management practices.

FIIG Securities has not yet issued a public response to the allegations.

This post is originally published on FINANCEMAGNATES.