ASIC sues FIIG Securities over cybersecurity failures

The Australian Securities and Investments Commission has announced it is suing FIIG Securities over alleged cybersecurity failures.

The regulator has announced that it has taken action in the Federal Court alleging that FIIG failed to have adequate cybersecurity measures for more than four years – something which allowed the theft of approximately 385 gigabites of confidential data with some 18,000 clients affected.

ASIC said it alleging that from March 2019 to 8 June 2023, FIIG failed to take the appropriate steps, as is required by an Australian Financial Services (AFS) licensee, to ensure it had adequate cyber risk management systems in place.

FIIG’s cybersecurity failures enabled a hacker to enter its IT network and go undetected from 19 May 2023 until 8 June 2023, resulting in the theft of personal information and subsequent release of client data on the dark web.

The stolen data included highly sensitive customer information, including names, addresses, birth dates, driver’s licences, passports, bank accounts and tax file numbers.

FIIG advised ASIC that it was contacted by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) about a potential cybersecurity incident on 2 June 2023. FIIG was not aware the incident occurred before this contact.

FIIG did not investigate and respond to the incident until 8 June 2023, almost a week after it had been notified of potential malicious activity by the ASD’s ACSC.

ASIC Chair Joe Longo said, ‘This matter should serve as a wake-up call to all companies on the dangers of neglecting your cybersecurity systems.