ASIC Sues This Company Over Alleged Four-Year Cybersecurity Failures Involving 385 GB of Data

Thursday, 13/03/2025 | 07:29 GMT by Damian Chmiel
  • ASIC has filed federal court proceedings against FIIG Securities for alleged cybersecurity failures that led to a massive data breach.
  • The regulator claims FIIG's inadequate security measures enabled hackers to steal sensitive client data that was later exposed on the dark web.

Australia's corporate watchdog has launched federal court proceedings against fixed income specialist FIIG Securities Limited for allegedly maintaining inadequate cybersecurity systems over a four-year period, resulting in a massive data breach that compromised sensitive information of approximately 18,000 clients.

FIIG Securities Faces Federal Court Action After 385 GB Data Breach

The Australian Securities and Investments Commission (ASIC) alleges that FIIG's cybersecurity failures, which persisted from March 2019 to June 2023, enabled hackers to infiltrate the firm's IT network and operate undetected for nearly three weeks before the breach was discovered.

According to court documents, the breach resulted in the theft of approximately 385 GB of confidential data, including highly sensitive client information such as names, addresses, birth dates, driver's licenses, passports, bank account details, and tax file numbers. Some of this information was subsequently released on the dark web.

Joe Longo, the Chairman of ASIC

“This matter should serve as a wake-up call to all companies on the dangers of neglecting your cybersecurity systems,” said ASIC Chair Joe Longo. “Cybersecurity isn't a set and forget matter. All companies need to proactively and regularly check the adequacy of their cybersecurity measures.”

Delayed Breach Response Under Scrutiny

The regulator claims FIIG failed to respond promptly when initially notified of potential malicious activity. The company was reportedly contacted by the Australian Signals Directorate's Australian Cyber Security Centre on June 2, 2023, but did not investigate and respond to the incident until June 8, almost a week later.

ASIC's allegations detail multiple cybersecurity failures by FIIG, including improperly configured firewalls, failure to update and patch software for security vulnerabilities, lack of mandatory cybersecurity awareness training for staff, and inadequate resources devoted to cybersecurity management.

“Australian financial services licensees are required by law to have adequate cybersecurity risk management systems in place,” Longo added. “We allege FIIG's inadequate cybersecurity measures left the business and its confidential client information vulnerable and exposed to significant risk.”

FIIG Securities provides retail and wholesale investors with access to fixed income investments and bond financing, serving as a custodian for client investments and maintaining records of those investments. As an Australian Financial Services (AFS) licensee, the firm has legal obligations to ensure financial services are provided efficiently, honestly and fairly, and to maintain adequate risk management systems.

Second Cybersecurity Enforcement

The regulator is seeking declarations of contraventions, civil penalties, and compliance orders against FIIG. This case marks ASIC's second cybersecurity enforcement action, following a 2022 ruling against RI Advice for similar breaches of license obligations.

Cybersecurity failures have become an enforcement priority for ASIC, which has recently called for greater vigilance from Australian organizations following findings from its 2023 cyber pulse survey. The regulator has published various resources to help companies improve their cyber resilience and risk management practices.

FIIG Securities has not yet issued a public response to the allegations.

About the Author: Damian Chmiel
Damian's adventure with financial markets began at the Cracow University of Economics, where he obtained his MA in finance and accounting. Starting from the retail trader perspective, he collaborated with brokerage houses and financial portals in Poland as an independent editor and content manager. His adventure with Finance Magnates began in 2016, where he is working as a business intelligence analyst.