FIIG Securities, a major Australian financial services provider, is currently facing legal action from the Australian Securities and Investments Commission (ASIC) for failing to implement adequate cybersecurity measures. ASIC’s lawsuit, filed in the Federal Court of Australia, focuses on systemic and prolonged failures in FIIG’s cybersecurity framework that stretched over four years, from March 2019 to June 2023. During this period, the company allegedly neglected to put in place sufficient protections, which led to a significant data breach. The breach, which occurred in May 2023, saw a hacker gain access to FIIG’s network and steal approximately 385GB of highly sensitive client data. The breach was not discovered until June 2023, when the Australian Cyber Security Centre (ACSC) contacted FIIG with the alarming news.
The stolen data involved critical personal information, including names, addresses, birth dates, driver’s licenses, passports, bank account details, and tax file numbers. This breach affected around 18,000 of FIIG’s clients, who were exposed to significant privacy risks. FIIG began to investigate the breach only after the ACSC notified it on June 2, 2023, and even then it waited six more days before launching an internal investigation. ASIC has criticized this delay and has pointed out that the company failed to take adequate steps to mitigate the risks associated with such a breach, showing a lack of readiness in its cybersecurity defenses.
In the course of its investigation, ASIC found several alarming gaps in FIIG’s cybersecurity strategy. The company allegedly failed to implement key security measures, such as up-to-date firewalls, regular patching of software and operating systems, and mandatory cybersecurity training for employees. Furthermore, the company did not allocate sufficient resources—financial, technological, or human—to cybersecurity risk management. ASIC’s Chair, Joe Longo, stressed that cybersecurity is a matter that requires constant attention and improvement, and that neglecting it could result in severe consequences. This case is not the first of its kind: ASIC has previously taken action against another financial services provider, RI Advice, for similar failures in managing cybersecurity risks.
The breach has prompted wider discussions on the importance of cybersecurity within the financial sector. As an Australian Financial Services (AFS) licensee, FIIG is legally required under the Corporations Act 2001 to maintain adequate risk management systems. This failure to comply with regulations has significant legal and regulatory implications, as ASIC is now seeking civil penalties, declarations of contravention, and compliance orders against the company. Financial services providers, especially those handling sensitive personal and financial data, are now under increasing scrutiny by regulators to ensure they are protecting their clients’ information effectively. The breach has raised alarms about how financial institutions manage their cybersecurity infrastructure and how they respond to threats.
Cybersecurity experts have pointed out that the broader issue lies not in the breach itself but in FIIG’s failure to implement reasonable measures to mitigate cybersecurity risks. Among the critical cybersecurity practices allegedly neglected were developing an incident response plan, implementing multi-factor authentication, performing vulnerability scanning, and maintaining effective privileged access management controls.
In particular, experts emphasized the importance of training employees to recognize potential threats and ensuring that security measures such as firewalls and monitoring systems are continuously updated and improved. The breach also highlights the rising importance of a strong cybersecurity framework for financial institutions, with ASIC’s emphasis on enforcing regulatory compliance within the industry. The case serves as a cautionary tale, urging all companies—especially those in the financial sector—to reassess their cybersecurity posture to prevent similar breaches and avoid the legal and financial consequences of non-compliance.