The recent legal action taken by the Australian Securities and Investments Commission (ASIC) against FIIG Securities Limited (FIIG) in the Federal Court serves as a reminder that organisations that fail to maintain adequate cyber security controls are at risk of regulatory action.
FIIG is an Australian Financial Services Licensee (AFSL) specialising in fixed income financial products and services. FIIG collects and maintains personal and sensitive information about its clients, including names, addresses, dates of birth, copies of passports or Medicare cards, tax file numbers, and bank details. As an AFSL, FIIG is required to have adequate risk management measures in place to comply with its statutory obligations under the Corporations Act 2001 (Cth). ASIC alleges that these cybersecurity failures amount to breaches of those obligations.
ASIC’s Allegations
According to the Concise Statement, ASIC alleges that even though FIIG had in place a risk management system which included an IT Information Security Policy and a Cyber and Information Security Policy, it failed to implement the measures identified in those policies, amounting to contraventions of s 912A(1)(h) of the Act.
ASIC alleges that between 2019 and 2023, FIIG failed to implement and maintain adequate cyber risk management systems, thereby exposing itself and its clients to an increased probability of a cybersecurity incident, including unauthorised data access.
The Incident leading to the breach
FIIG’s alleged failures meant that in May 2023, a FIIG employee was able to accidentally download malware, allowing a threat actor to gain remote access to FIIG’s network. The threat actor was able to steal and download around 385GB of data affecting 18,000 clients, who were subsequently notified by FIIG that their personal information may have been compromised. Some of this data was eventually shared on the dark web.
Beyond the reputational consequences of such a major breach, including significant damage to client trust and business relationships, the costs associated with rectifying and responding to a breach can be substantial. As noted in our September 2024 article, the number of claims stemming from business email compromise is increasing.
The evolving cyber security landscape – What is ‘adequate’?
ASIC alleges that FIIG failed to implement adequate cybersecurity measures, including:
- Maintaining a cyber incident response plan.
- Restricting the use of administrator accounts to essential tasks.
- Regular vulnerability scanning.
- Installation of Endpoint Detection and Response (EDR) software, alongside routine updates.
- Enforcing multi-factor authentication (MFA) for remote users.
- Properly configuring and monitoring a security information and event management (SIEM) system.
- Mandatory security training and testing.
What may be most concerning in this case is that it was the Australian Cyber Security Centre (ACSC) that alerted FIIG to the system compromise. Prior to that notification, FIIG had not identified or responded to the cyber intrusion.
As Bellrock reported last year, ASIC will pursue more enforcement actions against AFSLs in a vein similar to the landmark outcome of the RI Advice case (see our article). In that decision, a Financial Services Licensee failed to implement effective cyber security risk management systems, was found to be in breach of its statutory obligations under the Corporations Act 2001 (Cth), and was ordered to pay ASIC’s costs, fixed at $750,000.
The FIIG action is the first example this calendar year of ASIC acting on its 2025 enforcement priorities to focus on Licensee failures in respect of adequate cyber-security protections.
The case serves as a reminder that organisations that adopt a ‘set and forget’ approach to cyber security risk, without active and ongoing implementation of their risk management policies, will be pursued by ASIC (and potentially third parties) in the event these failures lead to an avoidable breach or incident.
Act, don’t react
The time to address cybersecurity vulnerabilities is before a breach occurs—not after. As business practices continue to evolve, new technologies emerge, and organisations increasingly depend on digital storage for critical information, it’s imperative that security systems and controls evolve in tandem.
The growing reliance on digital platforms and data storage exposes organisations to more sophisticated threats. It is essential that organisations learn to adapt, not only with new tools and technologies, but also by fundamentally changing how they approach cybersecurity. We would recommend developing a more proactive, agile, and comprehensive response plan to stay ahead of potential threats.
As reported in our Cyber Liability Insurance Market Update: January 2025, ASIC will continue to put greater focus on how companies prepare for and respond to cyber-attacks. This action against FIIG Securities should serve as a wake-up call. Organisations that neglect proper cybersecurity measures, particularly when these shortcomings cause harm to customers or clients, should be prepared to face consequences.
Contact a Bellrock Advisor to request a Cyber Risk Assessment or to review your cyber liability coverage.