Introduction
ASIC has sued FIIG Securities Limited (“FIIG”) for alleged systemic and prolonged failures to have in place adequate cybersecurity risk management systems.
Overview
FIIG is an Australian Financial Services (“AFS”) Licensee providing retail and wholesale investors with access to fixed income investing. As part of their operations ASIC alleges that FIIG maintained records of client information and investment records and held client assets and funds on their behalf, making them a ‘real risk’ of cyber intrusion. Despite this, ASIC alleges that between March 2019 to 8 June 2023, FIIG failed to take appropriate steps to ensure the adequacy of its cybersecurity systems.
ASIC’s allegations
ASIC’s allegations include FIIG’s failure to:
configure and monitor firewalls;
patch software and operating systems to address cyber security vulnerabilities;
adequately train staff on cyber security awareness; and
adequately manage cyber security using human, technological and financial resources.
ASIC alleges that FIIG’s failures resulted in hackers entering its IT network undetected between 19 May 2023 and 8 June 2023, enabling the theft of personal client information and its subsequent release on the dark web. This resulted in the compromise of the personal information of 18,000 clients and the theft of 385 gigabytes of confidential data. Further, once notified of the potential cybersecurity threat, on 2 June 2023, FIIG failed to immediately investigate and respond to the incident until 8 June 2023.
ASIC is seeking declarations of contraventions, civil penalties and compliance orders.
Takeaway – ASIC’s Cyber Security Enforcement Priority
Ensuring the adequacy of cyber risk management systems has been a key enforcement priority for ASIC with this action marking ASIC’s second cybersecurity enforcement action demonstrating ASICs expectation that AFS licensees prioritise and invest in cybersecurity systems as well as human, technological and financial services to manage those systems. ASIC Chair Joe Longo cited this matter as a ‘wake-up call’ to AFS Licensees regarding the dangers of simply ‘setting and forgetting’ cybersecurity systems. He went on to further reinforce the proactivity and regularity with which licensees must ensure the operational effectiveness of their cybersecurity risk management systems.
Takeaway – Recommended Cybersecurity Measures
In their notice of filing, ASIC provided a more proscriptive set of cyber security measures, providing examples of best practices regarding cybersecurity systems. These recommended measures include:
a cyber incident response plan;
management of privileged access to accounts;
vulnerability scanning;
“next-generation firewalls”;
configuration of group policies;
Endpoint Detection and Response (EDR) Software;
regular patching and software updates;
daily monitoring of SIEM Software;
mandatory security awareness training delivered to all employees; and
implementing a quarterly process of review to evaluate the effectiveness of existing technical cybersecurity controls.
A more detailed description of these measures can be found in ASIC’s concise statement.
Please contact our financial services team at compliance@cowellclarke.com.au if you would like to discuss licensee obligations further.
Emma Johnson wishes to thank Pat O'Kane for his contribution to this insight.
This publication has been prepared for general guidance on matters of interest only and does not constitute professional legal advice. You should not act upon the information contained in this publication without obtaining specific professional legal advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication and to the extent permitted by law, Cowell Clarke does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting or refraining to act in relation on the information contained in this publication or for any decision based on it.