ASIC slaps FIIG Securities with lawsuit

BY JAMIE WILLIAMSON | THURSDAY, 13 MAR 2025 11:20AM

FIIG Securities will face court over allegations of longstanding cybersecurity failures which saw the private data of more than 18,000 clients stolen and released on the dark web.

According to ASIC, FIIG failed to have adequate cyber risk management systems in place for a period of four years - from March 2019 to June 2023.

Due to this failure, ASIC alleges, a hacker was able to infiltrate FIIG's systems for about three weeks, stealing highly sensitive client information such as names, addresses, birth dates, driver's licences, passports, bank accounts, and tax file numbers. The data was then released on the dark web.

The breach occurred after a FIIG employee downloaded a .zip file containing malware while browsing the internet.

Not only did the incident - which took place from 19 May 2023 to 8 June 2023 - go undetected by FIIG, but the fund manager also waited a week to act on the issue after having been notified of the hack by the Australian Signals Directorate's Australian Cyber Security Centre (ASD ACSC) on 2 June 2023, ASIC said.

Prior to this contact, FIIG was unaware of the breach, despite having also received numerous firewall email alerts flagging suspicious activity, the regulator said.

In total, about 385GB of confidential data was stolen and some 18,000 clients were impacted.

ASIC said FIIG did not provision adequate human or financial resources to ensure its cybersecurity measures were up to scratch. It relied on the chief operating officer and the general IT infrastructure team to take care of cybersecurity, but they all had a wide range of other responsibilities and did not have the bandwidth to ensure adequacy, ASIC said.
Among other things, ASIC also alleges FIIG failed to have appropriately configured and monitored firewalls in place; failed to update and patch software and operating systems; and failed to provide mandatory training to staff on cybersecurity awareness.

ASIC chair Joe Longo said the matter should serve as a wake-up call to all companies.

"Cybersecurity isn't a set and forget matter. All companies need to proactively and regularly check the adequacy of their cybersecurity measures and follow the advice of the ASD's ACSC," he said.

"Advancing digital safety and resilience is a strategic priority for ASIC, and we have been actively engaging with companies to support the continuous improvement of cyber and operational resilience practices.

"We allege FIIG's inadequate cybersecurity measures left the business and its confidential client information vulnerable and exposed to significant risk."