The Australian Securities & Investments Commission (ASIC) has commenced Federal Court proceedings against FIIG Securities Limited (FIIG), alleging systemic and prolonged failures to maintain adequate cybersecurity and cyber risk management systems required of an Australian Financial Services (AFS) licensee. ASIC claims the deficiencies enabled a hacker to access FIIG’s network in May–June 2023 and steal approximately 385GB of confidential data, with around 18,000 clients notified that their personal information may have been compromised. According to ASIC’s case, FIIG failed from March 2019 to 8 June 2023 to properly configure and monitor firewalls, update and patch software and operating systems, provide mandatory cyber security awareness training, and maintain adequate human, technological and financial resources to manage cybersecurity. The intrusion allegedly went undetected from 19 May 2023 until 8 June 2023: the Australian Signals Directorate’s Australian Cyber Security Centre contacted FIIG about a potential incident on 2 June 2023, but FIIG did not investigate and respond until 8 June. The stolen information included identification and financial details and was subsequently released on the dark web. ASIC is seeking declarations of contraventions, civil penalties and compliance orders, and noted this is its second cybersecurity enforcement action.