FIIG Securities Limited (FIIG) allegedly failed to have adequate cybersecurity measures in place for more than four years, according to documents filed by ASIC in the Federal Court. This enabled the theft of approximately 385GB of confidential data, with some 18,000 clients notified that their personal information may have been compromised.
ASIC alleges that from March 2019 to 8 June 2023, FIIG failed to take the steps required of an Australian Financial Services (AFS) licensee to ensure it had adequate cyber risk management systems in place.
FIIG's cybersecurity failures enabled a hacker to enter its IT network and remain undetected from 19 May 2023 until 8 June 2023, resulting in the theft of personal information and the subsequent release of client data on the dark web.
The stolen data included highly sensitive customer information, including names, addresses, birth dates, driver's licences, passports, bank account details and tax file numbers.
FIIG advised ASIC that it was contacted by the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) about a potential cybersecurity incident on 2 June 2023. FIIG was not aware of the incident before this contact.
FIIG did not investigate and respond to the incident until 8 June 2023, almost a week after it had been notified of the potential malicious activity by the ASD's ACSC.
ASIC Chair Joe Longo said, 'This matter should serve as a wake-up call to all companies on the dangers of neglecting your cybersecurity systems.
'Cybersecurity isn't a set and forget matter. All companies need to proactively and regularly check the adequacy of their cybersecurity measures and follow the advice of the ASD's ACSC.
'Advancing digital safety and resilience is a strategic priority for ASIC, and we have been actively engaging with companies to support the continuous improvement of cyber and operational resilience practices.
'Australian financial services licensees are required by law to have adequate cybersecurity risk management systems in place. We allege FIIG's inadequate cybersecurity measures left the business and its confidential client information vulnerable and exposed to significant risk.'
ASIC's allegations include FIIG's failure to:
- have appropriately configured and monitored firewalls to protect against cyber attacks
- update and patch software and operating systems to address security vulnerabilities
- provide mandatory training to staff on cybersecurity awareness, and
- have adequate human, technological and financial resources to manage cybersecurity.
ASIC is seeking declarations of contraventions, civil penalties and compliance orders.
Licensees' failure to have adequate cybersecurity protections is an enforcement priority for ASIC. This is ASIC's second cybersecurity enforcement action. In May 2022, the Federal Court ruled that AFS licensee RI Advice had breached its licence obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks (22-104MR).
Background
FIIG provides retail and wholesale investors with access to fixed income investments and bond financing. As an AFS licensee, FIIG plays an important role in providing custodial and trading services, maintaining records of client investments, and holding funds and fixed income investments on behalf of its clients.
ASIC expects AFS licensees to prioritise and invest in systems that protect their customers and maintain integrity in the financial system.
AFS and Credit Licensees have obligations under sections 912A(1)(a), (d) and (h) of the Corporations Act 2001 (Cth) to do all things necessary to ensure that financial services are provided efficiently, honestly and fairly, to have available adequate financial, technological and human resources, and to have adequate risk management systems.
In November 2023, in response to the findings of the ASIC cyber pulse survey 2023 (REP 776), ASIC called on Australian organisations to be more vigilant and to prioritise protecting themselves from cyber threats (23-300MR).
ASIC's regulatory resources include further information about cybersecurity and cyber resilience: