ASIC commences action against FIIG Securities for cyber security failures

March 14, 2025


The Australian Securities and Investments Commission announced yesterday that it is suing FIIG Securities for “systemic and prolonged cyber security failures” from March 2019 until 8 June 2023. As a result, a hacker entered FIIG’s IT network and stole personal information that was later released on the dark web. ASIC specifically referred to the Federal Court decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd (No 3) [2022] FCA 84. That was the first case in which a failure to manage cyber risk was found to be a breach of a licensee’s financial services obligations. It was resolved by the parties proposing consent orders containing declarations and consequential orders. Given the repeated nature of the breaches, RI Advice’s legal representatives negotiated quite a favourable outcome, notwithstanding that orders were made against their client. In the United States or the UK the penalties would have been much more severe.

Helpfully, ASIC has provided a concise statement of facts and the Originating Process. From those, ASIC alleges that between 13 March 2019 and 8 June 2023, FIIG did not comply with its AFSL obligations under section 912A(1) of the Corporations Act 2001 (Cth) to:

  1. do all things necessary to ensure that financial services were provided efficiently, honestly and fairly (s 912A(1)(a)), by failing to have in place adequate measures to protect its clients from the risks and consequences of a cyber incident;
  2. have available adequate resources (including financial, technological, and human resources) to, amongst other things, ensure that it had in place adequate cyber security measures required by its licence (s 912A(1)(d)); and
  3. have in place a risk management system that adequately identified and evaluated the risks faced by FIIG and its clients; adopt controls adequate to manage or mitigate those risks to a reasonable level; and implement those controls (s 912A(1)(h)).

ASIC alleges that FIIG failed to have the following cybersecurity measures:

  • Planning and training: there was no cyber incident response plan communicated to and accessible by employees and tested at least annually, and no mandatory cyber security training (at commencement of employment and annually);
  • Access restrictions:
    • there was no proper management of privileged access to accounts, including revoking access that was no longer required and applying greater protections to privileged accounts; and
    • there was no configuration of group policies to disable legacy and insecure authentication protocols;
  • Technical monitoring, detection, patches and updates: there was a failure to have, or there were inadequate,
    • vulnerability scanning, involving tools deployed across networks and endpoints, with scans run at least quarterly, results reviewed and actions taken to address vulnerabilities;
    • next-generation firewalls (including rules preventing endpoints from accessing file transfer protocol services);
    • endpoint detection and response software on all endpoints and servers, with automatic updates and daily monitoring by a sufficiently skilled person;
    • patching and software update plans (with critical or high importance patches applied within 1 month of release, and all others within 3 months), a practice of updating all operating systems, and compensating controls for systems incapable of patching or updates; and
    • security information and event management (SIEM) software configured to collect and consolidate security information across all of FIIG’s systems, with appropriate analysis of that information (daily monitoring);
  • Testing: there was a lack of
    • processes to review and evaluate efficacy of technical controls at least quarterly; and
    • penetration and vulnerability tests from both internal and external points.
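The patch windows in the third group of bullets are concrete enough to check mechanically against a vulnerability-scan export, which is the kind of evidence a licensee would need to show a regulator. The script below is an added example, not code from ASIC, FIIG or the original post. It applies the windows the allegation describes (critical or high within 1 month of release, everything else within 3 months) to each missing or applied patch as of a chosen date, treats a documented compensating control as the exemption the text mentions for systems that cannot be patched, and reports which hosts are out of window. The inventory rows, hostnames and patch identifiers are constructed for the example; the CSV column layout is an assumption about what a scanner export might look like.

```python
"""Patch-window compliance check.

Added example: not code from ASIC, FIIG or the original post. It applies the
patch windows ASIC's allegation describes (critical or high within 1 month of
release, all others within 3 months) to a vulnerability-scan export and reports
what is out of window on a chosen date. The inventory below is constructed;
hostnames, patch identifiers and the column layout are placeholders.
"""
from __future__ import annotations

import calendar
import csv
import io
from dataclasses import dataclass
from datetime import date

# Calendar months allowed between a patch's release and its application.
WINDOW_MONTHS = {"critical": 1, "high": 1, "medium": 3, "low": 3}

# Constructed sample export. An empty `applied` means the patch is still missing;
# `compensating_control` marks a system the text describes as incapable of
# patching, for which a documented mitigation is in place instead.
SAMPLE_INVENTORY = """\
host,patch_id,severity,released,applied,compensating_control
srv-files-01,P-001,critical,2023-03-14,2023-04-10,no
srv-files-01,P-002,high,2023-03-14,,no
ws-trading-07,P-003,medium,2023-01-20,,no
srv-legacy-02,P-004,critical,2023-02-01,,yes
ws-trading-07,P-005,low,2023-05-01,,no
srv-files-01,P-006,high,2023-02-01,2023-04-15,no
srv-mail-03,P-007,critical,2023-01-31,,no
"""


@dataclass(frozen=True)
class Result:
    host: str
    patch_id: str
    severity: str
    due: date
    status: str  # applied_in_window | applied_late | open | overdue | exempt


def add_months(d: date, months: int) -> date:
    """Advance d by whole calendar months, clamping to the last day of the month."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def parse_inventory(text: str) -> list[dict[str, str]]:
    """Read the CSV export into rows; severities are normalised to lower case."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["severity"] = row["severity"].strip().lower()
        if row["severity"] not in WINDOW_MONTHS:
            raise ValueError(f"unknown severity {row['severity']!r} for {row['patch_id']}")
    return rows


def classify(row: dict[str, str], as_of: date) -> Result:
    """Decide one finding's status against the window for its severity."""
    released = date.fromisoformat(row["released"])
    due = add_months(released, WINDOW_MONTHS[row["severity"]])
    applied = date.fromisoformat(row["applied"]) if row["applied"] else None
    exempt = row["compensating_control"].strip().lower() == "yes"

    if applied is not None:
        status = "applied_in_window" if applied <= due else "applied_late"
    elif as_of <= due:
        status = "open"          # missing, but the window has not yet closed
    elif exempt:
        status = "exempt"        # missing and overdue, mitigated instead of patched
    else:
        status = "overdue"       # missing and outside the window: the reportable gap
    return Result(row["host"], row["patch_id"], row["severity"], due, status)


def evaluate(rows: list[dict[str, str]], as_of: date) -> list[Result]:
    return [classify(row, as_of) for row in rows]


def overdue_hosts(results: list[Result]) -> list[str]:
    """Hosts carrying at least one overdue patch, for follow-up."""
    return sorted({r.host for r in results if r.status == "overdue"})


def summary(results: list[Result]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for r in results:
        counts[r.status] = counts.get(r.status, 0) + 1
    return counts


def run_sample(as_of_iso: str = "2023-05-19") -> list[Result]:
    """Evaluate the constructed inventory as of an ISO date (default: 19 May 2023,
    the day the media release says the intrusion began)."""
    return evaluate(parse_inventory(SAMPLE_INVENTORY), date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    results = run_sample()
    for r in results:
        print(f"{r.host:15} {r.patch_id} {r.severity:8} due {r.due} -> {r.status}")
    print("overdue hosts:", overdue_hosts(results))
    print("summary:", summary(results))
```

The month arithmetic clamps to month end (31 January plus one month is 28 February), and a patch applied after its due date is reported as `applied_late` rather than compliant, because the question a regulator asks is whether the window was met at the time, not whether the patch eventually landed.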

ASIC also alleges that FIIG failed to implement parts of the risk management system set out in its own policies (such as ensuring that accounts with operating system administrative privileges are not used for day-to-day activities, and conducting regular perimeter testing).

The ASIC media release provides:

FIIG Securities Limited (FIIG) allegedly failed to have adequate cybersecurity measures for more than four years, according to documents filed by ASIC in the Federal Court. This enabled the theft of approximately 385GB of confidential data, with some 18,000 clients notified that their personal information may have been compromised.

ASIC alleges from March 2019 to 8 June 2023, FIIG failed to take the appropriate steps, as is required by an Australian Financial Services (AFS) licensee, to ensure it had adequate cyber risk management systems in place.

FIIG’s cybersecurity failures enabled a hacker to enter its IT network and go undetected from 19 May 2023 until 8 June 2023, resulting in the theft of personal information and subsequent release of client data on the dark web.

The stolen data included highly sensitive customer information, including names, addresses, birth dates, driver’s licences, passports, bank accounts and tax file numbers.

FIIG advised ASIC that it was contacted by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) about a potential cybersecurity incident on 2 June 2023. FIIG was not aware the incident occurred before this contact.

FIIG did not investigate and respond to the incident until 8 June 2023, almost a week after it had been notified of potential malicious activity by the ASD’s ACSC.

ASIC Chair Joe Longo said, ‘This matter should serve as a wake-up call to all companies on the dangers of neglecting your cybersecurity systems.

‘Cybersecurity isn’t a set and forget matter. All companies need to proactively and regularly check the adequacy of their cybersecurity measures and follow the advice of the ASD’s ACSC.

‘Advancing digital safety and resilience is a strategic priority for ASIC, and we have been actively engaging with companies to support the continuous improvement of cyber and operational resilience practices.

‘Australian financial services licensees are required by law to have adequate cybersecurity risk management systems in place. We allege FIIG’s inadequate cybersecurity measures left the business and its confidential client information vulnerable and exposed to significant risk.’

ASIC’s allegations include FIIG’s failure to:

    • have appropriately configured and monitored firewalls to protect against cyber attacks
    • update and patch software and operating systems to address security vulnerabilities
    • provide mandatory training to staff on cyber security awareness, and
    • have adequate human, technological and financial resources to manage cyber security.

ASIC is seeking declarations of contraventions, civil penalties and compliance orders.

Licensee failures to have adequate cybersecurity protections are an enforcement priority for ASIC. This is ASIC’s second cybersecurity enforcement action. In May 2022, the Federal Court ruled AFS licensee, RI Advice, had breached its licence obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks (22-104MR).


Background

FIIG provides retail and wholesale investors with access to fixed income investments and bond financing. As an AFS licensee, FIIG plays an important role in providing custodial and trading services, maintaining records of client investments, and holding funds and fixed income investments on behalf of its clients.

ASIC expects AFS licensees to prioritise and invest in systems that protect their customers and maintain integrity in the financial system.

AFS and Credit Licensees have obligations under sections 912A(1)(a), (d) and (h) of the Corporations Act 2001 (Cth) to do all things necessary to ensure that financial services are provided efficiently, honestly and fairly, to have available adequate financial, technological and human resources, and to have adequate risk management systems.

In November 2023, in response to the findings of the ASIC cyber pulse survey 2023 (REP 776), ASIC called for greater vigilance from Australian organisations to prioritise their cybersecurity from threats (23-300MR).
