ASIC launches second cyber security enforcement action



ASIC is suing FIIG Securities for alleged failures in its cyber security measures, describing the matter as a “wake-up call” to all licensees.
The corporate regulator stated that FIIG Securities Limited (FIIG) allegedly failed to have adequate cyber security measures for over four years, according to documents filed by ASIC in the Federal Court.
FIIG Securities, established in 1998, provides retail and wholesale investors with access to fixed income investments and bond financing. It has approximately $4.5 billion in funds under advice.
The cyber security failures led to the theft of approximately 385GB of confidential data, ASIC alleged, with some 18,000 clients notified that their personal information might have been compromised.
ASIC alleged FIIG failed to take the appropriate steps from March 2019 to 8 June 2023 to ensure it had adequate cyber risk management systems in place, which is required of an Australian Financial Services Licensee (AFSL).
“FIIG’s cyber security failures enabled a hacker to enter its IT network and go undetected from 19 May 2023 until 8 June 2023, resulting in the theft of personal information and subsequent release of client data on the dark web,” the statement continued.
“The stolen data included highly sensitive customer information, including names, addresses, birth dates, driver’s licences, passports, bank accounts and tax file numbers.”
The regulator stated that FIIG advised ASIC it was contacted by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) about a potential cyber security incident on 2 June 2023. FIIG was not aware of the incident before this contact, ASIC said.
“FIIG did not investigate and respond to the incident until 8 June 2023, almost a week after it had been notified of potential malicious activity by the ASD’s ACSC.”
ASIC chair Joe Longo said the matter should serve as a “wake-up call” to all licensees regarding the dangers of neglecting their cyber security systems.
“Cyber security isn’t a set and forget matter. All companies need to proactively and regularly check the adequacy of their cyber security measures and follow the advice of the ASD’s ACSC,” he commented.
“Advancing digital safety and resilience is a strategic priority for ASIC, and we have been actively engaging with companies to support the continuous improvement of cyber and operational resilience practices.
“Australian financial services licensees are required by law to have adequate cyber security risk management systems in place. We allege FIIG’s inadequate cyber security measures left the business and its confidential client information vulnerable and exposed to significant risk.”
As a result, ASIC is seeking declarations of contraventions, civil penalties and compliance orders.
The announcement marks the regulator’s second cyber security enforcement action, with the first being launched against RI Advice in 2022.
In May 2022, the Federal Court ruled that AFSL holder RI Advice had breached its licence obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cyber security risks.
ASIC has continued to flag the case of RI Advice as an example of the need for cyber security measures within a financial services firm.