ASIC launches second cyber security enforcement action
ASIC is suing FIIG Securities for alleged failures in its cyber security measures, describing the matter as a “wake-up call” to all licensees.
The corporate regulator stated that FIIG Securities Limited (FIIG) allegedly failed to have adequate cyber security measures for over four years, according to documents filed by ASIC in the Federal Court.
FIIG Securities, established in 1998, provides retail and wholesale investors with access to fixed income investments and bond financing. It has approximately $4.5 billion in funds under advice.
This failure led to the theft of approximately 385GB of confidential data, ASIC alleged, with some 18,000 clients notified that their personal information might have been compromised.
ASIC alleged FIIG failed to take the appropriate steps from March 2019 to 8 June 2023 to ensure it had adequate cyber risk management systems in place, which is required by an Australian Financial Services Licensee (AFSL).
“FIIG’s cyber security failures enabled a hacker to enter its IT network and go undetected from 19 May 2023 until 8 June 2023, resulting in the theft of personal information and subsequent release of client data on the dark web,” the statement continued.
“The stolen data included highly sensitive customer information, including names, addresses, birth dates, driver’s licences, passports, bank accounts and tax file numbers.”
The regulator stated that FIIG advised ASIC it was contacted by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) about a potential cyber security incident on 2 June 2023. FIIG was not aware the incident occurred before this contact, ASIC said.
“FIIG did not investigate and respond to the incident until 8 June 2023, almost a week after it had been notified of potential malicious activity by the ASD’s ACSC.”
ASIC chair Joe Longo said the matter should serve as a “wake-up call” to all licensees regarding the dangers of neglecting their cyber security systems.
“Cyber security isn’t a set and forget matter. All companies need to proactively and regularly check the adequacy of their cyber security measures and follow the advice of the ASD’S ACSC,” he commented.
“Advancing digital safety and resilience is a strategic priority for ASIC, and we have been actively engaging with companies to support the continuous improvement of cyber and operational resilience practices.
“Australian financial services licensees are required by law to have adequate cyber security risk management systems in place. We allege FIIG’s inadequate cyber security measures left the business and its confidential client information vulnerable and exposed to significant risk.”
As a result, ASIC is seeking declarations of contraventions, civil penalties and compliance orders.
The announcement marks the regulator’s second cyber security enforcement action, with the first being launched against RI Advice in 2022.
In May 2022, the Federal Court ruled AFSL, RI Advice, had breached its licence obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cyber security risks.
ASIC has continued to flag the case of RI Advice as an example of the need for cyber security measures within a financial services firm.
AUTHOR
Jasmine Siljic
Recommended for you
Sydney-based alternative fund manager East Coast Capital Management has formed its first advisory council as it enters its next phase of growth.
With 40 per cent of advice practices looking to increase their ETF usage, the next frontier being embraced is smart beta ETFs with flows doubling in July, providers have said.
Australian ETFs saw flows of $5.8 billion in July, more than double the previous month, and adviser adoption is tipped to help total flows reach $50 billion by the end of the year.
Pinnacle’s London affiliate, Life Cycle Investment Partners, has secured over $15 billion in FUM in its first year and achieved profitability, the firm’s fastest affiliate to do so.
