ASIC's Second Cyber Crackdown: FIIG Securities in Crosshairs After Client Data Appears on Dark Web

The Australian Securities and Investments Commission (ASIC) has launched legal proceedings against investment firm FIIG Securities Limited over what it describes as "systemic and prolonged cybersecurity failures" that led to a significant data breach affecting thousands of clients.

According to documents filed in the Federal Court by ASIC, FIIG Securities allegedly failed to implement adequate cybersecurity measures for more than four years, from March 2019 to June 2023.

ASIC says these alleged failures enabled attackers to infiltrate the company's IT network and remain undetected for nearly three weeks, resulting in the theft of approximately 385GB of confidential data.

The breach, which went undetected until Australian intelligence agencies alerted the company, potentially compromised sensitive information belonging to some 18,000 clients.

The stolen data included names, addresses, dates of birth, driver's licence and passport details, bank account details, and tax file numbers.

Delayed Response Criticized

ASIC Chair Joe Longo sharply criticized the company's handling of the incident, noting that FIIG did not begin investigating until almost a week after being notified of suspicious activity by the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC).

"This matter should serve as a wake-up call to all companies on the dangers of neglecting your cybersecurity systems," Longo said.

"Cybersecurity isn't a set and forget matter. All companies need to proactively and regularly check the adequacy of their cybersecurity measures."

The regulator's allegations against FIIG Securities include failure to:

  • Properly configure and monitor firewalls
  • Update and patch software and operating systems
  • Provide mandatory cybersecurity awareness training to staff
  • Allocate adequate human, technological, and financial resources to manage cybersecurity

ASIC is seeking declarations of contraventions, civil penalties, and compliance orders against the firm, which provides retail and wholesale investors with access to fixed income investments and bond financing.

The intrusion chain is set out in ASIC's court filing: "… on 19 May 2023, the risk of a cyber intrusion materialised. A FIIG employee inadvertently downloaded a .zip file containing malware whilst browsing the Internet. The malware allowed a threat actor to remotely access FIIG's network and perform network based lateral movement and privilege escalation.

“On or about 23 May 2023, the threat actor obtained access to a privileged user account on FIIG’s network and began downloading FIIG’s data. Between about 23 and 30 May 2023, the threat actor downloaded approximately 385GB of data, including Personal Client Information, to an external server.”
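The filing's timeline is the practitioner's takeaway: one internal host pushed roughly 385GB to one external server over about a week, and nothing on the network raised an alarm. As an added illustration (not code from the article, from ASIC's filing or from FIIG), the following Python scans firewall-style egress records for sustained bulk transfers from an internal host to a single external destination using a sliding 24-hour window. The log format, the internal address ranges, the 1 GiB threshold and every sample line are constructed assumptions.

```python
"""Flag sustained bulk outbound transfers to a single external host.

Added illustration: the log format, thresholds, address ranges and every
sample line below are constructed, not taken from FIIG, ASIC or the article.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed: the organisation's own address space. Anything else is "external".
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Assumed detection policy: more than 1 GiB to one external host within any 24-hour window.
WINDOW = timedelta(hours=24)
THRESHOLD_BYTES = 1024 ** 3

# Constructed sample egress records: "<UTC timestamp> <src> <dst> <bytes_out>".
# 10.20.5.7 mimics the pattern in the filing (one host, one server, multi-GB);
# 10.20.3.9 shows sub-threshold transfers that only cross the line when summed
# over the window; the 10.20.5.7 -> 10.20.0.5 line is internal and must be ignored.
SAMPLE_LOG = """\
2023-05-22T09:14:03Z 10.20.1.15 52.96.0.10 120000
2023-05-22T09:40:11Z 10.20.1.15 52.96.0.10 95000
2023-05-23T21:30:00Z 10.20.5.7 10.20.0.5 7000000000
2023-05-23T22:01:45Z 10.20.5.7 198.51.100.23 4200000000
2023-05-24T01:17:02Z 10.20.5.7 198.51.100.23 5100000000
2023-05-24T03:44:19Z 10.20.5.7 198.51.100.23 6300000000
2023-05-24T11:09:33Z 10.20.1.15 52.96.0.10 80000
2023-05-25T08:00:00Z 10.20.3.9 93.184.216.34 419430400
2023-05-25T14:00:00Z 10.20.3.9 93.184.216.34 419430400
2023-05-25T20:00:00Z 10.20.3.9 93.184.216.34 419430400
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    bytes_out: int


@dataclass(frozen=True)
class Alert:
    ts: datetime          # time of the record that pushed the window over threshold
    src: str
    dst: str
    total_bytes: int      # bytes from src to dst within the trailing window


def parse_line(line: str) -> Flow:
    """Parse one constructed record; timestamps are UTC with a trailing 'Z'."""
    ts, src, dst, nbytes = line.split()
    return Flow(datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, int(nbytes))


def is_external(ip: str) -> bool:
    """External means outside the assumed internal prefixes (not a routability check)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_bulk_egress(lines, window=WINDOW, threshold=THRESHOLD_BYTES) -> list[Alert]:
    """Return one Alert per (src, dst) pair each time its trailing-window total crosses threshold."""
    flows = sorted((parse_line(l) for l in lines if l.strip()), key=lambda f: f.ts)
    windows: dict[tuple[str, str], deque[Flow]] = defaultdict(deque)
    totals: dict[tuple[str, str], int] = defaultdict(int)
    over: set[tuple[str, str]] = set()   # pairs currently above threshold (suppresses repeats)
    alerts: list[Alert] = []
    for f in flows:
        if is_external(f.src) or not is_external(f.dst):
            continue                      # only internal -> external traffic is of interest
        key = (f.src, f.dst)
        q = windows[key]
        q.append(f)
        totals[key] += f.bytes_out
        while q and f.ts - q[0].ts > window:   # drop records older than the window
            totals[key] -= q.popleft().bytes_out
        if totals[key] > threshold:
            if key not in over:
                over.add(key)
                alerts.append(Alert(f.ts, f.src, f.dst, totals[key]))
        else:
            over.discard(key)             # re-arm once the pair falls back below threshold
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_egress(SAMPLE_LOG.splitlines()):
        print(f"{a.ts.isoformat()} {a.src} -> {a.dst}: "
              f"{a.total_bytes / 1024 ** 3:.2f} GiB within {WINDOW}")
```

On the constructed data this fires twice: once for the host pushing multi-gigabyte chunks to one server, and once for the host whose individual transfers each stay under 1 GiB but sum past it within 24 hours. A per-pair threshold like this is deliberately narrow; a real deployment would also aggregate per source host (to catch exfiltration spread over many destinations), baseline against each host's normal egress rather than a fixed number, and feed from firewall, proxy or NetFlow exports rather than a text file.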

The case against FIIG Securities comes amid a surge in cybersecurity incidents worldwide. According to IBM's 2024 Cost of a Data Breach report, the global average cost of a data breach reached US$4.88 million in 2024, up about 10% from 2023. Financial services remain one of the most targeted sectors, with attackers increasingly focused on stealing personally identifiable information that can be monetised on dark web marketplaces.

Second ASIC Cybersecurity Action

This case marks ASIC's second cybersecurity enforcement action. In May 2022, the Federal Court ruled that financial services licensee RI Advice had breached its obligations by failing to have adequate risk management systems for cybersecurity risks.

ASIC's action underscores the regulator's focus on cybersecurity as an enforcement priority, particularly for financial services licensees who handle sensitive client information.

"Australian financial services licensees are required by law to have adequate cybersecurity risk management systems in place," Longo emphasized.

"We allege FIIG's inadequate cybersecurity measures left the business and its confidential client information vulnerable and exposed to significant risk."