
ASIC sues FIIG over cyber failures

13/03/2025 - 09:44


Bond market specialist FIIG Securities has been sued by ASIC over alleged cybersecurity failures which enabled the theft of 385GB of data, which was then published on the dark web.


Bond market specialist FIIG Securities has been sued by the Australian Securities and Investments Commission over alleged cybersecurity failures which enabled the theft of 385GB of data, which was then published on the dark web.

ASIC alleges from March 2019 to June 2023, FIIG failed to take appropriate steps to ensure it had adequate cyber risk management systems in place.

The failures, ASIC alleges, enabled a hacker to enter the company’s IT network undetected between May 19, 2023 and June 8, 2023, resulting in the theft of personal client information, which was subsequently published on the dark web.

The data stolen included names, addresses, birth dates, driver’s licences, passports, bank accounts and tax file numbers of customers.

FIIG was contacted by the Australian Signals Directorate’s Australian Cyber Security Centre about the incident on June 2 – the first time the company was made aware of the incident.

It did not investigate or respond to the incident until June 8 – a week after it had been notified by the ASD.

ASIC chair Joe Longo said the case should be a wake-up call for companies neglecting cybersecurity systems.

“Cybersecurity isn’t a set and forget matter. All companies need to proactively and regularly check the adequacy of their cybersecurity measures and follow the advice of the ASD’s ACSC,” he said.

“Advancing digital safety and resilience is a strategic priority for ASIC, and we have been actively engaging with companies to support the continuous improvement of cyber and operational resilience practices. 

“Australian financial services licensees are required by law to have adequate cybersecurity risk management systems in place. We allege FIIG’s inadequate cybersecurity measures left the business and its confidential client information vulnerable and exposed to significant risk.”

ASIC alleged the failures included not having an appropriately configured and monitored firewall; not providing mandatory training to staff on cyber security awareness; and not having adequate human, technological and financial resources to manage cyber security.

ASIC will seek civil penalties in the case – only the second time the organisation has taken cybersecurity enforcement action against an AFS licensee.

In 2022, Sydney-based RI Advice was found guilty of failing to adequately manage cybersecurity risks and fined $750,000.

FIIG provides retail and wholesale investors with access to fixed income investments and bond financing. 

The major fund manager has offices in Sydney, Melbourne, Brisbane and Perth.