Today, the Australian Securities and Investments Commission (ASIC) announced it had commenced enforcement action against FIIG Securities Limited (FIIG) for failing to have adequate cybersecurity measures in place. This is the first time we have seen ASIC pursue an Australian corporate on cyber security grounds since ASIC’s successful action against RI Advice Group in 2022 for failures to adequately manage cyber security risks in breach of its general Australian Financial Services licence (AFSL) obligations (see our earlier article here).
Takeaways
ASIC Chair Joe Longo says that this claim is “a wake-up call to all companies on the dangers of neglecting your cybersecurity systems”.
In some respects, the case against FIIG is narrower than what may have been anticipated, being confined to obligations imposed on AFSLs. There are no claims for breaches of directors’ duties, despite ASIC’s repeated emphasis since late 2023 about the critical role of boards in managing an organisation’s cyber risk, and indications in late 2024 that ASIC was actively investigating directors and executives for deficiencies in this area. Such obligations are not confined to AFSLs.
Given these broader obligations, and other regulatory risks (for example under prudential standards and privacy laws), companies should consider the specific expectations that ASIC has outlined in this claim, and what additional steps they should be considering in response.
ASIC’s claim against FIIG draws out the need for risks to be managed holistically (from planning and technical controls, through to regular testing), supported by appropriate levels of funding, resources and expertise. As we have seen in other ASIC actions (including recently in the context of financial crimes compliance), directors and companies must also consider the specific risks they face given the nature of the businesses they operate and the information they hold.
What risks was FIIG facing?
FIIG is an AFSL specialising in fixed income financial products and services which also provided custodial services, with assets held on behalf of its customers ranging between approximately $2.89 billion and $3.7 billion at the relevant time. In this context, it collected personal information about its clients, including copies of driver’s licences, passports, Medicare cards, TFNs and bank account details.
ASIC alleges that given the nature of its business, the information it held and the value of the assets under its control, there was a real risk that FIIG would be the subject of a cyber intrusion which would have adverse consequences for FIIG and its clients. Those adverse consequences were not merely financial losses from the impact to the operation of the business and potential identity fraud, but also exposure by FIIG to potential civil penalties and claims for damages. FIIG’s alleged cyber security failings exposed it and its clients to those risks to a “heightened and unreasonable extent”.
ASIC alleges that this caused or contributed to the severity of a cyber incident on or about 19 May 2023, which involved approximately 385GB of data (including personal information of FIIG’s clients) being downloaded from FIIG’s servers, some of which was published on the dark web. ASIC alleges that, had FIIG put in place the adequate (but missing) cybersecurity measures, FIIG would have detected the suspicious activity on its network earlier, and prevented the threat actor from downloading some or all of the stolen data (or had the opportunity to).
What does ASIC say should have been done?
ASIC claims that between 13 March 2019 and 8 June 2023, FIIG did not comply with its AFSL obligations under section 912A(1) of the Corporations Act 2001 (Cth) – specifically, its obligations to:
- do all things necessary to ensure that financial services were provided efficiently, honestly and fairly (s 912A(1)(a)), by failing to have in place adequate measures to protect its clients from the risks and consequences of a cyber incident;
- have available adequate resources (including financial, technological, and human resources) to, amongst other things, ensure that it had in place adequate cyber security measures required by its licence (s 912A(1)(d)); and
- have in place a risk management system that adequately identified and evaluated the risks faced by FIIG and its clients; adopt controls adequate to manage or mitigate those risks to a reasonable level; and implement those controls (s 912A(1)(h)).
On risk management systems, ASIC’s court documents provide some detail about its expectations. They allege that FIIG failed to have the following cybersecurity measures in place for some or all of the period:
- Planning and training: a cyber incident plan communicated and accessible to employees which is tested at least annually, and mandatory cyber security training (at onboarding and annually);
- Access restrictions:
- proper management of privileged access to accounts, including revoking access that is not required, and greater protections for privileged accounts; and
- configuration of group policies to disable legacy and insecure authentication protocols;
- Technical monitoring, detection, patches and updates:
- vulnerability scanning, involving tools deployed across networks and endpoints, and processes run at least quarterly with results reviewed and actions taken to address vulnerabilities;
- next-generation firewalls (including rules preventing endpoints from accessing file transfer protocol services);
- endpoint detection and response software on all endpoints and servers, with automatic updates and daily monitoring by a sufficiently skilled person;
- patching and software update plans (with critical or high importance patches applied within 1 month of release, and all others within 3 months), and a practice of updating all operating systems, with compensating controls for systems incapable of patching or updates; and
- security incident event management software configured to collect and consolidate security information across all of FIIG’s systems with appropriate analysis of the same (daily monitoring);
- Testing:
- processes to review and evaluate efficacy of technical controls at least quarterly; and
- penetration and vulnerability tests from internal and external points.
FIIG also failed to implement aspects of the risk management system that were part of its policies (such as ensuring accounts with operating system administrative privileges are not used for day-to-day activities and conducting regular perimeter testing).
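To make the cadences in ASIC’s list concrete, the following is an added Python example (not code from the original article, from ASIC or from FIIG) that checks a constructed patch inventory and activity log against the stated timelines. It assumes that “1 month” and “3 months” can be approximated as 30 and 90 days, and that the hostnames, patch ids and dates are placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Timelines as stated in ASIC's claim. Calendar months are approximated as
# 30-day periods here; that approximation is an assumption of this example.
CRITICAL_HIGH_SLA = timedelta(days=30)   # critical/high: "within 1 month of release"
OTHER_SLA = timedelta(days=90)           # "3 months for all others"
SCAN_CADENCE = timedelta(days=90)        # vulnerability scans "at least quarterly"
ANNUAL = timedelta(days=365)             # incident-plan testing and training
REPORT_DATE = date(2023, 5, 1)           # review date; constructed for the sample

@dataclass
class Patch:
    host: str
    patch_id: str
    severity: str             # "critical", "high", "medium" or "low"
    released: date
    applied: Optional[date]   # None while the patch is still outstanding

def overdue_patches(patches: List[Patch], today: date) -> List[Patch]:
    """Return patches not applied within the SLA for their severity band."""
    late = []
    for p in patches:
        sla = CRITICAL_HIGH_SLA if p.severity in ("critical", "high") else OTHER_SLA
        finished = p.applied if p.applied is not None else today
        if finished > p.released + sla:
            late.append(p)
    return late

def stale_activities(last_run: dict, today: date) -> List[str]:
    """Name recurring activities whose last run is older than the stated cadence."""
    cadence = {"vuln_scan": SCAN_CADENCE, "incident_plan_test": ANNUAL,
               "security_training": ANNUAL}
    return sorted(n for n, last in last_run.items() if today - last > cadence[n])

# Constructed sample data; hostnames and patch ids are placeholders.
SAMPLE_PATCHES = [
    Patch("fileserver01", "PATCH-A", "critical", date(2023, 3, 1), date(2023, 3, 20)),
    Patch("fileserver01", "PATCH-B", "critical", date(2023, 3, 1), None),
    Patch("workstation07", "PATCH-C", "low", date(2023, 1, 10), date(2023, 4, 30)),
    Patch("workstation07", "PATCH-D", "medium", date(2023, 4, 1), None),
]
SAMPLE_LAST_RUN = {"vuln_scan": date(2022, 11, 1), "incident_plan_test": date(2022, 3, 1),
                   "security_training": date(2023, 2, 1)}

if __name__ == "__main__":
    for p in overdue_patches(SAMPLE_PATCHES, REPORT_DATE):
        print(f"OVERDUE {p.host} {p.patch_id} ({p.severity})")
    print("stale activities:", stale_activities(SAMPLE_LAST_RUN, REPORT_DATE))
```

An outstanding patch is measured against the review date, so a critical patch with no applied date becomes a finding once 30 days have passed since release.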