ASIC v FIIG … Another cyber security case

Cybersecurity remains a critical concern for financial institutions, and Australian regulators are taking a firm stance. The Australian Securities and Investments Commission (ASIC) has initiated legal action against fixed-income broker FIIG for failing to implement appropriate cybersecurity measures. This failure led to a data breach impacting over 18,000 customers, remaining undetected for an extended period.

This marks the second cybersecurity-related case ASIC has pursued against an Australian Financial Services Licence (AFSL) holder, following the 2022 case against RI Advice.

Lessons from ASIC vs RI Advice

A key point of contention in the earlier RI Advice case was determining the minimum security standards that should have been in place. Information security experts have long debated this issue, and ASIC, in its claim, referenced six global standards, including:

  • The ASD Essential Eight
  • ASIC Report 429 Cyber Resilience: Health Check (2015)
  • ISO 27001 ISMS Requirements
  • NIST Framework for Improving Critical Infrastructure Cybersecurity (2018)
  • NIST Incident Handling Guide

RI Advice argued that ASIC’s cybersecurity requirements were vague and complex.

ASIC has refined its approach in the FIIG case by clearly outlining expected security controls, reducing ambiguity.

Background: ASIC vs FIIG

FIIG, a specialist in fixed-income products, holds an AFSL and maintains personal and financial data for its clients. ASIC alleges that over a four-year period, FIIG failed to implement adequate cybersecurity measures, allowing hackers to steal approximately 385 gigabytes of confidential data, some of which was later published on the dark web.

Specifically, ASIC claims that FIIG:

  • Did not provide financial services efficiently, honestly, and fairly
  • Lacked adequate financial, technological, and human resources to ensure cybersecurity compliance
  • Had insufficient risk management systems

These allegations point to breaches of sections 912A(1)(a), (d), and (h), and 912A(5A) of the Corporations Act 2001 (Cth).

Delayed Response to Cyber Intrusion

ASIC contends that FIIG only became aware of the cyber breach when alerted by the Australian Cyber Security Centre (ACSC) on June 2, 2023. Prior to this notification, FIIG was unaware of the attack. Furthermore, ASIC alleges that FIIG did not investigate the breach until six days after the ACSC’s alert.

ASIC argues that, had FIIG implemented adequate cybersecurity measures, the breach would have been detected much earlier.

Missing Cybersecurity Measures

ASIC has published its Concise Statement and Originating Process, detailing the deficiencies in FIIG’s cybersecurity framework. These cover missing technological measures as well as failures in human and financial resources.

Technological Measures:

Key missing technological controls listed by ASIC include:

  • Cyber incident response plan
  • Privileged access management
  • Regular vulnerability scanning
  • Properly configured next-generation firewalls
  • Stringent access controls
  • Endpoint device management
  • Timely patching of software vulnerabilities
  • Logging and Security Information and Event Management (SIEM) software
  • Security awareness training for employees
  • Regular security reviews

Human Resources:

ASIC asserts that FIIG lacked sufficient personnel with cybersecurity expertise. The company heavily relied on its Chief Operating Officer and IT infrastructure team, whose responsibilities extended beyond cybersecurity, making adequate security oversight impossible.

Financial Resources:

ASIC also claims that FIIG did not allocate enough financial resources to implement necessary cybersecurity measures.

Risk Management Failures

Under section 912A(1)(h) of the Corporations Act, FIIG was required to have a robust risk management system. While FIIG had documented policies, ASIC argues that these policies were not effectively implemented.

Key risk management measures identified but not adopted included:

  • Restricting administrative privilege accounts for routine activities
  • Conducting regular internal and external penetration testing
  • Applying security patches promptly via a structured patch management process
  • Disabling unused services, accounts, and applications
  • Continuous monitoring of the computing environment
  • Reviewing security event logs at least every 90 days

Next Steps

The next phases of the case will likely include ASIC filing a detailed statement of claim and FIIG submitting its defence, unless both parties reach an agreement on the facts.

This case highlights the critical importance of cybersecurity controls for financial institutions handling client financial data. The specific measures outlined in ASIC’s claim serve as a valuable checklist for any organisation looking to bolster its cybersecurity defences and compliance posture.

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.