Australia's corporate regulator is taking fixed-income broker FIIG Securities to court for a slew of alleged cybersecurity failures in the lead-up to a 2023 cyberattack.
The attack, which started in May 2023, saw the Russia-based ransomware gang AlphV claim the theft of 385GB of confidential data from FIIG.
FIIG, which offers investors access to fixed-income investments and bond financing, notified some 18,000 clients that their personal information may have been compromised in the breach. AlphV, having failed to extort a ransom payment, then published the reportedly stolen data on the dark web.
Now, the Australian Securities and Investments Commission (ASIC) has announced it is suing FIIG for failing to “take adequate steps” to protect its clients and itself against cybersecurity risks.
“ASIC alleges from March 2019 to 8 June 2023, FIIG failed to take the appropriate steps, as is required by an Australian Financial Services licensee, to ensure it had adequate cyber risk management systems in place,” wrote ASIC.
The watchdog claimed these failures enabled a hacker to enter FIIG’s IT network and “go undetected” for nearly three weeks, resulting in the theft of personal information and subsequent release of client data on the dark web.
ASIC said this stolen data included “highly sensitive customer information” such as names, addresses, birth dates, driver’s licences, passports, bank accounts and tax file numbers.
“We allege FIIG’s inadequate cybersecurity measures left the business and its confidential client information vulnerable and exposed to significant risk,” said ASIC Chair Joe Longo.
ASIC is seeking declarations of contraventions, civil penalties and a compliance order involving a review of FIIG’s cybersecurity measures.
FIIG acknowledged the civil proceedings by ASIC, and emphasised “no client investments or funds were accessed as a result of the cyber incident.”
“FIIG is considering the claims made by ASIC and will respond as appropriate,” the company said.
FIIG Securities is headed by CEO Alex Welch.
Security basics missing, staff stretched thin
ASIC’s allegations pointed to lapses in such commonplace cybersecurity measures as multi-factor authentication, incident response planning and privileged access control.
In its announcement, the regulator gave particular emphasis to FIIG’s alleged failures to patch software, to configure its firewalls appropriately and to mandate cybersecurity awareness training.
“This matter should serve as a wake-up call to all companies on the dangers of neglecting your cybersecurity systems,” said Longo.
The court documents further allege that FIIG did not employ or outsource appropriate human resources, and that the company “substantially relied on its chief operating officer and IT infrastructure team in respect of cybersecurity”.
“The relevant employees had a wide range of other responsibilities and were otherwise unable to ensure the adequacy of FIIG’s cybersecurity measures,” read court documents.
Annie Haggar, head of cybersecurity Australia at law firm Norton Rose Fulbright, said “ASIC has been flagging for some time that it expects organisations to take reasonable steps to prepare for cyberattacks”, and added that what counts as “reasonable cybersecurity measures” for one organisation may not be sufficient for another.
“What this case is showing is that for an organisation holding sensitive data – including, for example, tax file numbers or bank details – and managing significant amounts of money, the ‘minimum’ controls needed include not only the technical tools, but also the skilled personnel to implement and maintain them, and therefore that requires sufficient budget and financial resources to be allocated,” said Haggar.
“Some sectors are better prepared than others, but in every sector there are organisations who have not yet put in place the measures that ASIC has suggested are the minimum required.”
Warnings ignored
FIIG told ASIC that prior to being contacted by the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) on 2 June 2023, the company was not aware the incident had occurred.
Meanwhile, FIIG did not investigate and respond until “almost a week after it had been notified of potential malicious activity by the ASD’s ACSC.”
“All companies should be ensuring that they are signed up to receive the alerts ASD sends out, and that they are monitoring key email addresses for communications from ASD,” said Haggar.
Notably, court documents suggest FIIG’s response was delayed despite “numerous firewall email alerts generated from 23 May 2023 flagging suspicious activity”.
“Cybersecurity isn’t a set and forget matter,” said Longo.
“All companies need to proactively and regularly check the adequacy of their cybersecurity measures and follow the advice of the ASD’s ACSC.”
The proceedings mark ASIC’s second cybersecurity enforcement action after financial services company RI Advice was successfully sued for $750,000 over poor cybersecurity practices in May 2022.