Regulators Say FIIG Lacked Basic Security Measures to Prevent 2023 Breach

The Australian financial regulator has filed a lawsuit against FIIG Securities Limited, accusing the leading investment and financing company of lacking adequate cybersecurity controls to stop a threat actor from stealing the confidential personal information of 18,000 customers.
The Australian Securities and Investments Commission said it decided to sue Brisbane-headquartered FIIG Securities in Federal Court after observing the company’s “systemic and prolonged cybersecurity failures” over a four-year period that led to the 2023 data breach.
“This matter should serve as a wake-up call to all companies on the dangers of neglecting your cybersecurity systems,” said Joe Longo, chairman of the Australian Securities and Investments Commission. “Cybersecurity isn’t a set and forget matter. All companies need to proactively and regularly check the adequacy of their cybersecurity measures.”
From 2019 until the breach took place, FIIG failed to appropriately configure its firewalls to protect against cyberattacks; failed to update or patch software and operating systems to address vulnerabilities; did not provide mandatory cybersecurity training to employees; and lacked the human, technological and financial resources to manage cybersecurity, the commission said.
Threat actors breached FIIG’s network in June 2023 and stole approximately 385GB of confidential data, including clients’ names, addresses, birth dates, driver’s licenses, passports, bank accounts and tax file numbers.
The investment and financing company, which has more than AU$4.5 billion in funds under management and caters to more than 6,000 Australian investors, did not know about the breach of customer records until the Australian Cyber Security Centre warned it about potential malicious activity. Regulators said FIIG took more than six days after the warning to investigate and respond to the incident.
At that time, FIIG said it “acted with urgency” after it learned about the cyber incident: it took its IT systems and client-facing portals offline, isolated affected systems and worked with third-party cybersecurity experts to investigate the incident.
“We have acted with urgency to investigate and contain the incident to protect the security and privacy of the data we hold,” the company said in 2023. “This includes the initiation of our cyber response strategy, working with third-party cybersecurity experts and isolating affected systems.”
The financial regulator alleged in its lawsuit filed Wednesday that FIIG was solely responsible for the cybersecurity incident because it failed to put in place the necessary cybersecurity measures or skilled personnel to comply with its legal obligations to protect data. FIIG violated the Corporations Act, which requires organizations holding an Australian Financial Services License to maintain adequate risk management systems, regulators said.
FIIG Securities isn’t the first Australian company to be hit by a lawsuit for cybersecurity failings. The commission successfully sued financial services firm RI Advice in May 2022 over significant cybersecurity failures that allowed threat actors to mount multiple cyberattacks against its authorized representatives between 2014 and 2020. These attacks compromised confidential and sensitive personal information of several thousand clients and others.
The Federal Court ordered RI Advice to pay AU$750,000 for ASIC’s costs and directed the company to engage a cybersecurity expert to identify and implement adequate cybersecurity measures to address risks across its authorized representative network.
ASIC also urged organizations to prioritize cybersecurity after a 2023 survey found that one-third of Australian financial organizations did not have a cyber incident response plan, about 60% had limited or no capacity to protect confidential information adequately, and 44% did not manage third-party or supply chain risks.
The financial regulator says cyber risk management and operational resilience are among its top priorities for the year to make banks, insurers and superannuation trustees more resilient to cyberattacks (see: Australian Banks, Insurers Must Perform Security Assessments).
The Australian Prudential Regulation Authority said it “will take a proportionate response and may intensify supervision, require root cause analysis, request remediation plans and consider enforcement action” against companies that are found to have significant cybersecurity vulnerabilities.