In March 2025, the Australian Securities and Investments Commission (ASIC) initiated legal proceedings against FIIG Securities Limited (FIIG) for alleged systemic and prolonged cybersecurity failures. These failures reportedly led to a significant data breach, compromising the personal information of approximately 18,000 clients.
The Allegations Against FIIG
ASIC’s allegations against FIIG are serious and multifaceted. Between March 2019 and June 2023, FIIG allegedly failed to implement adequate cyber risk management systems, as mandated for Australian Financial Services (AFS) licensees. This lapse purportedly allowed a hacker to infiltrate FIIG’s IT network undetected from May 19 to June 8, 2023, resulting in the theft of approximately 385GB of confidential data.
The compromised data included highly sensitive customer information such as names, addresses, birth dates, driver’s licences, passports, bank accounts, and tax file numbers. Notably, FIIG was unaware of the breach until the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) alerted it on June 2, 2023. Despite this notification, FIIG reportedly delayed investigating and responding to the incident until June 8, 2023.
Specific Failures Identified
ASIC’s investigation highlighted several critical deficiencies in FIIG’s cybersecurity practices:
- Firewall Management: FIIG allegedly lacked appropriately configured and monitored firewalls to protect against cyberattacks.
- Software Maintenance: There was a reported failure to update and patch software and operating systems, leaving security vulnerabilities unaddressed.
- Staff Training: FIIG allegedly did not provide mandatory cybersecurity awareness training to its staff.
- Resource Allocation: The company purportedly lacked adequate human, technological, and financial resources dedicated to managing cybersecurity.
These alleged shortcomings underscore the importance of robust cybersecurity measures in the financial sector.
The Role of Penetration Testing and Vulnerability Assessment
To prevent such breaches, financial institutions must implement comprehensive cybersecurity strategies. Two critical components of these strategies are penetration testing and vulnerability assessment.
Vulnerability Assessment
A vulnerability assessment systematically identifies and evaluates security weaknesses within an organisation’s IT infrastructure. The process involves scanning systems, networks, and applications to detect weaknesses that an attacker could exploit, such as the unpatched software and misconfigured firewalls alleged in FIIG’s case. Regular vulnerability assessments enable organisations to address security gaps proactively, thereby enhancing their overall security posture.
Penetration Testing
Penetration testing, or ethical hacking, simulates cyberattacks to evaluate the effectiveness of an organisation’s security defences. By attempting to exploit identified vulnerabilities under controlled conditions, penetration testers can assess the realistic impact of the threats an organisation faces. This approach provides valuable insight into where defences fail in practice, allowing for targeted remediation efforts.
Benefits of Implementing These Practices
For financial institutions, incorporating regular vulnerability assessments and penetration testing offers several key benefits:
- Risk Identification: These practices help uncover hidden vulnerabilities before malicious actors can exploit them.
- Regulatory Compliance: Adhering to cybersecurity standards and regulations is crucial in the financial sector. Regular assessments demonstrate compliance and due diligence.
- Reputation Management: Proactively addressing security weaknesses helps maintain client trust and protects the organisation’s reputation.
- Cost Savings: Preventing breaches through proactive measures can save organisations from the significant financial losses associated with data breaches, including fines, legal fees, and remediation costs.
Lessons from the FIIG Incident
The FIIG incident serves as a stark reminder of the consequences of inadequate cybersecurity measures. Financial institutions must recognise that cybersecurity is not a one-time effort but an ongoing commitment. Regular vulnerability assessments and penetration testing should be integral components of this commitment.
Moreover, timely responses to potential security incidents are crucial. In FIIG’s case, the delay in investigating and responding to the breach after notification from the ASD’s ACSC exacerbated the situation. Establishing and practising robust incident response protocols can mitigate the impact of security breaches.
Conclusion
The legal action against FIIG Securities Limited by ASIC highlights the critical importance of robust cybersecurity measures in the financial sector. Implementing regular vulnerability assessments and penetration testing can significantly enhance an organisation’s security posture, ensuring the protection of sensitive client information and compliance with