ASIC's Continual Focus on Cybersecurity
ASIC has alleged that FIIG Securities Limited (FIIG) failed to have adequate cybersecurity measures for more than four years, which enabled a hacker to enter its IT network and go undetected from 19 May 2023 until 8 June 2023, resulting in the theft of personal information and the subsequent release of client data on the dark web. The stolen data included highly sensitive customer information, including names, addresses, birth dates, driver’s licences, passports, bank accounts and tax file numbers.
FIIG advised ASIC that it was contacted by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) about a potential cybersecurity incident on 2 June 2023. FIIG was not aware the incident occurred before this contact. FIIG did not investigate and respond to the incident until 8 June 2023, almost a week after it had been notified of potential malicious activity by the ASD’s ACSC.
ASIC’s allegations include FIIG’s failure to:
have appropriately configured and monitored firewalls to protect against cyber attacks;
update and patch software and operating systems to address security vulnerabilities;
provide mandatory training to staff on cyber security awareness; and
have adequate human, technological and financial resources to manage cyber security.
ASIC Chair Joe Longo said, ‘This matter should serve as a wake-up call to all companies on the dangers of neglecting your cybersecurity systems.’
In its Market Integrity Update, ASIC advised that it expects all licensees to prioritise and invest in systems that protect their customers and maintain integrity in the financial system, and that it may take strong action where they fail to do so. ASIC has identified benchmarks, such as those of the International Organization for Standardization (ISO), that licensees may use for establishing and improving systems to manage the security of data owned or handled by the business. Key cyber risk management requirements identified by ISO include:
Identify and protect critical assets: Secure trading and settlement systems through network segmentation, access controls, encryption, and regular vulnerability assessments. Understanding the interdependencies between systems helps prioritise risk mitigation efforts.
Incident detection and response: Deploy real-time threat detection and response mechanisms, including security monitoring, logging and automated alerts to prevent unauthorised access and mitigate breaches.
Third-party risk management: Regularly assess service providers’ security postures, enforce risk-mitigation measures, and require adherence to recognised security standards to reduce supply chain vulnerabilities.
Resilience and recovery planning: Maintain and test business continuity plans with scenario-based exercises to ensure swift recovery from cyber incidents, including ransomware attacks and data breaches.
Cyber awareness and training: Strengthen staff capabilities through ongoing education, phishing awareness programs, and strict authentication measures to minimise risk of human error.