Failing to protect against cybersecurity risks
ASIC has announced it has commenced civil penalty proceedings against FIIG Securities Limited (FIIG) for allegedly failing over four years to protect itself and its clients from cybersecurity risks. Specifically, ASIC claims FIIG failed to:
- provide financial services efficiently, honestly and fairly;
- have adequate resources (financial, technological and human) to ensure appropriate cybersecurity measures and comply with its legal obligations; and
- have adequate risk management systems,
in contravention of sections 912A(1)(a), (d), and (h), and 912A(5A) of the Corporations Act 2001 (Cth).
ASIC's enforcement action against FIIG is consistent with its current enforcement priorities, namely, to ensure licensees have in place adequate cybersecurity protections. ASIC Chair Joe Longo has also emphasised the importance of 'proactively and regularly' checking the adequacy of cybersecurity measures and following the advice of the Australian Signals Directorate's Australian Cyber Security Centre (ACSC).
Background
FIIG holds an Australian Financial Services Licence (AFSL) and specialises in fixed-income products and services. It collects and maintains personal information on clients and holds significant assets on their behalf.
ASIC claims that, due to the nature of FIIG's business and the data it held, FIIG was at 'real risk' of cyber intrusion, which could lead to data breaches, financial loss and an inability to access data, provide services or operate its network or systems.
ASIC alleges that, despite this risk, FIIG failed to have adequate cybersecurity measures in place and failed to implement the controls identified in its risk management system to mitigate cybersecurity risks. This culminated in a cyber intrusion in May 2023 where 385GB of data is alleged to have been stolen (affecting approximately 18,000 individual customers), some of which was published on the dark web. ASIC alleges FIIG became aware of this intrusion when the ACSC alerted FIIG that its systems may have been compromised on 2 June 2023. It is alleged that FIIG was not aware the intrusion had occurred before this alert.
ASIC alleges FIIG did not investigate and respond to the incident until 8 June, almost a week after it had been notified of the potential malicious activity by the ACSC.
ASIC has published its Concise statement and Originating process. The likely next steps in the proceeding will involve a detailed statement of claim filed by ASIC and a defence filed by FIIG, unless the parties are able to agree on a statement of agreed facts and admissions.
Takeaways
This is the second time ASIC has commenced proceedings for a failure to have adequate cybersecurity systems in place—the first being in relation to RI Advice in August 2020. These new proceedings demonstrate ASIC's evolving approach to cyber risk management since it brought proceedings against RI Advice. ASIC's articulation of expected technical security measures in the FIIG proceedings is more prescriptive than its expectations around 'adequate cybersecurity documentation and controls' presented in the RI Advice proceedings. Whilst director compliance in relation to cybersecurity remains a priority for ASIC, no proceedings have yet been commenced against FIIG directors or other officers.
The cybersecurity measures ASIC suggests should have been implemented are consistent with many of those identified by the Office of the Australian Information Commissioner in recent civil penalty proceedings brought against Australian Clinical Labs and Medibank, as well as in class action proceedings brought against Optus and Medibank.
A comparison of security measures class action plaintiffs and regulators have alleged are required in these proceedings is available here.
The fact FIIG was allegedly alerted to the issue by the ACSC (ie it was not detected internally) was likely compounded by the alleged six-day delay between the ACSC's alert (2 June 2023) and FIIG's investigation of the potential malicious activity (8 June 2023). ASIC claims that if FIIG had had adequate cybersecurity measures in place, it would have detected suspicious activity well before the ACSC notified it. ASIC suggests FIIG should have had in place:
- endpoint detection and response software that was monitored on a daily basis by a person with sufficient skills, training and experience to identify and respond to any unusual network activity; and
- a cyber incident response plan which addressed: (i) the action to be taken, key roles and responsibilities of FIIG personnel, and regulatory notification requirements, in the event of a cybersecurity event; (ii) incident detection and analysis; and (iii) incident response (containment, eradication and recovery).
ASIC alleges FIIG's risk management systems were inadequate because they failed to implement and maintain necessary cybersecurity measures. Even though FIIG had a risk management system (which included an IT Information Security Policy and Cyber and Information Security Policy), ASIC claims FIIG failed to implement measures identified in those policies. Regulators have repeatedly emphasised the importance of ensuring the operating effectiveness of risk management systems (ie that they are adhered to, and that compliance is monitored and enforced), in addition to design effectiveness.
ASIC expects that: (i) AFSL holders will employ or outsource to people with the skills, knowledge and experience in IT security to ensure adequate cybersecurity measures are implemented; (ii) one or more persons will be assigned the responsibility for doing so; and (iii) that those responsible are given sufficient time to properly discharge their responsibility. In this case, ASIC alleges FIIG overly relied on its Chief Operating Officer and IT infrastructure team, which had competing responsibilities.
ASIC's concise statement is instructive as to the regularity with which it currently expects organisations (at least those of similar circumstances to FIIG) to implement certain technical controls:
| Activity | Regularity / timeframes |
|---|---|
| Testing of cyber incident response plan | Annually. |
| Monitoring of Endpoint Detection and Response (EDR) software | Daily. |
| Application of patches and software updates | Within one month of release of the patch or update for critical or high importance patches. Within three months of release of the patch or update for all other patches. |
| Storage of logs | Online for at least 90 days. In an electronic archive for at least 12 months. |
| Mandatory security awareness training | At onboarding, and then annually. |
| Review and evaluation of effectiveness of technical cybersecurity controls | Quarterly. |
| Review of event logs by Security Administrator | Every 90 days. |
Declarations and orders
ASIC is seeking:
- declarations that FIIG failed to:
  - have adequate resources (financial, technological and human) to ensure appropriate cybersecurity measures and comply with its legal obligations;
  - have adequate risk management systems; and
  - as a consequence of the failures above, do all things necessary to ensure the financial services covered by FIIG's licence were provided efficiently, honestly and fairly;
- a pecuniary penalty in respect of each of FIIG's alleged contraventions of the Corporations Act (where, for each contravention, the maximum civil penalty for companies is the greater of (i) 50,000 penalty units ($13.75 million at the time), (ii) three times the benefit obtained and detriment avoided, and (iii) 10% of annual turnover, capped at 2.5 million penalty units ($687.5 million at the time));
- a compliance order requiring FIIG to complete a compliance program involving a review of its cybersecurity measures and to commission an independent expert to report on those measures to ASIC, in such form as the court thinks fit; and
- an order that FIIG pay ASIC's costs.