
ASIC's latest enforcement action against FIIG Securities for cybersecurity failures a warning to AFSL holders

Australian financial services licensees should review their compliance with their obligations under the Corporations Act 2001 (Cth), and with best practice, to ensure they are maintaining adequate cybersecurity systems, following ASIC's launch of an action against FIIG Securities (FIIG) for allegedly failing to have adequate cybersecurity measures, which resulted in the theft of approximately 385GB of confidential data and clients' personal information.
The FIIG action comes in the wake of ASIC's concerns in respect of RI Advice for cybersecurity failures in 2022, and demonstrates ASIC's ongoing scrutiny (aligned with its 2025 enforcement priorities) of licensees' cybersecurity systems.
Cybersecurity obligations of AFSL holders
The obligations of licensees under section 912A of the Corporations Act have again been relied on as the primary cause of action, this time against FIIG Securities. In particular, ASIC has asserted that FIIG's failures breached:
- Section 912A(1)(a) – an obligation to do all things necessary to ensure that the financial services covered by its licence are provided efficiently, honestly and fairly and also maintain adequate risk management systems;
- Section 912A(1)(d) – an obligation to have available adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence and to carry out supervisory arrangements; and
- Section 912A(1)(h) – an obligation to have adequate risk management systems.
ASIC expectations
ASIC's Concise Statement submitted for its action against FIIG provides some useful guidance on its standards and expectations of AFSL holders' cybersecurity compliance, drawn from ASIC's identification of "missing cybersecurity measures" and "missing risk management measures" in FIIG's business.
For FIIG to have met its obligations under section 912A(1)(a), ASIC asserts that it was required to have had in place adequate cybersecurity measures to protect its clients from the risks and consequences of a cyber intrusion. Those measures are described in detail in an annexure to ASIC's claim but, in summary, are:
- a cyber incident response plan tested at least annually;
- systems to manage privileged accounts on FIIG's networks;
- vulnerability scanning capabilities to identify threats/issues;
- up-to-date firewalls;
- regular software patching updates;
- multi-factor authentication for remote users; and
- mandatory security awareness training.
As for FIIG's obligations under sections 912A(1)(d) and 912A(1)(h), ASIC alleges FIIG's failure to have adequate cybersecurity measures also demonstrated that FIIG had failed to have adequate technological resources and an adequate risk management system.
Although licensees can use the list above as guidance on the types of cybersecurity measures that ASIC expects licensees to implement, it should not be treated as an exhaustive list given the breadth of the section 912A obligations. The adequacy of cybersecurity measures, and of risk management systems generally, appears to remain dependent on the size, scale and complexity of a licensee's business. The same cybersecurity measures required of FIIG may not be sufficient for your business in ASIC's eyes. Accordingly, licensees must assess their current cybersecurity systems and threats and ensure that their cybersecurity measures can adequately mitigate cybersecurity risks (including risks unique to their business).
That assessment of cybersecurity measures must be made by cybersecurity experts to satisfy obligations under section 912A(1)(a) of the Act which, as the court noted in RI Advice, involves consideration of "public expectations". For highly technical areas such as cybersecurity, the court in RI Advice noted that the threshold of "public expectations" would be assessed by reference to the standard of a reasonable person qualified in that area. For further guidance on best practices for implementing adequate cybersecurity measures, see ASIC's Cyber Resilience Good Practice guidance and the Australian Cyber Security Centre's "Strategies to mitigate cybersecurity incidents".
Be ready for continued regulator focus on risk management
Risk management remains a key issue for licensees to keep on top of, including outside the context of cybersecurity. In early 2024, Lanterne Fund Services was fined $1.25 million for failing to have adequate risk management systems in an action brought by ASIC that included claims under the same section 912A obligations relied on in the action against FIIG. Additionally, for APRA-regulated entities, the introduction of CPS 230 will require further assessment of existing operational risk management systems to ensure compliance with the new CPS 230 standard, due to take effect in July 2025. Accordingly, AFS licensees and APRA-regulated entities will need to take a holistic approach to assessing and improving the existing risk management systems of their business, to align themselves firmly with ASIC and APRA expectations and to avoid investigative and/or enforcement action.
If you would like to further discuss the implications of ASIC's recent action against FIIG on your business or require assistance with the assessment of cybersecurity measures of your business (including from a compliance and/or technical perspective), please contact us.
Thanks to Jayden Hwang for his help in writing this article.