In this second instalment, we’ll dive into practical steps Australian financial services firms can take to strengthen their cyber defences. Using the FIIG Securities case as a cautionary tale, we’ll cover critical areas like vulnerability management, data encryption, access controls, and incident response planning.
Cybercrime isn’t just a tech issue; it’s now one of the biggest risks to your firm’s reputation, legal standing, and client trust. The recent FIIG Securities case shows just how quickly things can spiral when cybersecurity is overlooked.
In Part 1 of our series, we explored the evolving cybersecurity risks facing Australian financial services firms, highlighting the growing threat of ransomware, phishing attacks, and supply chain vulnerabilities. For small and medium-sized businesses (SMBs) in the advisory sector, these risks are especially concerning due to the sensitive client data they manage.
The RI Advice case underscores that cybersecurity is no longer just an IT issue; it’s a crucial component of risk management with significant legal and reputational consequences. Relying on point-in-time approaches like cyber ‘attestations’, which say nothing about how controls hold up between reviews, is increasingly risky and ineffective.
On March 12, 2025, ASIC initiated legal proceedings against FIIG Securities Limited in the Federal Court (Case QUD144/2025), alleging that the firm failed to implement adequate cybersecurity measures between March 2019 and June 2023. ASIC says this lapse enabled a cyber-attack in May 2023 in which malware, introduced through a compromised employee account, led to a breach: approximately 385GB of client data, including personal details and financial information, was stolen and published on the dark web. ASIC claims these failures breached the Corporations Act and exposed both the firm and its clients to significant risk.
Cybercriminals routinely exploit known vulnerabilities in unpatched systems, and ASIC alleges exactly that weakness at FIIG: the firm had no patching plan and did not promptly apply available updates, which contributed to the attack. A patching plan is more than good intentions. It means knowing what software you run, setting a timeframe for applying fixes based on how severe the flaw is and whether the system is exposed to the internet, and checking that each fix was actually installed.
The ACSC’s 2023–2024 Cyber Threat Report highlights that unpatched systems are a top attack vector. On ASIC’s account, FIIG’s failure to patch left it vulnerable for more than four years, a risk no firm should tolerate.
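Here is what “a patching plan with timeframes and verification” looks like as a check you can actually run against an asset inventory. This is an added example written for this article; it is not code from FIIG, ASIC or VBP, and the 48-hour / 14-day timeframes, the hostnames, the advisory IDs and the dates are all assumed placeholders (the timeframes are loosely modelled on ACSC Essential Eight guidance, not quoted from it).

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed patching timeframes, modelled loosely on ACSC Essential Eight guidance:
# 48 hours for an internet-facing service when the vendor rates the flaw critical
# or a working exploit exists, 14 days otherwise. Substitute your own policy.
SLA_EXPOSED_CRITICAL = timedelta(days=2)
SLA_DEFAULT = timedelta(days=14)


@dataclass(frozen=True)
class PatchRecord:
    host: str
    package: str
    advisory: str                   # vendor advisory / CVE id (placeholders here)
    released: date                  # when the vendor published the fix
    internet_facing: bool
    critical_or_exploited: bool
    applied: Optional[date] = None  # None: still unpatched


def deadline(rec: PatchRecord) -> date:
    """Date by which the fix had to be installed under the assumed policy."""
    if rec.internet_facing and rec.critical_or_exploited:
        return rec.released + SLA_EXPOSED_CRITICAL
    return rec.released + SLA_DEFAULT


def overdue(records: list[PatchRecord], as_of: date) -> list[tuple[str, str, str, int]]:
    """Return (host, package, advisory, days_past_deadline), worst first.

    A patch applied late still appears in the report: the window of exposure
    is what an auditor (or an attacker) cares about, not whether you eventually
    caught up.
    """
    findings = []
    for rec in records:
        due = deadline(rec)
        exposure_ended = rec.applied or as_of   # still open: count up to today
        if exposure_ended > due:
            findings.append((rec.host, rec.package, rec.advisory, (exposure_ended - due).days))
    return sorted(findings, key=lambda f: f[3], reverse=True)


# Constructed inventory for illustration; not data from the FIIG matter.
INVENTORY = [
    PatchRecord("web-01", "sshd", "ADV-0001", date(2023, 4, 1), True, True),
    PatchRecord("ws-017", "browser", "ADV-0002", date(2023, 5, 1), False, False, date(2023, 5, 10)),
    PatchRecord("fs-02", "smb-server", "ADV-0003", date(2023, 3, 1), False, True, date(2023, 3, 20)),
    PatchRecord("mail-01", "mta", "ADV-0004", date(2023, 5, 28), True, False),
]
AS_OF = date(2023, 6, 1)   # assumed "today" for the report


def overdue_report() -> list[tuple[str, str, str, int]]:
    return overdue(INVENTORY, AS_OF)


if __name__ == "__main__":
    for host, pkg, adv, days in overdue_report():
        print(f"{host:8} {pkg:12} {adv}  {days} days past deadline")
```

Run weekly from your real inventory (a vulnerability scanner export or your RMM tool’s patch status) and the output is the list you take to the cybersecurity lead. Note that the internet-facing sshd host stays on the report until the patch lands, while the file server still shows up even though it was eventually patched, because it was exposed for five days longer than policy allowed.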
The FIIG breach exposed 385GB of sensitive client data, which underscores the importance of encryption. The court documents don’t allege specific lapses in encryption, but the fact that the stolen data was usable enough to publish suggests that at least some of it was readable to the attacker.
Encryption renders stolen data unusable without the correct decryption keys, reducing the impact of a breach. One caveat matters here: encryption at rest only helps if the attacker cannot also obtain the keys or act as an authorised user. An intruder operating through a compromised account that is permitted to read the data will see it decrypted, so encryption has to be paired with tight access controls and key management rather than relied on alone. With those in place, the exposure of FIIG’s client data on the dark web might have been substantially reduced.
The FIIG breach involved a compromised account and unauthorised escalation of privileges. ASIC’s filing links this to poor management of privileged access. Similarly, the RI Advice case highlighted vulnerabilities due to weak password practices.
Failure to secure privileged accounts allowed the attacker to move laterally within FIIG’s network. Since RI Advice, ASIC has made clear that it expects licensees to maintain strict controls over privileged accounts to prevent that kind of movement and limit the damage an intruder can do. In practice that means separate, MFA-protected admin accounts used only for administration (never for email or browsing), no standing membership of privileged groups beyond what a role needs, no shared admin credentials, and prompt removal of accounts that are no longer used.
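The privileged-account hygiene rules above are easy to state and easy to let slide, so here is an audit that applies them to a directory export; it is also the kind of check a regular posture assessment should run. This is an added example for this article, not code from FIIG, ASIC or VBP. The group names are typical Active Directory ones, the 45-day idle limit is an assumed policy value, and the accounts are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values; align them with your own framework (Essential Eight,
# CIS Controls). Group names are typical Active Directory ones.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
MAX_PRIVILEGED_IDLE = timedelta(days=45)


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset[str]
    mfa_enabled: bool
    last_logon: date
    has_mailbox: bool     # a mailbox means the account is also used day to day
    shared: bool          # generic credential known to more than one person


def is_privileged(acct: Account) -> bool:
    return bool(acct.groups & PRIVILEGED_GROUPS)


def audit_privileged(accounts: list[Account], as_of: date) -> list[tuple[str, str]]:
    """Return (account, finding) pairs for privileged accounts that break
    least-privilege hygiene. Non-privileged accounts are out of scope here."""
    findings = []
    for a in accounts:
        if not is_privileged(a):
            continue
        if not a.mfa_enabled:
            findings.append((a.name, "privileged account without MFA"))
        if a.has_mailbox:
            findings.append((a.name, "privileged account also used for email/browsing; "
                                     "split it into a separate admin account"))
        if a.shared:
            findings.append((a.name, "shared privileged credential; no individual accountability"))
        idle = as_of - a.last_logon
        if idle > MAX_PRIVILEGED_IDLE:
            findings.append((a.name, f"privileged account idle for {idle.days} days; disable or remove it"))
    return findings


# Constructed directory export for illustration; not data from the FIIG matter.
ACCOUNTS = [
    Account("jsmith", frozenset({"Domain Users", "Domain Admins"}), True, date(2023, 5, 30), True, False),
    Account("jsmith-adm", frozenset({"Domain Admins"}), True, date(2023, 5, 31), False, False),
    Account("svc-backup", frozenset({"Administrators"}), False, date(2023, 5, 31), False, False),
    Account("admin-shared", frozenset({"Domain Admins"}), False, date(2023, 3, 1), False, True),
    Account("mlee", frozenset({"Domain Users"}), False, date(2023, 5, 31), True, False),
]
AS_OF = date(2023, 6, 1)   # assumed "today" for the audit


def audit_report() -> list[tuple[str, str]]:
    return audit_privileged(ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for name, finding in audit_report():
        print(f"{name:14} {finding}")
```

Note the pattern the clean account shows: `jsmith` keeps a normal mailbox account for daily work and a separate `jsmith-adm` account, with MFA, that only exists to administer systems. Phishing the everyday account then does not hand the attacker domain-wide privileges. The shared admin account, unused for three months and without MFA, is exactly the kind of foothold that lets an intruder escalate and move laterally unnoticed.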
FIIG’s delayed response worsened the impact of the breach: despite a warning from the ACSC, the firm did not act until June 8, 2023. It had no cyber incident response plan, a gap ASIC identifies as a major oversight. A plan is what turns an external tip-off into action within hours, because it already says who is notified, who has authority to isolate systems, and what evidence must be preserved.
Weak detection let the attacker operate inside the network for over a week, exfiltrating vast amounts of data. Monitoring that flags unusual outbound transfers, combined with an incident response plan that is actually rehearsed, could have halted this breach much sooner.
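Hundreds of gigabytes leaving a workstation is not subtle if anyone is measuring. The following is an added example for this article, not code from FIIG, ASIC or VBP, of the simplest useful egress check: aggregate outbound bytes per internal host per day from firewall or proxy logs, baseline each host against its own history, and alert when a day is both large in absolute terms and far above that baseline. The log format, IP addresses, volumes and thresholds are all constructed for illustration; the FIIG filing publishes no logs.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed egress log lines in a generic firewall/proxy style. Values are
# illustrative only. The last line is deliberately malformed to show the parser
# skipping junk instead of crashing mid-run.
SAMPLE_LOG = [
    # 10.0.5.17 (a user workstation): a few hundred MB a day is normal for it
    "2023-05-14T09:01:00Z src=10.0.5.17 dst=203.0.113.9 bytes_out=180000000",
    "2023-05-15T09:10:00Z src=10.0.5.17 dst=203.0.113.9 bytes_out=210000000",
    "2023-05-16T09:05:00Z src=10.0.5.17 dst=198.51.100.4 bytes_out=160000000",
    "2023-05-17T09:30:00Z src=10.0.5.17 dst=203.0.113.9 bytes_out=240000000",
    "2023-05-18T09:02:00Z src=10.0.5.17 dst=203.0.113.9 bytes_out=190000000",
    # 19 May: two overnight sessions push 43 GB to one external host
    "2023-05-19T01:15:00Z src=10.0.5.17 dst=192.0.2.77 bytes_out=21000000000",
    "2023-05-19T03:40:00Z src=10.0.5.17 dst=192.0.2.77 bytes_out=22000000000",
    # 10.0.5.23 (a backup server) legitimately pushes ~8 GB offsite every night
    "2023-05-14T23:00:00Z src=10.0.5.23 dst=203.0.113.50 bytes_out=8000000000",
    "2023-05-15T23:00:00Z src=10.0.5.23 dst=203.0.113.50 bytes_out=8000000000",
    "2023-05-16T23:00:00Z src=10.0.5.23 dst=203.0.113.50 bytes_out=8000000000",
    "2023-05-17T23:00:00Z src=10.0.5.23 dst=203.0.113.50 bytes_out=8000000000",
    "2023-05-18T23:00:00Z src=10.0.5.23 dst=203.0.113.50 bytes_out=8000000000",
    "2023-05-19T23:00:00Z src=10.0.5.23 dst=203.0.113.50 bytes_out=8000000000",
    "this line is not a flow record and must be ignored",
]

LINE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Assumed thresholds: alert only when a host sends at least ABS_MIN in a day
# AND more than RATIO times its own median over prior days. The ratio test is
# what stops the backup server (always large, never unusual) from paging you.
ABS_MIN = 5 * 1024 ** 3   # 5 GiB
RATIO = 5.0
MIN_HISTORY = 3           # days of baseline required before judging a day


def daily_egress(lines):
    """src -> day -> total bytes_out, built from parsable lines only."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        totals[m["src"]][m["day"]] += int(m["bytes"])
    return totals


def flag_exfil(totals, abs_min=ABS_MIN, ratio=RATIO):
    """Return (src, day, bytes_that_day, baseline) for every anomalous day."""
    alerts = []
    for src, by_day in totals.items():
        days = sorted(by_day)
        for i in range(MIN_HISTORY, len(days)):
            baseline = median(by_day[d] for d in days[:i])   # prior days only
            today = by_day[days[i]]
            if today >= abs_min and today > ratio * baseline:
                alerts.append((src, days[i], today, baseline))
    return alerts


def exfil_alerts():
    return flag_exfil(daily_egress(SAMPLE_LOG))


if __name__ == "__main__":
    for src, day, total, baseline in exfil_alerts():
        print(f"ALERT {src} on {day}: {total / 1e9:.1f} GB out, baseline {baseline / 1e6:.0f} MB/day")
```

Two caveats a practitioner should keep in mind. First, this runs on daily totals, so it fires the next morning; shorten the window to an hour if you want to catch a transfer while it is still running. Second, an attacker who drips data out below the ratio will slip past it, so pair volume checks with “first time this host has talked to that destination” logic and data-loss-prevention on the content. And none of it matters unless the alert reaches a person who is empowered, by the incident response plan, to pull the plug.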
The FIIG case, similar to the RI Advice case, shows that ignoring cybersecurity can result in severe consequences: legal penalties, reputational damage, and loss of client trust. In FIIG’s case, after the breach, their systems were offline for months, disrupting services significantly.
1) Appoint a Cybersecurity Lead
Designate a leader to oversee cybersecurity, ensuring focus and accountability in defense strategies.
2) Adopt a Cyber Framework
Align your firm with a recognised framework like the ACSC Essential Eight or the CIS Controls to streamline and prioritise security measures.
3) Document Policies
Maintain clear, up-to-date documentation of your cybersecurity policies so you can show what controls you have and how they are maintained if ASIC reviews you.
4) Regular Cyber Posture Assessments
Regularly assess your security posture so your controls keep pace with configuration changes and new threats, and fix the weaknesses those assessments uncover.
The FIIG case, with its estimated $2.89–$3.7 billion exposure, underscores how much is at stake in the evolving threat landscape. Proactive cybersecurity measures are crucial to protecting clients and upholding fiduciary duties: managing vulnerabilities, encrypting data, securing access, and planning for incidents.
Don’t wait until it’s too late! Take proactive steps now to protect your business. Our experts can help you implement robust cybersecurity strategies tailored to your needs, from monitoring to incident response. VBP adheres to the highest standards, ensuring your sensitive data is safeguarded against evolving threats.
Contact our experts today to discover how we can empower your firm’s security!