
In this second instalment, we’ll dive into practical steps Australian financial services firms can take to strengthen their cyber defences. Using the FIIG Securities case as a cautionary tale, we’ll cover critical areas like vulnerability management, data encryption, access controls, and incident response planning.
Cybercrime isn’t just a tech issue; it’s now one of the biggest risks to your firm’s reputation, legal standing, and client trust. The recent FIIG Securities case shows just how quickly things can spiral when cybersecurity is overlooked.
In Part 1 of our series, we explored the evolving cybersecurity risks facing Australian financial services firms, highlighting the growing threat of ransomware, phishing attacks, and supply chain vulnerabilities. For small and medium-sized businesses (SMBs) in the advisory sector, these risks are especially concerning due to the sensitive client data they manage.
The RI Advice case underscores that cybersecurity is no longer just an IT issue; it’s a crucial component of risk management with significant legal and reputational consequences. Relying on part-time approaches like cyber ‘attestations’ is increasingly risky and ineffective.
On March 12, 2025, ASIC initiated legal proceedings against FIIG Securities Limited in the Federal Court (Case QUD144/2025), accusing the firm of failing to implement adequate cybersecurity measures between March 2019 and June 2023. This lapse enabled a cyber-attack in May 2023, in which malware introduced through an employee’s account led to a breach, with 385GB of client data stolen—including personal details and financial information—and published on the dark web. ASIC claims this breach violated the Corporations Act, exposing both the firm and its clients to significant risks.

1. Vulnerability Management: Stay Ahead of Exploits
Cybercriminals often exploit known vulnerabilities in unpatched systems, a weakness that played a key role in the FIIG breach. ASIC alleges that FIIG lacked a patching plan and failed to promptly apply necessary updates, a mistake that contributed to the attack.
Actionable Steps:
- Regular Vulnerability Scans: Conduct frequent vulnerability scans on both networks and endpoints to identify weaknesses. FIIG reportedly missed this crucial step.
- Timely Patching: Apply critical patches within 30 days and non-critical ones within 90 days to ensure that your systems remain secure and vendor-supported.
- Patching Schedule: Create a consistent patching schedule and monitor ACSC advisories for emerging threats relevant to your technology.
Why It Matters:
The ACSC’s 2023–2024 Cyber Threat Report highlights that unpatched systems are a top attack vector. FIIG’s failure to patch left it vulnerable for over four years, which is a risk no firm should tolerate.
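The 30-day and 90-day windows above are only useful if someone tracks every open finding against its deadline. The following is an added example (not code from this article, VBP or FIIG) of a small SLA tracker: it takes scanner findings with a severity and first-seen date, computes each deadline, and reports what is overdue, worst first. The hostnames, finding IDs and dates are constructed, and the VULN-000x labels are placeholders rather than real CVE identifiers.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# SLA windows as stated in the article: critical patches within 30 days,
# everything else within 90 days of the scanner first reporting the finding.
SLA_DAYS = {"critical": 30, "non-critical": 90}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str             # placeholder label, not a real CVE identifier
    severity: str            # "critical" or "non-critical"
    found: date              # date the vulnerability scan first reported it
    patched: Optional[date] = None


def deadline(f: Finding) -> date:
    """Date by which the finding must be patched under the SLA."""
    return f.found + timedelta(days=SLA_DAYS[f.severity])


def sla_status(findings: List[Finding], today: date) -> List[dict]:
    """Classify every finding against its SLA.

    Open findings are 'overdue' or 'within_sla'; patched ones are 'closed' or
    'closed_late'. days_over is positive when the deadline was missed.
    Sorted so the open overdue items with the largest slip appear first.
    """
    report = []
    for f in findings:
        if f.patched is not None:
            days_over = (f.patched - deadline(f)).days
            status = "closed_late" if days_over > 0 else "closed"
        else:
            days_over = (today - deadline(f)).days
            status = "overdue" if days_over > 0 else "within_sla"
        report.append({"host": f.host, "vuln_id": f.vuln_id,
                       "severity": f.severity, "status": status,
                       "deadline": deadline(f).isoformat(),
                       "days_over": days_over})
    report.sort(key=lambda r: (r["status"] != "overdue", -r["days_over"]))
    return report


# Constructed scan results for a small firm; hostnames and IDs are made up.
SAMPLE_FINDINGS = [
    Finding("wks-01", "VULN-0001", "critical", date(2025, 1, 1)),
    Finding("srv-02", "VULN-0002", "non-critical", date(2024, 12, 15)),
    Finding("srv-02", "VULN-0003", "critical", date(2025, 2, 20), patched=date(2025, 2, 25)),
    Finding("srv-03", "VULN-0004", "non-critical", date(2024, 11, 1)),
]


def demo_report(today: date = date(2025, 3, 1)) -> List[dict]:
    """Run the tracker over the constructed findings as of a fixed audit date."""
    return sla_status(SAMPLE_FINDINGS, today)


if __name__ == "__main__":
    for row in demo_report():
        print(f"{row['status']:<11} {row['host']:<7} {row['vuln_id']} "
              f"{row['severity']:<12} due {row['deadline']} ({row['days_over']:+d}d)")
```

Feeding the output into a weekly report, or failing a compliance check when the overdue list is non-empty, is what turns the policy on the page into something that can be evidenced if ASIC asks how the patching plan is enforced.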
2. Data Encryption: Protecting Information at Rest and in Transit
The FIIG breach exposed 385GB of sensitive client data, underscoring the importance of encryption. While court documents don’t specify lapses in encryption, the scale of the breach indicates that encryption may not have been fully implemented.
Actionable Steps:
- Encrypt Data: Encrypt sensitive data both at rest (e.g., in databases) and in transit (e.g., during communications) using industry-standard encryption methods like AES-256.
- Key Management: Store encryption keys separately from data and limit access to authorised personnel only.
- Third-Party Verification: Ensure third-party providers, such as sub-custodians (e.g., FIIG’s JP Morgan), adhere to Australian privacy standards for encryption.
- Secure Data Sharing: Use secure client portals to share data instead of email, which isn’t secure.
Why It Matters:
Encryption renders stolen data unusable without the correct decryption keys, reducing the impact of a breach. Had FIIG employed encryption, the exposure of sensitive data on the dark web might have been mitigated.
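The two steps that matter most here are AES-256 for the data and keeping the keys away from the data. The following added example (not code from this article, VBP or FIIG) shows the usual way those fit together, envelope encryption: each client record gets its own AES-256-GCM data key, and that data key is wrapped by a key-encryption key held in a separate key store. The `KeyStore` class is a constructed stand-in for a KMS or HSM, the sample record is made up, and the functions show that a stolen copy of the database row is unreadable without the key store and that tampering with the ciphertext is rejected rather than silently decrypted. It uses the `cryptography` package.

```python
import base64
import json
import os
from typing import Dict

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonces, the recommended size for AES-GCM


class KeyStore:
    """Stand-in for a KMS or HSM (constructed for this example).

    It holds key-encryption keys (KEKs) and only ever wraps or unwraps data
    keys; KEK bytes never leave this object, so a copy of the database alone
    is not enough to decrypt anything.
    """

    def __init__(self) -> None:
        self._keks: Dict[str, bytes] = {}

    def create_kek(self, kek_id: str) -> None:
        self._keks[kek_id] = AESGCM.generate_key(bit_length=256)

    def wrap(self, kek_id: str, dek: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        # kek_id is bound as associated data so a wrapped key cannot be
        # re-labelled as belonging to a different KEK
        return nonce + AESGCM(self._keks[kek_id]).encrypt(nonce, dek, kek_id.encode())

    def unwrap(self, kek_id: str, blob: bytes) -> bytes:
        return AESGCM(self._keks[kek_id]).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], kek_id.encode())


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def _unb64(s: str) -> bytes:
    return base64.b64decode(s)


def encrypt_record(store: KeyStore, kek_id: str, record: dict) -> dict:
    """Envelope-encrypt one client record under a fresh per-record AES-256 data key."""
    dek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = AESGCM(dek).encrypt(nonce, json.dumps(record).encode(), None)
    # Only ciphertext, nonce and the *wrapped* data key sit next to the data
    return {"kek_id": kek_id, "wrapped_dek": _b64(store.wrap(kek_id, dek)),
            "nonce": _b64(nonce), "ciphertext": _b64(ciphertext)}


def decrypt_record(store: KeyStore, row: dict) -> dict:
    dek = store.unwrap(row["kek_id"], _unb64(row["wrapped_dek"]))
    plaintext = AESGCM(dek).decrypt(_unb64(row["nonce"]), _unb64(row["ciphertext"]), None)
    return json.loads(plaintext)


def stolen_row_is_useless(row: dict) -> bool:
    """A copy of the row with no access to the KEK store cannot be decrypted."""
    try:
        decrypt_record(KeyStore(), row)   # empty store: the KEK is simply not there
        return False
    except KeyError:
        return True


def tampering_is_detected(store: KeyStore, row: dict) -> bool:
    """Flipping one ciphertext bit makes AES-GCM reject the record instead of returning garbage."""
    damaged = dict(row)
    raw = bytearray(_unb64(row["ciphertext"]))
    raw[0] ^= 0x01
    damaged["ciphertext"] = _b64(bytes(raw))
    try:
        decrypt_record(store, damaged)
        return False
    except InvalidTag:
        return True


# Constructed sample record; all values are made up.
SAMPLE_RECORD = {"client_id": "C-0001", "name": "A. Client",
                 "account_no": "000-123-456", "balance_aud": 250000.0}


def demo() -> dict:
    """Encrypt the sample record and report the properties the article relies on."""
    store = KeyStore()
    store.create_kek("kek-2025-q1")
    row = encrypt_record(store, "kek-2025-q1", SAMPLE_RECORD)
    return {
        "roundtrip_ok": decrypt_record(store, row) == SAMPLE_RECORD,
        "plaintext_leaked": SAMPLE_RECORD["account_no"] in json.dumps(row),
        "stolen_row_useless": stolen_row_is_useless(row),
        "tamper_detected": tampering_is_detected(store, row),
    }


if __name__ == "__main__":
    print(demo())
```

In production the `KeyStore` is a managed KMS or HSM with its own access controls and audit log, which is what "limit access to authorised personnel only" means in practice; the per-record data keys also let a single client’s data be rotated or destroyed without re-encrypting everything.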
3. Access Controls: Limiting Who Can Access What
The FIIG breach involved a compromised account and unauthorised escalation of privileges. ASIC’s filing links this to poor management of privileged access. Similarly, the RI Advice case highlighted vulnerabilities due to weak password practices.
Actionable Steps:
- Multi-Factor Authentication (MFA): Implement MFA for all remote access. FIIG only adopted MFA in 2022.
- Privileged Account Management: Use separate accounts for administrative tasks and ensure these accounts aren’t used for everyday activities like checking email.
- Access Audits: Regularly audit account access, revoke unnecessary permissions, and ensure policies enforce strong, unique passwords to maintain strict control over who can access sensitive data.
Why It Matters:
Failure to secure privileged accounts allowed attackers to move laterally within FIIG’s network. Post-RI Advice, ASIC mandates strict controls for privileged accounts to prevent such movements and reduce potential damage.
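An access audit is easiest to repeat if the three controls above are written down as checks that run over a directory export and a sign-in log. The following added example (not code from this article, VBP or FIIG) does that: it flags privileged accounts without MFA, privileged accounts used for everyday work such as mail, remote access without MFA, and accounts that have not signed in for 90 days and should have their access revoked. The account list, the key=value log layout and the 90-day staleness threshold are all constructed assumptions, not any vendor’s format or a figure from the article.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed directory export: user, assigned roles, whether MFA is enforced.
ACCOUNTS = [
    {"user": "j.smith",        "roles": ["user"],         "mfa": True},
    {"user": "j.smith-adm",    "roles": ["domain-admin"], "mfa": True},
    {"user": "svc-backup",     "roles": ["domain-admin"], "mfa": False},
    {"user": "t.nguyen",       "roles": ["user"],         "mfa": False},
    {"user": "old-contractor", "roles": ["user"],         "mfa": True},
]

# Constructed sign-in log in a simple key=value layout (not any vendor's real format).
SIGNIN_LOG = """\
2025-05-01T08:02:11Z user=j.smith app=mail result=ok
2025-05-01T09:15:40Z user=j.smith-adm app=mail result=ok
2025-05-01T09:20:05Z user=j.smith-adm app=admin-console result=ok
2025-05-02T07:58:31Z user=svc-backup app=vpn result=ok
2025-05-02T13:01:00Z user=t.nguyen app=vpn result=ok
2025-01-10T10:00:00Z user=old-contractor app=mail result=ok
"""

PRIVILEGED_ROLES = {"domain-admin", "global-admin"}
EVERYDAY_APPS = {"mail", "web-browsing", "chat"}   # an admin account should never touch these
REMOTE_APPS = {"vpn", "remote-desktop"}            # article: MFA for all remote access
STALE_AFTER = timedelta(days=90)                   # assumed revocation threshold

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) result=(?P<result>\S+)$")


def parse_signins(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the audit
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def audit(accounts: List[dict], signin_text: str, as_of: datetime) -> List[Tuple[str, str]]:
    """Return sorted (check, user) pairs for each control that is not met."""
    events = parse_signins(signin_text)
    last_seen: Dict[str, datetime] = {}
    for ev in events:
        if ev["result"] == "ok":
            last_seen[ev["user"]] = max(last_seen.get(ev["user"], ev["ts"]), ev["ts"])

    findings = set()
    for acct in accounts:
        user = acct["user"]
        privileged = bool(PRIVILEGED_ROLES & set(acct["roles"]))
        apps_used = {ev["app"] for ev in events if ev["user"] == user and ev["result"] == "ok"}
        if privileged and not acct["mfa"]:
            findings.add(("privileged-account-without-mfa", user))
        if privileged and apps_used & EVERYDAY_APPS:
            findings.add(("privileged-account-used-for-everyday-work", user))
        if not acct["mfa"] and apps_used & REMOTE_APPS:
            findings.add(("remote-access-without-mfa", user))
        if user not in last_seen or as_of - last_seen[user] > STALE_AFTER:
            findings.add(("stale-account-revoke-access", user))
    return sorted(findings)


def demo(as_of: datetime = datetime(2025, 5, 3)) -> List[Tuple[str, str]]:
    """Run the audit over the constructed data as of a fixed date."""
    return audit(ACCOUNTS, SIGNIN_LOG, as_of)


if __name__ == "__main__":
    for check, user in demo():
        print(f"{check:<42} {user}")
```

Note that `svc-backup` trips two checks at once: a service account holding domain-admin rights with no MFA and a VPN sign-in is exactly the kind of account that lets a single compromise turn into lateral movement across the network.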
4. Incident Response Planning: Be Prepared for the Inevitable
FIIG’s delayed response (it did not act until June 8, 2023, despite early warnings from the ACSC) worsened the impact of the breach. The firm did not have a cyber incident response plan, a critical gap that ASIC identifies as a major oversight.
Actionable Steps:
- Develop an Incident Response Plan: Draft, test, and update your incident response plan annually, outlining roles, containment procedures, and regulatory notification processes (e.g., the Notifiable Data Breaches scheme).
- Implement Security Monitoring Tools: Deploy Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM) tools for proactive monitoring of suspicious activities.
- Establish Expert Contacts: Pre-arrange contacts with cybersecurity experts and legal advisors to facilitate a rapid, coordinated response when an incident occurs.
Why It Matters:
A lack of detection allowed the FIIG attacker to operate undetected for over a week, exfiltrating vast amounts of data. A proactive incident response plan could have halted this breach much sooner.
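Moving hundreds of gigabytes out of a small firm’s network is loud if anyone is measuring. The following added example (not code from this article, VBP or FIIG) is the kind of rule a SIEM runs over daily egress roll-ups from a proxy or firewall: it learns each host’s normal outbound volume from its first week and alerts when a later day exceeds both a multiple of that baseline and an absolute floor. A host with too little history gets its own "insufficient-baseline" alert rather than a ratio against nothing. The log layout, hostnames, byte counts and thresholds are all constructed for the example.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, List

# Constructed daily egress summary (date host bytes_out), the kind of roll-up a
# SIEM builds from proxy or firewall logs. All values are made up.
EGRESS_LOG = """\
2025-05-01 srv-files 1800000000
2025-05-02 srv-files 2100000000
2025-05-03 srv-files 1900000000
2025-05-04 srv-files 2000000000
2025-05-05 srv-files 1700000000
2025-05-06 srv-files 2200000000
2025-05-07 srv-files 1900000000
2025-05-08 srv-files 40000000000
2025-05-09 srv-files 55000000000
2025-05-01 ws-acct 300000000
2025-05-02 ws-acct 400000000
2025-05-03 ws-acct 350000000
2025-05-04 ws-acct 300000000
2025-05-05 ws-acct 500000000
2025-05-06 ws-acct 400000000
2025-05-07 ws-acct 300000000
2025-05-08 ws-acct 600000000
2025-05-09 ws-acct 500000000
2025-05-08 new-vm 12000000000
2025-05-09 new-vm 9000000000
"""


def detect_egress_anomalies(log_text: str, baseline_days: int = 7,
                            factor: float = 5.0, floor_bytes: int = 5_000_000_000) -> List[dict]:
    """Flag days where a host sent far more data out than its own recent norm.

    Baseline = median of the host's first `baseline_days` daily totals. A later
    day alerts when it exceeds both factor x baseline and an absolute floor
    (the floor stops very quiet hosts alerting on noise). Hosts with too little
    history get an 'insufficient-baseline' alert so they are reviewed by hand.
    """
    per_host: Dict[str, List[tuple]] = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore malformed lines
        day, host, nbytes = parts
        per_host[host].append((day, int(nbytes)))

    alerts = []
    for host, rows in per_host.items():
        rows.sort()
        learn, watch = rows[:baseline_days], rows[baseline_days:]
        if len(learn) < baseline_days:
            alerts.append({"host": host, "day": None, "reason": "insufficient-baseline",
                           "bytes": sum(b for _, b in rows)})
            continue
        base = median(b for _, b in learn)
        for day, b in watch:
            if b > factor * base and b > floor_bytes:
                alerts.append({"host": host, "day": day,
                               "reason": f"{b / base:.0f}x baseline", "bytes": b})
    return sorted(alerts, key=lambda a: (a["host"], a["day"] or ""))


def demo() -> List[dict]:
    """Run the rule over the constructed log with the default thresholds."""
    return detect_egress_anomalies(EGRESS_LOG)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The file server alerts on the first day its outbound traffic jumps, which is the point at which a tested incident response plan says who is paged, who isolates the host, and when the Notifiable Data Breaches assessment starts, instead of the week-plus of undetected activity described above.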
Cyber Security Takeaways for Financial Advisory Firms
The FIIG case, similar to the RI Advice case, shows that ignoring cybersecurity can result in severe consequences: legal penalties, reputational damage, and loss of client trust. In FIIG’s case, after the breach, their systems were offline for months, disrupting services significantly.
Key Actions to Prevent Cybersecurity Failures:
1) Appoint a Cybersecurity Lead
Designate a leader to oversee cybersecurity, ensuring focus and accountability in defence strategies.
2) Adopt a Cyber Framework
Align your firm with a recognised framework like the Essential 8 or CIS Controls to streamline and prioritise security measures.
3) Document Policies
Maintain clear, updated documentation of your cybersecurity policies to ensure compliance if reviewed by ASIC.
4) Regular Cyber Posture Assessments
Regularly assess your security posture to adapt to evolving configurations and new threats, reducing vulnerabilities in your environment.
The High Stakes of Cybersecurity
The evolving threat landscape is underscored by the FIIG case’s estimated $2.89–$3.7 billion exposure. Proactive cybersecurity measures—managing vulnerabilities, encrypting data, securing access, and planning for incidents—are crucial to protecting clients and upholding fiduciary duties.
Strengthen Your Firm’s Cybersecurity Today
Don’t wait until it’s too late! Take proactive steps now to protect your business. Our experts can help you implement robust cybersecurity strategies tailored to your needs, from monitoring to incident response. VBP adheres to the highest standards, ensuring your sensitive data is safeguarded against evolving threats.
Contact our experts today to discover how we can empower your firm’s security!