The recent lawsuit filed by ASIC against FIIG Securities Limited highlights critical cybersecurity failures that every business should learn from. Here are the key takeaways to help you strengthen your cybersecurity measures and protect your business from similar risks:
Summary of the Case
FIIG Securities Limited (FIIG) allegedly failed to maintain adequate cybersecurity measures for over four years, resulting in the theft of approximately 385GB of confidential data. This breach affected around 18,000 clients, whose personal information, including names, addresses, birth dates, driver’s licences, passports, bank accounts, and tax file numbers, was compromised and released on the dark web. ASIC’s allegations include FIIG’s failure to:
- Update and patch software and operating systems to address security vulnerabilities.
- Configure and monitor firewalls to protect against cyber-attacks.
- Provide mandatory cybersecurity training to staff.
- Allocate adequate human, technological, and financial resources to manage cybersecurity.
Key Takeaways for Your Business
- Regularly Update and Patch Systems
  - Ensure all software and operating systems are regularly updated.
  - Implement patches as soon as they are released to address security vulnerabilities.
- Monitor and Configure Firewalls
  - Configure firewalls to block unauthorised access.
  - Continuously monitor firewall activity to detect and respond to suspicious behaviour.
- Conduct Mandatory Cybersecurity Training
  - Provide regular training to all employees on cybersecurity best practices.
  - Conduct simulations and drills to ensure staff can effectively respond to cyber incidents.
- Invest in Adequate Resources
  - Allocate sufficient resources to cybersecurity, including hiring skilled personnel and investing in advanced technologies.
  - Regularly review and adjust your cybersecurity budget to meet evolving threats.
- Proactive Incident Response
  - Develop and implement a robust incident response plan.
  - Regularly test the plan to ensure quick and effective responses to cyber incidents.
- Engage with Cybersecurity Experts
  - Engage with external experts and cybersecurity organisations for regular assessments and advice.
  - Stay informed about the latest threats and best practices through continuous learning and collaboration.
New Ransomware Payment Reporting Rules
The Cyber Security (Ransomware Payment Reporting) Rules 2025 mandate that businesses report any ransomware payments to the Australian Cyber Security Centre (ACSC) within 24 hours. Key points include:
- Mandatory Reporting: Businesses must report ransomware payments, including the amount paid, the cryptocurrency used, and the recipient’s details.
- Penalties for Non-Compliance: Failure to report can result in significant fines and penalties.
- Purpose: The rules aim to gather data on ransomware attacks so that this growing threat can be better understood and combated.
By implementing these key takeaways and adhering to the new ransomware payment reporting rules, your business can significantly reduce the risk of cybersecurity failures and protect sensitive data from potential breaches. Remember, cybersecurity is an ongoing process that requires vigilance, investment, and proactive measures.
Federal Register of Legislation – Cyber Security (Ransomware Payment Reporting) Rules 2025
25-035MR ASIC sues FIIG Securities for systemic and prolonged cybersecurity failures | ASIC