Cyber Security Failures Are No Longer an Option for Financial Services

Key Insights

  • ASIC’s legal action against FIIG Securities signals a clear warning: prolonged cybersecurity failures now carry regulatory consequences.
  • Super funds were breached on March 29–30, 2025, exposing how weak passwords and missing MFA still plague the financial sector.
  • Financial services must act now—cybersecurity is no longer optional, especially for cloud platforms like Microsoft 365.

Cybersecurity Failures Are No Longer an Option for Financial Services 

Financial services in Australia are under increasing pressure to harden their cybersecurity posture. In recent months, three significant events have exposed a systemic weakness across the sector: the legal action against FIIG Securities, the coordinated credential stuffing attacks on superannuation funds, and the Australian Signals Directorate's national alert on brute-force attacks. These are not isolated incidents. They are connected by a shared pattern—failure to implement and enforce basic cyber hygiene. 

Cybersecurity failures are no longer just technical issues. They are legal liabilities, reputational risks, and breaches of trust. 

What Happened at FIIG 

In March 2025, ASIC launched legal action against FIIG Securities. The allegations? Years of cybersecurity neglect led to a breach of over 385GB of sensitive client data. The data of 18,000 individuals was exposed. The breach was not detected internally. ASIC argues that FIIG failed to meet its obligations under sections 912A(1)(a), (d), and (h) of the Corporations Act—specifically, to act efficiently, manage risk, and maintain adequate systems. 

Division 3 Obligations of financial services licensees

912A General obligations

 (1) A financial services licensee must:

 (a) do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly; and

 (aa) have in place adequate arrangements for the management of conflicts of interest that may arise wholly, or partially, in relation to activities undertaken by the licensee or a representative of the licensee in the provision of financial services as part of the financial services business of the licensee or the representative; and

 (b) comply with the conditions on the licence; and

 (c) comply with the financial services laws; and

 (ca) take reasonable steps to ensure that its representatives comply with the financial services laws; and

 (cb) if the licensee is the operator of an Australian passport fund, or a person with responsibilities in relation to an Australian passport fund, comply with the law of each host economy for the fund; and

 (d) subject to subsection (4)—have available adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence and to carry out supervisory arrangements; and

 (e) maintain the competence to provide those financial services; and

 (f) ensure that its representatives are adequately trained (including by complying with section 921D), and are competent, to provide those financial services; and

 (g) if those financial services are provided to persons as retail clients:

 (i) have a dispute resolution system complying with subsection (2); and

 (ii) give ASIC the information specified in any instrument under subsection (2A); and

 (h) subject to subsection (5)—have adequate risk management systems; and

 (j) comply with any other obligations that are prescribed by regulations made for the purposes of this paragraph.

This case marks a line in the sand: regulators will now hold firms accountable for prolonged cybersecurity failures. 

 

Super Funds Also Under Attack 

Just weeks later, attackers used credential stuffing tactics to target Australian Super, Rest Super, and Australian Retirement Trust. These attacks exploited customers who reused passwords. Pensioners had accounts accessed without authorisation. Financial data was stolen. Trust was eroded. These were not sophisticated exploits—they were preventable. 

The takeaway is clear: no financial institution is immune. Even well-funded, well-resourced firms are exposed when basic controls are missing. 

What the ASD Is Warning About Now 

The Australian Signals Directorate has warned of an increase in brute-force attacks across the financial sector:

  • Credential stuffing — using login details stolen in previous breaches to access accounts elsewhere.
  • Password spraying — trying a small set of common passwords against many accounts at once.

The targets? Customer-facing portals. Legacy systems. Weak identity controls. The method is simple, and it works—because too many businesses still do not enforce strong passwords or enable multi-factor authentication.

What Financial Services Firms Need to Do 

If you are operating in this sector, there are no shortcuts left. The bar has been raised. You need to:
  • Require phishing-resistant multi-factor authentication across all systems
  • Enforce strong password policies and block reused or common credentials
  • Rate-limit login attempts and alert on unusual login behaviour
  • Verify sensitive changes through separate channels
  • Monitor logs in real time and correlate signals across systems 
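
As an added example (not from the original article or from Emerging IT), here is the detection side of the two ASD-described techniques and the "rate-limit and alert" item above: a small Python detector run over constructed sample authentication log lines. The log format, field names, source addresses, user names and thresholds are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data), one line per login attempt.
SAMPLE_LOG = """\
2025-03-29T22:14:01Z src=203.0.113.7 user=alice result=FAIL
2025-03-29T22:14:02Z src=203.0.113.7 user=bob result=FAIL
2025-03-29T22:14:03Z src=203.0.113.7 user=carol result=FAIL
2025-03-29T22:14:04Z src=203.0.113.7 user=dave result=FAIL
2025-03-29T22:14:05Z src=203.0.113.7 user=erin result=FAIL
2025-03-29T22:14:06Z src=203.0.113.7 user=frank result=SUCCESS
2025-03-29T22:20:00Z src=198.51.100.9 user=alice result=FAIL
2025-03-29T22:20:30Z src=198.51.100.9 user=alice result=SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")

def parse_log(text):
    """Return sorted (timestamp, source, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)

def detect(events, window=timedelta(minutes=5), max_users=5, min_fails=3):
    """Per-source checks that per-account lockout alone misses:
    fanout   - one source tries >= max_users distinct accounts inside `window`
               (the shape of both credential stuffing and password spraying);
    takeover - a SUCCESS from a source with >= min_fails failures in the window."""
    alerts = []
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))
    for src, attempts in by_src.items():
        fanout_seen = False  # raise the fan-out alert once per source
        for i, (ts, user, result) in enumerate(attempts):
            recent = [a for a in attempts[: i + 1] if ts - a[0] <= window]  # trailing window
            users = {a[1] for a in recent}
            fails = sum(1 for a in recent if a[2] == "FAIL")
            if len(users) >= max_users and not fanout_seen:
                fanout_seen = True
                alerts.append(("fanout", src, len(users)))
            if result == "SUCCESS" and fails >= min_fails:
                alerts.append(("takeover", src, user))
    return alerts
```

In the sample, the first source trips both alerts (six accounts in five seconds, then a success after five failures), while the second source, one user mistyping a password once, raises nothing.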

This is not theory. These are the exact failings that allowed FIIG and the super funds to be compromised. 

What Happens If You Fail To Comply

The consequences are no longer hypothetical:
  • ASIC may pursue legal action
  • Customers may suffer financial loss
  • Client data may be published or sold
  • Insurance providers may deny coverage if controls are missing
  • Your reputation may not recover 

This is not just about loss of data. It is about loss of trust, loss of confidence, and loss of your ability to do business. 

A Message to Leaders 

Leadership is no longer about just responding to threats. It is about anticipating them. The cost of doing nothing is now measurable—in legal risk, in financial damage, and in reputational harm. 

If you are not sure whether your business is prepared, now is the time to act. Review your policies. Test your controls. Speak with a provider who understands what regulators expect and what attackers exploit. 

Need Support? 

Cloud-based environments are now central to how financial services operate. But they also introduce new risks—especially around identity, data access, and misconfigured permissions. Emerging IT offers dedicated cloud security solutions to protect your Microsoft 365 environment, monitor threats in real time, and secure client data at scale. 

Cloud security is not just about defence. It's about visibility, control, and compliance—all in one place. 

If you rely on Microsoft 365 or have cloud-first infrastructure, our 365 Cloud Secure service can help you:
  • Detect identity-based attacks before they spread
  • Contain breaches faster with real-time alerts
  • Maintain compliance with Essential 8 and ISO 27001
  • Provide clear audit trails for regulators and insurers

Emerging IT supports financial services firms across Australia to:
  • Harden their Microsoft 365 environments
  • Comply with ASIC and ASD guidance
  • Protect customer data through real-time monitoring
  • Implement clear plans for detection, response, and reporting

We help you reduce exposure before it becomes a headline.

Regulators have raised the bar. Customers expect better protection. The risks are real. We are here to help you meet them.