ASIC lays the smackdown on FIIG Securities over failure to implement basic cyber security

You’d be forgiven for thinking that the regulators only have eyes for the headline makers, those big financial organisations with sprawling IT departments and terrifyingly complex risk profiles. But the latest move by ASIC against FIIG Securities (referenced here) is a pointed reminder that, in the world of cybersecurity, size is no excuse.

The headlines might trumpet the shortcomings of a large investment house, but dig below the surface and there’s a message aimed as much at your 25-person accountancy or law firm as at the boardrooms of one of the big four banks. So, what’s happened, and why should professional services businesses take note?

What Did FIIG Securities Get Wrong, and Does It Apply to You?

Let’s start with the facts. ASIC alleges that FIIG Securities, an investment services firm, suffered from “systemic and prolonged” cybersecurity failures. The claim isn’t about a single slip-up, but rather repeated, unresolved problems over a period of years: inadequate controls, poor incident response plans, and gaps in basic IT hygiene.

You might be thinking: surely they’re judged to a different standard? Well, yes and no. Financial firms operate in a particularly regulated environment, but the principle ASIC is driving at, that businesses must take “reasonable steps” to protect client data and systems, is universal and enshrined in law under the Privacy Act and the Corporations Act.

In plain English: neglecting your security basics because you’re “not a bank” won’t wash if client data is compromised. Regulators have made it painfully clear that doing nothing, or winging it, is not a valid defence.

“Systemic Failures”: What Does That Look Like in Small and Medium Enterprise (SME) Land?

You might not have sprawling server farms or a sea of workstations, but the vulnerabilities that tripped up FIIG are just as relevant at a smaller scale. Here’s what systemic failure often looks like in professional services firms:

  • Outdated or missing policies: Security is the responsibility of ‘someone in IT’, with no senior ownership. Documented policies may not exist, and if they do, they are not followed or reviewed.
  • Inadequate controls: Think unsecured remote access, weak passwords, or ‘temporary’ admin privileges that never get revoked. MFA that hasn’t been applied to all applications or all users. Non-existent or inadequate monitoring of users, services and systems. “Shadow” IT systems that aren’t managed by your IT staff but are subscribed to by staff members (think ChatGPT and the like). The list goes on and on.
  • Slow or ineffective incident response: Breaches are discovered by accident, and chaos ensues when deciding what to do next.
  • Lack of staff security training: Either training is non-existent or it is carried out once (usually when staff are hired) and then forgotten two weeks later.
  • Poor or missing patching and vulnerability management: Software and operating systems require constant monitoring and updates for vulnerabilities. Many firms assume that if automatic Windows updates are enabled, they’re fine. Unfortunately, they’re not: Windows Update covers the operating system, not the third-party applications, firmware and network devices that also need patching.

The lesson? These aren’t exotic or sophisticated risks, just the garden-variety best practices that often tumble down the to-do list.

Why ASIC’s Action Should Jolt SMEs Into Action

If you’re in the business of handling sensitive information, whether that’s client files, financial records, or legal documents, you cannot afford to treat cybersecurity as an afterthought. ASIC’s action signals an increased willingness to test “reasonable steps” in court, and SMEs need to ensure that they can justify their actions (or inactions) if required. Some of the more serious risks exposed in this example are:

  • Reputational risk: Word gets around fast; clients are increasingly asking about security practices, and a public breach can mean years rebuilding trust.
  • Legal exposure: ASIC isn’t shy about using the courts to set examples, and the Privacy Commissioner is showing similar resolve.
  • Commercial disadvantage: As major clients begin making security a non-negotiable in tenders, poor posture can genuinely cost you business.

Practical Takeaways: What Should Professional Services Firms Be Doing?

Not every business needs a bank’s security budget, but there are non-negotiables all the same. Here’s what “reasonable” looks like for most SMEs:

  • Assign ownership: Security isn’t just an IT issue. Someone at the executive level needs to be accountable.
  • Risk assessment: Know what your risk profile is. Talk to your IT provider about where you sit on the security spectrum and ask whether that is appropriate for your business.
  • Basic controls: Get your house in order. Apply MFA and strong password policies everywhere. Undertake vulnerability and patch management across all operating systems and software packages. Make sure you are backing up data wherever it resides (including Microsoft 365).
  • Training: Your people are your first line of defence. Phishing and social engineering remain among the most common breach vectors.
  • Look at security certification: If you ever need to prove that you take security seriously, a third-party certification or framework will go a long way. Consider the SMB1001 certification or the Essential 8 framework as best practices that are achievable for SMEs.

Summing Up: The Road to Compliance (and Peace of Mind)

The writing is on the wall: regulators are expecting more, and the courts may soon be too. The best time to get your cybersecurity house in order was last year; the second-best time is now.

Professional services firms, however small or unassuming, need to treat cybersecurity as a core business risk. That means proper oversight, strong controls, and a willingness to invest in both technology and education. After all, no one wants to be the next cautionary tale.

If you aren’t sure where to start, get in touch. We can help you assess your risks and build a roadmap, before ASIC, or anyone else, decides to do the assessment for you.
