Australian Federal Court Fines FIIG Securities Over Cyber Failures That Exposed Client Data

Key Takeaways
  • Court-Imposed Cyber Penalty: FIIG Securities was ordered to pay $1.77 million USD (AUD 2.5 million) after the Federal Court found the firm failed to meet its cyber security obligations under its AFS licence.
  • Costs and Compliance Mandated: The court also required FIIG to pay $354,000 USD (AUD 500,000) toward ASIC’s costs and to implement a court-supervised cyber compliance programme involving an independent expert.
  • Data Breach Impact: FIIG’s cyber security failures worsened a 2023 cyber-attack that resulted in 385 gigabytes of sensitive client data being stolen and leaked on the dark web, affecting around 18,000 clients.
  • First-of-Its-Kind Penalty: ASIC said this marks the first time civil penalties have been imposed for cyber security failures under general AFS licensee obligations, setting a clear regulatory benchmark.
Deep Dive

Australia’s Federal Court has ordered FIIG Securities Limited to pay $1.77 million USD (AUD 2.5 million) after regulators found the fixed-income specialist failed for years to adequately protect client data from cyber threats, shortcomings that intensified the impact of a major data breach in 2023.

The ruling follows enforcement action by the Australian Securities and Investments Commission, which said FIIG’s cyber security controls were not fit for purpose given the size of its business and the sensitivity of the information it held.

In addition to the penalty, the Federal Court of Australia ordered FIIG to pay $354,000 USD (AUD 500,000) toward ASIC’s legal costs and to undertake a court-mandated compliance program. That program will require the engagement of an independent expert to review and uplift the firm’s cyber security and cyber resilience arrangements.

ASIC said FIIG’s failures exacerbated a 2023 cyber-attack in which approximately 385 gigabytes of confidential data were stolen and later published on the dark web. The compromised material included highly sensitive client information such as passports, driver’s licenses, bank account details and tax file numbers.

Following the incident, FIIG notified around 18,000 clients that their personal information may have been exposed.

According to ASIC, FIIG admitted it breached its Australian Financial Services license obligations by failing to maintain adequate cyber security measures over a period spanning March 2019 to June 2023. The firm acknowledged that controls appropriate to its operations, including adherence to its own internal policies, could have enabled earlier detection of the breach and may have prevented some or all of the data from being downloaded.

ASIC Deputy Chair Sarah Court said the case reflected the growing regulatory consequences of weak cyber governance in the financial services sector.

“Cyber-attacks and data breaches are escalating in both scale and sophistication, and inadequate controls put clients and companies at real risk,” Court said. “ASIC expects financial services licensees to be on the front foot every day to protect their clients. FIIG wasn’t and they put thousands of clients at risk.”

She noted that the financial and reputational consequences of the breach far exceeded what it would have cost FIIG to implement proper controls in the first place.

“This is the first time the Federal Court has imposed civil penalties for cyber security failures under the general AFS licensee obligations,” Court said, describing the decision as setting a clear license-to-operate expectation for robust cyber resilience.

ASIC detailed a range of cyber security failings during the period of non-compliance, including FIIG’s failure to allocate sufficient financial, technological and human resources to manage cyber risks. The regulator said the firm did not implement baseline protections such as multi-factor authentication, strong access controls for privileged accounts, or appropriately configured firewalls and security software.

ASIC also found that FIIG lacked regular penetration testing and vulnerability scanning, had no structured plan to ensure critical software was kept up to date, failed to maintain qualified staff monitoring threat alerts, and did not provide mandatory cyber security training to employees. In addition, the firm did not have an incident response plan that was tested at least annually.

“Entities that fail to maintain proper cyber security controls risk regulatory action by ASIC and exposure to malicious exploitation,” Court said.

FIIG provides retail and wholesale investors with access to fixed-income investments and bond financing and plays a custodial role by holding funds and maintaining records on behalf of clients. At the time of the non-compliance, the firm held approximately $2.13 billion USD (AUD 3 billion) in client assets under management.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.
