Quick Read
- FIIG Securities fined $2.5 million by Federal Court for cybersecurity failures.
- Penalty includes an additional $500,000 for ASIC’s legal costs.
- Failures worsened a 2023 cyber-attack, leaking 385 GB of client data, impacting 18,000 clients.
- FIIG lacked a tested cyber incident response plan and other key security measures.
- ASIC considers this a landmark ruling, setting a ‘licence-to-operate’ standard for cyber resilience.
SYDNEY (Azat TV) – Australia’s Federal Court has ordered FIIG Securities to pay $2.5 million in pecuniary penalties, marking a landmark decision as the first time civil penalties have been imposed for cybersecurity failures under the general Australian Financial Services (AFS) licence obligations. The ruling, stemming from action initiated by the Australian Securities and Investments Commission (ASIC), highlights the critical importance of robust cybersecurity measures, particularly a well-defined and tested incident response plan, in protecting client data.
The fixed income specialist firm was found to have failed in protecting thousands of clients from cyber security threats for more than four years, from March 13, 2019, to June 8, 2023. These failures significantly worsened a 2023 cyber-attack, which resulted in the theft of approximately 385 gigabytes of confidential information and the leakage of highly sensitive client data, including driver’s licenses, passport information, bank account details, and tax file numbers, onto the dark web. FIIG Securities subsequently notified some 18,000 clients that their personal information may have been compromised.
Regulatory Landmark and Financial Repercussions
The Federal Court’s order mandates FIIG Securities to pay a $2.5 million penalty, alongside an additional $500,000 towards ASIC’s legal costs. Beyond the financial penalties, the Court also ordered the firm to undertake a comprehensive compliance program. This program requires the engagement of an independent expert to ensure that FIIG’s cyber security and cyber resilience systems are managed to a reasonable standard, reflecting the gravity of the firm’s past shortcomings.
FIIG Securities, which provides retail and wholesale investors with access to fixed income investments and bond financing, held approximately $3 billion in client assets under management at the time of its non-compliance. The substantial penalty underscores the regulatory expectation that firms of this size, handling sensitive client data, must allocate appropriate resources and implement rigorous controls.
Failures Exacerbate 2023 Cyber Attack
FIIG admitted that it failed to comply with its AFS licence obligations and that adequate cyber security measures, tailored to the firm’s size and the sensitivity of the client data it held, would have enabled it to detect and respond to the data breach much sooner. The company also conceded that adhering to its own policies and procedures could have supported earlier detection and potentially prevented some or all of the client information from being downloaded by malicious actors.
ASIC detailed several critical cybersecurity failures by FIIG Securities during the specified period. These included a lack of the financial and technological resources needed to manage cyber security effectively, and the absence of adequate cyber security measures such as multi-factor authentication for remote access users, strong passwords, access controls for privileged accounts, and appropriate configuration of firewalls and security software. The firm also failed to conduct regular penetration testing and vulnerability scanning, lacked a structured plan for software updates, did not have qualified IT personnel monitoring threat alerts, and failed to provide mandatory cyber security awareness training to staff. Crucially, FIIG did not have an appropriate cyber incident response plan that was tested at least annually, a deficiency that significantly hampered its ability to manage the 2023 breach.
ASIC Sets New Standard for Cyber Resilience
Commenting on the outcome, ASIC Deputy Chair Sarah Court emphasized the escalating scale and sophistication of cyber-attacks and data breaches. She stated that inadequate controls place both clients and companies at significant risk. “ASIC expects financial services licensees to be on the front foot every day to protect their clients. FIIG wasn’t – and they put thousands of clients at risk,” Court said. She highlighted that the consequences for FIIG far exceeded the cost of implementing adequate controls in the first place.
Court underscored the precedent set by this ruling, stating, “This is the first time the Federal Court has imposed civil penalties for cyber security failures under the general AFS licensee obligations, setting a clear licence-to-operate expectation for robust cyber resilience.” ASIC now expects all AFS licensees to prioritize cyber resilience and to invest in people, systems, and governance that are fit for purpose given their entity size and the sensitivity of the client information they hold.
FIIG’s Response and Client Trust
Patrick Sallis, chief executive of AUSIEX, stated that FIIG Securities accepts the Federal Court’s ruling and will comply with all obligations. He affirmed the company’s full cooperation throughout the process and its continued efforts to strengthen its systems, governance, and controls. Sallis also noted that no client funds were impacted and reiterated the firm’s focus on supporting clients and maintaining high standards of information security. However, the incident serves as a stark reminder of the responsibilities that come with clients entrusting licensees with sensitive and confidential information.
The Federal Court’s decision against FIIG Securities establishes a clear and significant precedent, signaling that robust cybersecurity, particularly a well-practiced incident response plan, is no longer merely a best practice but a fundamental regulatory requirement for financial services licensees in Australia. This ruling underscores that the financial and reputational costs of neglecting cyber resilience can be substantial, transforming incident response planning from an operational concern into a strategic imperative for maintaining a ‘licence-to-operate’ in the digital age.