Australian fixed-income specialist FIIG Securities has been ordered to pay $2.5 million in penalties after cyber security failures exposed 18,000 clients to a data breach that saw 385 gigabytes of confidential information stolen.

The Federal Court penalty marks the first time civil penalties have been imposed for cyber security failures under general Australian Financial Services licence obligations, setting new compliance expectations for the financial services sector.

ASIC brought the case against FIIG Securities Limited for failing to protect clients from cyber security threats between March 2019 and June 2023. The company's inadequate controls worsened a 2023 cyber-attack that leaked driver's licences, passport information, bank account details and tax file numbers onto the dark web.

FIIG admitted it failed to comply with its AFS licence obligations and that adequate cyber security measures would have enabled earlier detection and response. The company also admitted that complying with its own policies could have prevented some or all client information from being downloaded.

The Court ordered FIIG to pay $500,000 towards ASIC's costs and undertake a compliance programme involving an independent expert approved by ASIC to ensure its cyber security and cyber resilience systems are reasonably managed.

FIIG's cyber security failures included not allocating necessary financial resources for suitably qualified personnel or adequate technological resources. The company did not implement multi-factor authentication for remote access users, strong passwords and access controls for privileged accounts, or appropriate firewall and security software configuration.

The firm also lacked regular penetration testing and vulnerability scanning, had no structured plan for software security updates, no qualified IT personnel monitoring threat alerts, and no mandatory cyber security awareness training for staff. FIIG did not have an appropriate cyber incident response plan tested at least annually.

Regulatory Expectations

"Cyber-attacks and data breaches are escalating in both scale and sophistication, and inadequate controls put clients and companies at real risk," ASIC Deputy Chair Sarah Court said.

"ASIC expects financial services licensees to be on the front foot every day to protect their clients. FIIG wasn't - and they put thousands of clients at risk."

Ms Court noted that the consequences far exceeded what it would have cost FIIG to implement adequate controls in the first place.

"This is the first time the Federal Court has imposed civil penalties for cyber security failures under the general AFS licensee obligations, setting a clear licence-to-operate expectation for robust cyber resilience," she said.

"Entities that fail to maintain proper cyber security controls risk regulatory action by ASIC and exposure to malicious exploitation."

Law firm Herbert Smith Freehills Kramer recommends that "organisations review their cybersecurity settings against the cybersecurity measures steps that were agreed to be 'adequate' in this case to consider their appropriateness in their setting."