Australian fixed-income specialist FIIG Securities has been issued with an AU$2.5m penalty for failing to protect thousands of clients from cyber security threats for more than four years.
The fines mark the first time the Federal Court has imposed civil penalties for cyber security failures under the general Australian Financial Services (AFS) licensee obligations.
The Federal Court also ordered FIIG to pay $500,000 towards ASIC’s enforcement costs and stipulated FIIG must undertake a compliance programme involving the engagement of an independent expert to ensure its cyber security and cyber resilience systems are reasonably managed.
In 2023 a cyber attack saw around 385 gigabytes of confidential information stolen from FIIG and highly sensitive client data leaked onto the dark web – including driver’s licences, passport information, bank account details and tax file numbers. FIIG notified some 18,000 clients that their personal information may have been compromised.
FIIG admitted that it failed to comply with its AFS licence obligations and that adequate cyber security would have enabled it to detect and respond to the data breach sooner. It also admitted that complying with its own policies and procedures could have supported earlier detection and prevented much of the client information from being downloaded.
ASIC deputy chair Sarah Court said: “Cyber-attacks and data breaches are escalating in both scale and sophistication, and inadequate controls put clients and companies at real risk.
“ASIC expects financial services licensees to be on the front foot every day to protect their clients. FIIG wasn’t – and they put thousands of clients at risk. In this case, the consequences far exceeded what it would have cost FIIG to implement adequate controls in the first place.”





