ASIC action leads to Court order imposing $2.5M penalty on FIIG Securities for cyber security failures
Australian fixed-income specialist, FIIG Securities Limited, has been ordered to pay $2.5 million in pecuniary penalties after the Australian Securities and Investments Commission (ASIC) brought a case against the firm for failures to protect thousands of clients from cyber security threats for more than four years.
FIIG’s failures worsened a 2023 cyber-attack which saw around 385 gigabytes of confidential information stolen and highly sensitive client data leaked onto the dark web – including driver’s licences, passport information, bank account details and tax file numbers.
FIIG notified some 18,000 clients that their personal information may have been compromised.
FIIG admitted that it failed to comply with its Australian Financial Services (AFS) licence obligations and that adequate cyber security measures – suited to a firm of its size and the sensitivity of client data held – would have enabled it to detect and respond to the data breach sooner. It also admitted that complying with its own policies and procedures could have supported earlier detection and prevented some or all of the client information from being downloaded.
The Federal Court today ordered FIIG to pay a $2.5 million penalty and $500,000 towards ASIC’s costs. The Court also ordered FIIG to undertake a compliance programme involving the engagement of an independent expert to ensure its cyber security and cyber resilience systems are reasonably managed.
FIIG’s cyber security failures between 13 March 2019 and 8 June 2023 included examples where it did not:
- allocate the necessary financial resources to have suitably qualified and experienced people available, or implement adequate technological resources to manage cyber security
- implement adequate cyber security measures, including multi-factor authentication for remote access users, strong passwords and access controls for privileged accounts, appropriate configuration of firewalls and security software, regular penetration testing and vulnerability scanning
- have a structured plan to ensure key software systems were being updated to address security vulnerabilities
- have qualified IT personnel monitoring threat alerts to identify and respond to cyber-attacks
- provide mandatory cyber security awareness training to staff, and
- have an appropriate cyber incident response plan that was tested at least annually.
FIIG provides retail and wholesale investors with access to fixed income investments and bond financing. As an AFS licensee, FIIG plays an important role in providing custodial and trading services, maintaining records of client investments, and holding funds and fixed income investments on behalf of its clients.
At the time of non-compliance, FIIG held approximately $3 billion in client assets under management.
