Fixed-income specialist FIIG Securities has been penalised $2.5 million for failing to protect confidential client data over more than four years. 

The Federal Court has also ordered the investment company to undertake a compliance program with an independent expert to ensure its cybersecurity and resilience systems are reasonably managed.  

The court delivered the ruling last week after the Australian Securities and Investments Commission launched legal action alleging FIIG failed to have adequate cyber protections, breaching its licence obligations. 

“ASIC expects financial services licensees to be on the front foot every day to protect their clients. FIIG wasn’t – and they put thousands of clients at risk,” deputy chair Sarah Court said.

“In this case, the consequences far exceeded what it would have cost FIIG to implement adequate controls in the first place.  

“This is the first time the Federal Court has imposed civil penalties for cybersecurity failures under the general [Australian financial services] licensee obligations, setting a clear licence-to-operate expectation for robust cyber resilience.”

The failures occurred between March 13 2019 and June 8 2023.  

ASIC says the failures “worsened a 2023 cyberattack, which saw around 385 gigabytes of confidential information stolen and highly sensitive client data leaked onto the dark web – including drivers’ licences, passport information, bank account details and tax file numbers”.

Aon Australia head of specialty Alistair Clarke says the ASIC case against FIIG “marks a turning point for Australian organisations. ASIC has made it clear that boards and executives are accountable for ensuring cybersecurity controls keep pace with the scale and sensitivity of the data they hold.

“Cyber risk is business risk, and failure to manage it appropriately now carries real financial and regulatory consequences.”