The Australian Securities & Investments Commission (ASIC) secured Federal Court orders requiring FIIG Securities Limited to pay AUD 2.5 million in civil penalties after the firm admitted breaches of its Australian Financial Services (AFS) licence obligations relating to cyber security over more than four years. ASIC said the failures worsened a 2023 cyber-attack in which around 385 gigabytes of confidential information was stolen and sensitive client data was leaked to the dark web, with FIIG notifying about 18,000 clients that their personal information may have been compromised. Alongside the penalty, the Court ordered FIIG to pay AUD 500,000 towards ASIC’s costs and to undertake a compliance programme, including engaging an independent expert to ensure its cyber security and cyber resilience systems are reasonably managed. ASIC set out specific control gaps between 13 March 2019 and 8 June 2023, including inadequate resourcing and expertise, lack of multi-factor authentication and other access controls, weak patching and update planning, insufficient monitoring of threat alerts, absence of mandatory staff awareness training, and no appropriately tested incident response plan. ASIC noted this is the first time the Federal Court has imposed civil penalties for cyber security failures under the general AFS licensee obligations.