Fixed income manager FIIG Securities has been ordered by the Federal Court to pay $2.5 million in penalties over serious cybersecurity shortcomings. The ruling follows findings that the firm failed to adequately safeguard client data over a four-year period, culminating in a significant cyberattack in 2023.
The breach impacted approximately 18,000 clients and resulted in the theft of around 385 gigabytes of sensitive data. Information exposed on the dark web included driver’s licences, passport details, bank account information and tax file numbers.
According to the court, between 13 March 2019 and 8 June 2023, FIIG failed to implement essential cybersecurity safeguards. These failures included insufficient allocation of financial and technological resources, lack of qualified cybersecurity personnel, absence of multi-factor authentication for remote access, weak password and privileged account controls, inadequate firewall and software configurations, and failure to conduct regular penetration testing and vulnerability scans.
The firm also lacked a structured software update process to address security vulnerabilities, did not have properly trained IT staff monitoring threat alerts, failed to provide mandatory cybersecurity awareness training to employees, and did not maintain or regularly test an appropriate cyber incident response plan.
In addition to the $2.5 million penalty, the court ordered FIIG to contribute $500,000 toward ASIC’s legal costs. The company must also undertake a compliance program, including appointing an independent expert to review and strengthen its cybersecurity and cyber resilience frameworks.
This marks the first instance in which the Federal Court has imposed civil penalties for cybersecurity breaches under general Australian Financial Services (AFS) licence obligations.
“FIIG admitted that it failed to comply with its AFS licence obligations and that adequate cyber security measures – suited to a firm of its size and the sensitivity of client data held – would have enabled it to detect and respond to the data breach sooner.
“It also admitted that complying with its own policies and procedures could have supported earlier detection and prevented some or all of the client information from being downloaded.”
ASIC deputy chair Sarah Court emphasised the regulator’s stance on cybersecurity compliance: “Cyber-attacks and data breaches are escalating in both scale and sophistication, and inadequate controls put clients and companies at real risk.
“ASIC expects financial services licensees to be on the front foot every day to protect their clients. FIIG wasn’t – and they put thousands of clients at risk.
“In this case, the consequences far exceeded what it would have cost FIIG to implement adequate controls in the first place.”
Responding to the ruling, FIIG stated: “FIIG accepts the Federal Court’s ruling related to a cybersecurity incident that occurred in 2023 and will comply with all obligations. We cooperated fully throughout the process and have continued to strengthen our systems, governance and controls. No client funds were impacted, and we remain focused on supporting our clients
[…]
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents