Federal Court Imposes Penalties on FIIG Securities for Cybersecurity Breaches
In a significant legal development, the Federal Court has ordered FIIG Securities, a fixed income management firm, to pay a $2.5 million penalty for serious deficiencies in its cybersecurity infrastructure.
The ruling follows a finding that the firm failed to adequately protect client information over a four-year period, culminating in a major cyber attack in 2023.
The breach compromised the data of nearly 18,000 clients and resulted in the exfiltration of approximately 385 gigabytes of sensitive information.
Among the data exposed on the dark web were driver’s licenses, passport numbers, banking details, and tax file identifiers.
Investigations revealed that between March 13, 2019, and June 8, 2023, FIIG neglected to implement critical cybersecurity measures. The court identified several shortcomings, including:
- Insufficient allocation of financial and technological resources
- Lack of qualified cybersecurity personnel
- Absence of multi-factor authentication for remote access
- Weak password management and privileged account controls
- Inadequate firewall and software configurations
- Failure to conduct regular penetration testing and vulnerability assessments
Additionally, the firm was criticized for lacking a systematic approach to software updates to mitigate security vulnerabilities, insufficiently trained IT staff overseeing threat alerts, and neglecting to provide essential cybersecurity awareness training for employees.
Moreover, there was no appropriate plan to regularly test or maintain a cyber incident response strategy.
Beyond the financial penalty, FIIG is ordered to contribute $500,000 towards the legal expenses incurred by the Australian Securities and Investments Commission (ASIC).
Furthermore, the firm is mandated to initiate a compliance program, which includes appointing an independent expert tasked with reviewing and fortifying its cybersecurity protocols and resilience frameworks.
This decision marks a pivotal moment as it is the first instance where the Federal Court has levied civil penalties related to cybersecurity deficiencies under general Australian Financial Services (AFS) licence obligations.
“FIIG has acknowledged its breach of AFS licence obligations, admitting that appropriate cybersecurity protocols, tailored for its operational scale and the sensitivity of client information, could have allowed for earlier detection and response to the data breach,” stated the court.
ASIC’s Deputy Chair, Sarah Court, highlighted the ongoing threat posed by escalating cyber-attacks and data breaches.
“Inadequate cybersecurity controls expose both clients and institutions to tangible risks. We expect financial services licensees to proactively safeguard their clientele, and FIIG’s negligence put thousands at risk,” she asserted.

Responding to the court’s decision, FIIG issued a statement acknowledging the ruling. The firm said that FIIG accepts the Federal Court’s judgment concerning the cybersecurity incident of 2023 and is committed to fulfilling all mandated obligations.
“We have fully cooperated throughout the inquiry and will continue to enhance our systems, governance, and controls. There has been no compromise of client funds, and we remain devoted to our client support initiatives.”
Source link: Itsecuritynews.info.