Secure ISS

Lumara in Action

Protecting $2B of Investor Trust at Income Asset Management

About Income Asset Management

Income Asset Management Group (ASX: IAM) is one of Australia's specialist fixed income houses. With more than 14 years in the market and over $2 billion in assets under administration, IAM gives wholesale investors, advisers, government organisations, NFPs and custodians direct access to bonds, syndicated loans and managed discretionary accounts.


Behind the offering sits a deliberately lean internal technology team and a cloud-native environment across AWS and Microsoft Azure, serving a national hybrid workforce in a market where trust and operational continuity are the product.



A Lean Fintech Built on Trust

IAM has evolved from term deposit broking into a broader fixed income offering. With that evolution came higher expectations on the platform behind it. Wholesale investors and institutional clients expect fast, clean execution. Regulators expect credible evidence that the money and data moving through IAM are well governed.

That tension is familiar for a modern fintech. IAM's internal technology team is intentionally small and senior, which meant building a 24/7 in-house security operations centre was never the right answer. At the same time, continuous coverage of the cloud environment wasn't optional.

When Nick May stepped into the CTO role, one of his first priorities was a full review of IAM's cybersecurity posture. AFSL obligations and cyber insurance renewals both require clear evidence of active monitoring and response. IAM needed a partner who could deliver the standard of protection a much larger institution expects, without turning IAM into a security company.


"In our business, trust is the product. We look after money and data that our clients rely on us to protect, and the cost of one bad incident can easily outlast years of good work. That is why I wasn't prepared to have hours in the week where nobody was watching our environment."

Nick May, Chief Technology Officer, Income Asset Management


IAM already had a strong managed service provider handling day-to-day IT. What the business needed alongside that was a dedicated security operations layer monitoring the cloud estate around the clock, acting as a genuine extension of the internal team.


What We Deliver

We partner with IAM to deliver 24/7 managed detection and response from our sovereign Australian SOC. Lumara SecOps Cloud ingests firewall telemetry and cloud logs from IAM's AWS and Azure environments, while SentinelOne XDR runs on every endpoint. Our analysts handle threat hunting and response in close coordination with IAM's MSP, so nothing falls between the two teams.

Around the platform sits a governance rhythm IAM can rely on. Monthly posture reviews feed directly into board-ready reporting. Incident response is planned against a shared severity and communications matrix co-designed with IAM and their MSP, so every party knows its role before something happens rather than during it. CVE advisories are sized to what the team needs to act on, not noise they have to wade through. Quarterly awareness training and realistic phishing simulations keep staff ready for the tactics most likely to land.



Enterprise-grade security without building a SOC

For IAM, the shift is never about adding more tools. It is about giving the business the confidence to keep growing. That looks like continuous monitoring and fast escalation across the cloud estate, backed by a joint response process between IAM's MSP and our SOC that removes any ambiguity about ownership. The security culture inside the business has strengthened alongside it, with staff now flagging suspicious activity in real time, often before alerting picks it up.

In practice, that means:

  • Continuous monitoring across IAM's AWS and Azure environments, with rapid escalation any time something doesn't look right.

  • A joint MSP and SOC response model where ownership is agreed in advance, not negotiated mid-incident.

  • A security culture inside IAM where staff flag suspicious activity in real time, often before tooling does.

Confidence at the board

Three years in, a live security event put that joint response model to the test. Every party stayed calm and worked the agreed severity matrix through to a clean resolution.

That governance cadence shapes how Nick talks about security with the board. AFSL cyber attestations are straightforward to evidence when regulators or auditors come asking, and cyber insurance renewals run cleanly end to end. In Nick's words, "green ticks through the thing all the way to board approval."

Built for what's next

IAM's next chapter focuses on the products where the business differentiates, particularly syndicated loans and managed discretionary accounts, and on meeting the expectations of a security-conscious wholesale investor base. That brings serious security questions forward, from responsible AI governance in a regulated fintech to incident response playbooks maturing through realistic simulation. Our role is to make sure the security partnership scales with IAM rather than becoming friction.



Security That Protects Investor Trust

Three years on, we deliver 24/7 threat detection and response across IAM's cloud environment, along with the governance and reporting rhythm that keeps security visible at the board level. That means evidence rather than reassurance when regulators or insurers ask the hard questions, and an internal team that stays focused on the products and services that differentiate the business rather than on watching alerts overnight.

As Nick puts it:

"When the board asks me how I know our environment is secure, I can now point to a pattern of evidence rather than an opinion. That is the shift Secure ISS has made, and for a regulated fintech it changes what my job actually looks like."

Nick May, Chief Technology Officer, Income Asset Management



At Secure ISS, we believe Australian organisations deserve to be defended by people who understand this country and the regulated markets our clients operate in. Our SOC is sovereign and local, with rapid escalation when it matters.

Looking for a security partner who understands your environment? Learn how Secure ISS can support you.



Australia is secure when
Australian talent defends it.

Reach out today to discuss how, with Lumara, we can work together to protect your business from the always-changing Australian threat landscape.
