FIIG fined $2.5M as cybersecurity failures set regulatory precedent

Jennifer Clancy - Bellrock Advisory

The outcome of ASIC's action against FIIG Securities is an order to pay a $2.5M penalty, following findings that it failed to comply with its AFS licence obligations to maintain adequate cyber security measures.

The case reflects ASIC’s growing focus on cyber risk as a risk management obligation for AFS licensees and is the first time the Federal Court has imposed civil penalties for a cyber security failure under the general Australian Financial Services licensee obligations.

The 2023 cybersecurity breach

FIIG Securities Limited (FIIG) is the holder of an Australian Financial Services Licence (AFSL) and provides fixed income investment products. As detailed here, in 2023 a cyber-attack on FIIG resulted in the theft of around 385 gigabytes of client information, including driver's licence and passport details, bank account information, Medicare cards, and tax file numbers. FIIG notified approximately 18,000 clients that their personal information may have been impacted.[1]

In March 2025 ASIC commenced proceedings against FIIG alleging that it had failed to have adequate cybersecurity measures for a period of more than four years. Some of the particulars of ASIC's allegations were that FIIG:

  1. Did not have multi-factor authentication (MFA) for any of its remote access users
  2. Did not have SIEM (security information and event management) software on its network
  3. Did not test its cyber incident response plan
  4. Recorded passwords for privileged accounts in files on FIIG’s network rather than storing them via secure methods
  5. Did not have a patching plan across its systems and applications to identify available patches and software updates
  6. Did not update endpoint threat signatures daily
  7. Did not provide mandatory security awareness training to employees which addressed the organisation’s key cybersecurity risks and the behaviour expected of employees in respect of those risks.

Outcome of Federal Court action

The Federal Court ordered FIIG to:

  1. Pay a $2.5M penalty;
  2. Pay $500,000 towards ASIC’s legal costs; and
  3. Implement a compliance programme, including the appointment of an independent expert to review and strengthen its cybersecurity and cyber-resilience systems.

FIIG admitted that it failed to meet its Australian Financial Services (AFS) licence obligations and acknowledged that appropriate cybersecurity measures commensurate with its size and the sensitivity of the client data it held would have allowed it to detect and respond to the breach sooner.

FIIG also accepted that adherence to its own policies and procedures may have enabled earlier detection and prevented some or all of the client information from being downloaded.

Implications for Financial Services Licensees

ASIC Deputy Chair Sarah Court said cyber-attacks and data breaches were increasing in both scale and sophistication, warning that weak controls exposed clients and companies to significant risk: "ASIC expects financial services licensees to be on the front foot every day to protect their clients. FIIG wasn't, and they put thousands of clients at risk."[2]

The Deputy Chair said the cost of the breach far exceeded what it would have taken for FIIG to implement adequate controls in the first place, noting that the case marked the first time the Federal Court had imposed civil penalties for cybersecurity failures under the general AFS licence obligations. This was ASIC's second cyber security enforcement action, following the landmark RI Advice decision.[3]

ASIC reiterates expectations

ASIC expects AFS licensees to prioritise cyber-resilience and to invest in people, systems and governance that are fit for purpose given the entity's size and the sensitivity of the client information it holds. ASIC has reinforced this in its recently released 2026 Key Issues Outlook, which noted that cyber-attacks, data breaches and inadequate operational resilience and crisis management are among its key concerns for this year.

The regulator recommends that organisations and investors consider guidance from the Australian Signals Directorate's Australian Cyber Security Centre to support their cybersecurity practices.[4]

Summary

This case is a stark reminder that investing in cybersecurity and resilience now is far cheaper than paying a penalty for a breach down the line.

The allegations detailed in ASIC's originating process also set out the expectations of AFS licensees (with due consideration for your firm's respective size and maturity) with respect to specific cyber security measures, policies and ongoing training.


References

[1] ASIC sues FIIG Securities for systemic and prolonged cybersecurity failures
[2] ASIC action sees FIIG Securities ordered to pay $2.5 million over cyber security failures
[3] ASIC's top enforcement priorities for 2025
[4] Key issues outlook 2026
