FIIG Fined $2.5m by ASIC: What can we learn?
Brisbane-based fixed-income specialist FIIG Securities Limited (FIIG) was ordered by the Federal Court to pay $2.5 million in pecuniary penalties after ASIC brought a case against the firm (which holds an Australian Financial Services Licence) for failing to adequately protect thousands of clients from cyber security threats over a period exceeding four years. We covered the initial action previously here.
As a quick reminder, in 2023, FIIG suffered a cyber-attack resulting in the theft of approximately 385 gigabytes of confidential information. Highly sensitive client data—including driver’s licences, passport details, bank account information, and tax file numbers—was leaked onto the dark web. FIIG notified around 18,000 clients that their personal information might have been compromised, though the notification came somewhat belatedly (and only after FIIG had been independently notified of the leak).
The FIIG decision
The Federal Court imposed a $2.5 million penalty on FIIG, alongside an order to pay $500,000 towards ASIC’s legal costs. Additionally, the Court mandated FIIG to undertake a compliance programme, requiring the engagement of an independent expert to ensure the reasonable management of its cyber security and cyber resilience systems.
Central to the Court’s decision was FIIG’s admission that it had failed to comply with its Australian Financial Services (AFS) licence obligations. FIIG acknowledged shortcomings including:
- Not taking all necessary steps to ensure its financial services were delivered efficiently, honestly, and fairly, including lacking adequate measures to protect clients from the risks and consequences of a cyber incident.
- Failing to maintain sufficient financial, technological, and human resources to meet its obligations and support robust cyber security measures.
- Neglecting to implement an adequate risk management system to manage or mitigate cyber security risks affecting FIIG and its clients.
FIIG also conceded that appropriate cyber security measures, tailored to a firm of its size and the sensitivity of client data held, would have enabled it to detect and respond to the breach more swiftly. Compliance with its own policies and procedures may have facilitated earlier detection and prevented some or all client information from being downloaded.
The first civil penalties for cybersecurity failures
This case marks the first instance in which the Federal Court has imposed civil penalties for cybersecurity failures under the general obligations of an AFS licence. According to ASIC’s media release, the decision sets a clear expectation for robust cyber resilience as a licence-to-operate requirement for AFS licence holders.
In its assessment of damages, ASIC emphasised that the cost of implementing necessary cyber controls would have been significantly lower than the damages incurred as a result of the breach. ASIC also highlighted the responsibility of organisations that hold personal data to ensure its protection, thereby retaining client trust.
At the time of the breach, FIIG managed roughly $3 billion in client assets.
FIIG’s cyber security failures between 13 March 2019 and 8 June 2023 included:
- Not allocating sufficient financial resources to employ suitably qualified personnel or implement adequate technological solutions for cyber security.
- Failing to put in place core cyber security measures such as multi-factor authentication for remote access, strong password protocols, access controls for privileged accounts, proper firewall and security software configuration, regular penetration testing, and vulnerability scanning.
- Neglecting to have a structured plan for updating key software systems to address security vulnerabilities.
- Lacking qualified IT staff to monitor threat alerts and respond to cyber-attacks.
- Not providing mandatory cyber security awareness training to staff.
- Failing to establish and annually test a comprehensive cyber incident response plan.
The Deputy ASIC Chair warned, “Entities that fail to maintain proper cyber security controls risk regulatory action by ASIC and exposure to malicious exploitation.”
One of the most concerning aspects of this case was FIIG’s failure to discover the breach independently. Even after being warned about the exfiltration of client data, FIIG waited another six days before initiating a formal internal investigation.
Other ASIC Cyber Enforcement
ASIC is increasingly active in cyber enforcement. The FIIG case was ASIC’s second cyber security enforcement action. In May 2022, the Federal Court found that AFS licensee RI Advice breached its licence obligations to act efficiently and fairly by failing to have adequate risk management systems for cyber security risks (22-104MR). Our previous coverage of the initial action is here, with the final decision here.
In July 2025, ASIC initiated civil proceedings against Fortnum Private Wealth Limited, alleging inadequate management and mitigation of cyber security risks (25-143MR).
ASIC Expectations and Resources
ASIC expects AFS licensees to prioritise cyber resilience and invest in people, systems, and governance that are fit-for-purpose according to the entity’s size and sensitivity of client information.
Cyber-attacks, data breaches, and insufficient operational resilience were identified as key issues in ASIC’s 2026 key issues outlook. ASIC expects AFS licensees to prioritise investments in systems that protect customers and uphold the integrity of the financial system.
ASIC’s regulatory resources include further information about cyber security and cyber resilience:
ASIC also recommends that organisations and investors consider advice from the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre. The ASD provides easy-to-understand advice on what organisations and investors should do when they suffer a data breach via its Report and recover webpage.