Fiig Securities fined $2.5 million for cyber security failures in first action against financial services licensee for this sort of breach
February 12, 2026
ASIC has successfully obtained a fine of $2.5 million, plus legal costs of $500,000, against Fiig Securities for cyber security failures over four years and a data breach in 2023 which resulted in the loss of 385GB of data affecting 18,000 of its clients. ASIC is, needless to say, very satisfied with the outcome. Not only are the fine and costs order, totalling $3 million, painful, but there is also the reputational damage. The legal action has been reported widely, including by Cyber Daily, iTnews and Financial Standard.
The action highlights the changing litigation landscape. Cyber attacks will no longer be treated as “one of those things”, as acts of God, or as a cost of doing business. If, as they do, regulators look at the systems, protocols and training of organisations hit by cyber attacks and find inadequacies, there is a real chance those organisations will be the subject of civil proceedings, whether by ASIC or the Privacy Commissioner. The best solution is to have proper, up-to-date cyber protection and a decent regime of training for handling data properly. Even if there is a cyber attack, having a good system in place will counter a regulator looking for a scalp.
The story is covered by Information Age:
Fiig Securities has become the first financial services licensee to be hit with penalties for cybersecurity failures, with the broker ordered to pay $2.5 million after a prolonged series of security lapses exposed client data.
In 2023, Fiig suffered a cyberattack which saw the now-defunct ransomware outfit AlphV Blackcat boast the theft of an alleged 385GB of data across approximately 18,000 of the firm’s clients.
In March 2025, corporate regulator Australian Securities and Investments Commission (ASIC) alleged the firm “failed to have adequate cybersecurity measures” for more than four years leading up to the attack, and ultimately decided to sue the firm.
On Monday, nearly three years after Fiig’s cyberattack, Australia’s Federal Court officially ordered the firm to pay a $2.5 million pecuniary penalty.
“Cyberattacks and data breaches are escalating in both scale and sophistication, and inadequate controls put clients and companies at real risk,” said ASIC deputy chair Sarah Court.
Fiig will also need to pay $500,000 towards ASIC’s costs in the case, while the court further ordered the firm to undertake a compliance programme involving an “independent expert” to ensure its cybersecurity and cyber-resilience systems are “reasonably managed”.
In a public statement, Fiig said it both acknowledged and accepted the outcomes of the Federal Court proceedings.
“Fiig has continued to strengthen its governance, leadership and cybersecurity defences to better protect customer data and will continue to do so with the support of its parent company AUSIEX (Australian Investment Exchange Limited),” the company said.
In a statement given to Information Age, AUSIEX chief executive Patrick Salis said the company “cooperated fully” throughout the court process.
“No client funds were impacted, and we remain focused on supporting our clients and maintaining the highest standards of information security,” said Salis.
Sarah Court noted the case marked the “first time” Australia’s Federal Court has imposed civil penalties for cybersecurity failures under general Australian Financial Services (AFS) licence obligations.
Security blunders put thousands at risk
ASIC said Fiig failed to protect “thousands of clients” from cybersecurity threats between 13 March 2019 and 8 June 2023, most notably by neglecting to “allocate the necessary financial resources to have suitably qualified and experienced people available”.
According to ASIC, the company also failed to “implement adequate technological resources to manage cybersecurity”.
Among other cybersecurity failures, ASIC highlighted examples where the firm failed to adopt strong passwords and access controls for privileged accounts, did not implement multi-factor authentication for remote access users, and skimped on regular penetration testing and vulnerability scanning.
In other examples, firewalls and security software were set up without “appropriate configuration”, while ASIC further noted the company did not have qualified IT staff monitoring threat alerts to “identify and respond to cyberattacks”.
“Entities that fail to maintain proper cybersecurity controls risk regulatory action by ASIC and exposure to malicious exploitation,” said Sarah Court.
“In this case, the consequences far exceeded what it would have cost Fiig to implement adequate controls in the first place.”
Passports, tax file numbers stolen
According to an update shared by Fiig, the types of personal information “accessed and stolen” from its current and former clients included names, addresses, dates of birth, telephone numbers and email addresses.
More notably, the firm also lost clients’ driver’s licence details, passport information, bank account details (including account numbers and BSBs) and tax file numbers.
For Fiig’s institutional clients, the firm believed “other personal information” that may have been included in documentation provided to Fiig had been accessed – such as company directors’ names and identity documents.
ASIC clamps down on AFS licensees
Fiig falls under Australia’s general AFS licence obligations, which mandate licensees adopt “adequate risk management systems” and technical resources, among other requirements.
According to ASIC, the firm admitted it failed to comply with AFS obligations and that adequate cybersecurity measures would have “enabled it to detect and respond to the data breach sooner”.
Fiig further conceded that following its own security policies and procedures could have supported earlier detection and potentially prevented “some or all” of the client data being stolen.
At the time of its non-compliance, Fiig held approximately $3 billion in client assets under management.
Following the court outcome, ASIC reiterated it expects AFS licensees to “prioritise and invest” in systems that “protect their customers and maintain integrity in the financial system”.
“ASIC expects financial services licensees to be on the front foot every day to protect their clients,” said Sarah Court.
“Fiig wasn’t – and they put thousands of clients at risk.
“Clients entrust licensees with sensitive and confidential information, and that trust carries clear responsibilities.”
In 2022, ASIC sued financial services company RI Advice for $750,000 over poor cybersecurity practices.
The regulator again took legal action against financial advice business Fortnum Private Wealth last July, alleging the firm exposed clients to “an unacceptable level” of cybersecurity risk after customer data reportedly appeared on the dark web.
Fortnum’s next hearing is expected in mid-July.
Not surprisingly, ASIC issued a very bullish media release, as it should. It was a very good and significant win in an industry where cyber security has traditionally been put a long way down the list of priorities, and where the Privacy Commissioners (previous ones, not the current one) were very timid regulators. The media release relevantly provides:
Australian fixed-income specialist, FIIG Securities Limited (FIIG), has been ordered to pay $2.5 million in pecuniary penalties after ASIC brought a case against the firm for failures to protect thousands of clients from cyber security threats for more than four years.
FIIG’s failures worsened a 2023 cyber-attack which saw around 385 gigabytes of confidential information stolen and highly sensitive client data leaked onto the dark web – including driver’s licences, passport information, bank account details and tax file numbers.
FIIG notified some 18,000 clients that their personal information may have been compromised.
FIIG admitted that it failed to comply with its Australian Financial Services (AFS) licence obligations and that adequate cyber security measures – suited to a firm of its size and the sensitivity of client data held – would have enabled it to detect and respond to the data breach sooner. It also admitted that complying with its own policies and procedures could have supported earlier detection and prevented some or all of the client information from being downloaded.
The Federal Court today ordered FIIG to pay a $2.5 million penalty and pay $500,000 towards ASIC’s costs. The Court also ordered FIIG to undertake a compliance programme involving the engagement of an independent expert to ensure its cyber security and cyber resilience systems are reasonably managed.
ASIC Deputy Chair Sarah Court said, ‘Cyber-attacks and data breaches are escalating in both scale and sophistication, and inadequate controls put clients and companies at real risk.
‘ASIC expects financial services licensees to be on the front foot every day to protect their clients. FIIG wasn’t – and they put thousands of clients at risk.
‘In this case, the consequences far exceeded what it would have cost FIIG to implement adequate controls in the first place.
‘This is the first time the Federal Court has imposed civil penalties for cyber security failures under the general AFS licensee obligations, setting a clear licence-to-operate expectation for robust cyber resilience.
‘Clients entrust licensees with sensitive and confidential information, and that trust carries clear responsibilities.
FIIG’s cyber security failures between 13 March 2019 and 8 June 2023 included examples where it did not:
- allocate the necessary financial resources to have suitably qualified and experienced people available, or implement adequate technological resources to manage cyber security
- implement adequate cyber security measures, including multi-factor authentication for remote access users, strong passwords and access controls for privileged accounts, appropriate configuration of firewalls and security software, regular penetration testing and vulnerability scanning
- have a structured plan to ensure key software systems were being updated to address security vulnerabilities
- have qualified IT personnel monitoring threat alerts to identify and respond to cyber-attacks
- provide mandatory cyber security awareness training to staff, and
- have an appropriate cyber incident response plan that was tested at least annually.
‘Entities that fail to maintain proper cyber security controls risk regulatory action by ASIC and exposure to malicious exploitation,’ the Deputy Chair said.
ASIC expects AFS licensees to prioritise cyber-resilience and invest in people, systems and governance which are fit-for-purpose for entity size and the sensitivity of client information held.
Background
FIIG provides retail and wholesale investors with access to fixed income investments and bond financing. As an AFS licensee, FIIG plays an important role in providing custodial and trading services, maintaining records of client investments, and holding funds and fixed income investments on behalf of its clients. At the time of non-compliance, FIIG held approximately $3 billion in client assets under management.
ASIC identified cyber-attacks, data breaches and/or inadequate operational resilience and crisis management within its 2026 key issues outlook, and expects AFS licensees to prioritise and invest in systems that protect their customers and maintain integrity in the financial system.
This case was ASIC’s second cyber security enforcement action. In May 2022, the Federal Court ruled that AFS licensee RI Advice had breached its licence obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cyber security risks (22-104MR).
ASIC filed civil proceedings against financial advice business Fortnum Private Wealth Limited in July 2025, alleging it failed to properly manage and mitigate cyber security risks (25-143MR).
FIIG has admitted it failed to comply with its AFS licence obligations by:
- failing to take all necessary steps to ensure its financial services were provided efficiently, honestly and fairly, including by not having adequate measures in place to protect clients from the risks and consequences of a cyber incident
- failing to have available adequate financial, technological and human resources to comply with its obligations and support adequate cyber security measures, and
- failing to have an adequate risk management system to manage or mitigate cyber security risks to FIIG and its clients.
The Fiig Securities formal response is as purse-lipped as it is possible to be. It provides:
FIIG acknowledges the outcome of the Federal Court proceedings brought by ASIC in relation to the historical cybersecurity incident in 2023 and accepts the outcomes.
FIIG has continued to strengthen its governance, leadership and cyber security defences to better protect customer data and will continue to do so with the support of its parent company AUSIEX.