FIIG Securities Fined $2.5M for Cybersecurity Lapses

ASIC

Australian fixed-income specialist FIIG Securities Limited (FIIG) has been ordered to pay $2.5 million in pecuniary penalties after ASIC brought a case against the firm over its failure, for more than four years, to protect thousands of clients from cyber security threats.

FIIG's failures worsened a 2023 cyber-attack which saw around 385 gigabytes of confidential information stolen and highly sensitive client data leaked onto the dark web - including driver's licences, passport information, bank account details and tax file numbers.

FIIG notified some 18,000 clients that their personal information may have been compromised.

FIIG admitted that it failed to comply with its Australian Financial Services (AFS) licence obligations and that adequate cyber security measures - suited to a firm of its size and the sensitivity of the client data it held - would have enabled it to detect and respond to the data breach sooner. It also admitted that complying with its own policies and procedures could have supported earlier detection and prevented some or all of the client information from being downloaded.

The Federal Court today ordered FIIG to pay a $2.5 million penalty and $500,000 towards ASIC's costs. The Court also ordered FIIG to undertake a compliance programme involving the engagement of an independent expert to ensure its cyber security and cyber resilience systems are reasonably managed.

ASIC Deputy Chair Sarah Court said, 'Cyber-attacks and data breaches are escalating in both scale and sophistication, and inadequate controls put clients and companies at real risk.

'ASIC expects financial services licensees to be on the front foot every day to protect their clients. FIIG wasn't - and they put thousands of clients at risk.

'In this case, the consequences far exceeded what it would have cost FIIG to implement adequate controls in the first place.

'This is the first time the Federal Court has imposed civil penalties for cyber security failures under the general AFS licensee obligations, setting a clear licence-to-operate expectation for robust cyber resilience.

'Clients entrust licensees with sensitive and confidential information, and that trust carries clear responsibilities.'

FIIG's cyber security failures between 13 March 2019 and 8 June 2023 included examples where it did not:

  • allocate the necessary financial resources to have suitably qualified and experienced people available, or implement adequate technological resources to manage cyber security
  • implement adequate cyber security measures, including multi-factor authentication for remote access users, strong passwords and access controls for privileged accounts, appropriate configuration of firewalls and security software, regular penetration testing and vulnerability scanning
  • have a structured plan to ensure key software systems were being updated to address security vulnerabilities
  • have qualified IT personnel monitoring threat alerts to identify and respond to cyber-attacks
  • provide mandatory cyber security awareness training to staff, and
  • have an appropriate cyber incident response plan that was tested at least annually.

'Entities that fail to maintain proper cyber security controls risk regulatory action by ASIC and exposure to malicious exploitation,' the Deputy Chair said.

ASIC expects AFS licensees to prioritise cyber-resilience and invest in people, systems and governance which are fit-for-purpose for entity size and the sensitivity of client information held.

Background

FIIG provides retail and wholesale investors with access to fixed income investments and bond financing. As an AFS licensee, FIIG plays an important role in providing custodial and trading services, maintaining records of client investments, and holding funds and fixed income investments on behalf of its clients. At the time of non-compliance, FIIG held approximately $3 billion in client assets under management.

ASIC identified cyber-attacks, data breaches and/or inadequate operational resilience and crisis management within its 2026 key issues outlook, and expects AFS licensees to prioritise and invest in systems that protect their customers and maintain integrity in the financial system.

This case was ASIC's second cyber security enforcement action. In May 2022, the Federal Court ruled that AFS licensee RI Advice had breached its licence obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cyber security risks (22-104MR).

ASIC filed civil proceedings against financial advice business Fortnum Private Wealth Limited in July 2025, alleging it failed to properly manage and mitigate cyber security risks (25-143MR).

FIIG has admitted it failed to comply with its AFS licence obligations by:

  • failing to take all necessary steps to ensure its financial services were provided efficiently, honestly and fairly, including by not having adequate measures in place to protect clients from the risks and consequences of a cyber incident
  • failing to have available adequate financial, technological and human resources to comply with its obligations and support adequate cyber security measures, and
  • failing to have an adequate risk management system to manage or mitigate cyber security risks to FIIG and its clients.

ASIC's regulatory resources include further information about cyber security and cyber resilience.

ASIC also recommends that organisations and investors consider advice from the Australian Signals Directorate's (ASD) Australian Cyber Security Centre.

The ASD's Report and recover webpage provides easy-to-understand advice on what organisations and investors should do when they suffer a data breach.
