Australian Securities and Investments Commission v FIIG Securities Limited [2026] FCA 92 (13 February 2026)

ASIC was successful in its case against FIIG Securities Limited (FIIG), a financial services licensee. It was alleged that FIIG committed systemic failures to comply with several core obligations under s912A of the Corporations Act (Act). These failures became apparent after FIIG suffered a major cyberattack in May 2023, during which approximately 385GB of sensitive client data affecting about 18,000 clients was exfiltrated.

Key Takeaways

  • Financial services providers must implement adequate cyber security measures relative to their size and the sensitivity of data held
  • Obligations include implementing appropriate technological and organisational measures, investing in cyber security resources and appropriately training staff
  • The cyber security obligations on financial services providers are a fundamental and core part of the business of providing financial services and holding an Australian Financial Services Licence (AFSL)
  • A failure to comply with these obligations can result in action from the financial regulator, significant financial penalties and Federal Court orders imposing compliance programs.

Background

In 2023, FIIG suffered a cyber-attack. Approximately 385GB of personal information regarding 18,000 clients was stolen and leaked onto the dark web. The information included drivers’ licences, passport information, bank account details and tax file numbers.

During the period between 13 March 2019 and 8 June 2023, the value of assets under FIIG’s control for its clients ranged between approximately $2.99 billion and $3.7 billion and the value of funds under advice ranged between $4.7 billion and $7.6 billion.

ASIC, the financial regulator, commenced proceedings in the Federal Court. The proceedings raised the issue of whether FIIG had complied with its obligations as a holder of an AFSL.

As a holder of an AFSL, an entity has obligations under the Act to:

  • Do all things necessary to provide financial services efficiently, honestly and fairly
  • Maintain adequate technological, human, and financial resources to provide financial services
  • Implement adequate risk management systems.

FIIG admitted that it failed to comply with its AFSL obligations by not having implemented adequate cyber security measures suited to a firm of its size, the type of personal information it held, the value of the funds under advice and the assets held by it on behalf of clients, the potential consequences of a breach and its contractual obligations to clients. Had adequate cyber security measures been implemented, FIIG would have been able to detect and respond to the data breach sooner and mitigate its effects.

Issues

The Court emphasised that cybersecurity is an essential element of AFSL obligations and is not an optional or peripheral issue.

The Court found that between 13 March 2019 and 8 June 2023 FIIG did not have:

  • An adequate cyber incident response plan in place
  • Appropriate established protocols for user access and tasks, and privileges and access rights
  • Appropriate methods of testing vulnerabilities
  • Adequate external penetration testing
  • Appropriate configuration on firewalls and group policy
  • Up to date software to monitor alerts and threats
  • An appropriate patching plan for all applications, operating systems and firmware
  • Up to date operating systems
  • Security patches installed for known security vulnerabilities
  • Effective multi-factor authentication for remote access users
  • Adequate monitoring of threat alerts
  • Sufficient staff training, including mandatory annual cyber security training
  • A process or processes to review and evaluate the effectiveness of existing technical cyber security controls and cyber resilience
  • Adequate investment in cybersecurity relative to the size of the business.

The Court held that FIIG:

  1. Breached s912A(1)(a) of the Act, as it failed to do all things necessary to provide financial services efficiently, honestly and fairly due to inadequate cybersecurity protections
  2. Breached s912A(1)(d) of the Act, as it failed to maintain adequate technological, human, and financial resources to provide financial services
  3. Breached s912A(1)(h) of the Act, as it failed to implement adequate risk management systems.

The Court approved the jointly proposed penalty and ordered FIIG to:

  1. Pay a pecuniary penalty of $2.5 million within 30 days
  2. Pay ASIC’s costs of $500,000
  3. Implement a compliance program with oversight by an independent expert to improve cybersecurity and cyber resilience.

The penalty represented approximately 20% of FIIG’s net assets and around 8% of its turnover for the 2025 financial year.

Summary

This is the first case in Australia that involved the imposition of civil penalties for cybersecurity failures under general AFSL obligations.

The case demonstrates ASIC’s increased focus on cyber security risk management and establishes a new compliance benchmark for all AFSL holders.

It confirms that ASIC will treat cybersecurity failings by AFSL holders as breaches of core financial services obligations, even in the absence of intentional misconduct.

This significant penalty should act as a strong incentive for not only financial services providers but all organisations to proactively implement and review their cyber security and information management practices.

Should you wish to discuss this decision, cyber security and privacy law obligations, please do not hesitate to contact us. We also deliver presentations and training to our clients on privacy laws and the implications of privacy law reforms.

Further information / assistance regarding the issues raised in this article is available from the author, Bill Fragos, Special Counsel, Christina Segaan, Senior Associate, or your usual contact at Moray & Agnew.