ASIC Action Against FIIG Securities Is a Line in the Sand for Cybersecurity in Australia

$2.5 million.
That’s what ASIC has now forced FIIG Securities Limited (FIIG) to pay, not simply for suffering a breach, but for failing to maintain adequate cybersecurity controls for more than four years.

This isn’t just another breach headline. It’s a regulatory turning point for every Australian Financial Services (AFS) licensee and a warning shot for boards and exec teams still treating cyber as an “IT problem”.

In 2026, ASIC has made the message clear:
Cyber resilience is now a licence-to-operate issue.


What Actually Happened at FIIG

According to ASIC, FIIG’s cyber security failures occurred between 13 March 2019 and 8 June 2023. Those failures worsened the impact of a 2023 cyber attack that saw around 385GB of confidential data stolen and sensitive client information leaked on the dark web.

The compromised data included:

  • Driver’s licences
  • Passport information
  • Bank account details
  • Tax File Numbers (TFNs)

FIIG notified around 18,000 clients that their personal information may have been compromised.

Critically, FIIG admitted that:

  • Adequate cyber controls would have enabled earlier detection and response.
  • Complying with its own policies may have prevented some or all of the data exfiltration.

This wasn’t bad luck. This was governance, resourcing, and execution falling behind reality.


Why ASIC’s Action Matters (This Is the Shift)

The Federal Court ordered FIIG to pay:

  • $2.5 million in pecuniary penalties
  • $500,000 towards ASIC’s costs

The Court also ordered FIIG to undertake a compliance program involving an independent expert to uplift its cyber security and resilience.

“Cyber-attacks and data breaches are escalating in both scale and sophistication, and inadequate controls put clients and companies at real risk.”

“The consequences far exceeded what it would have cost FIIG to implement adequate controls.”

This is the first time civil penalties have been imposed for cyber failures under general AFS licence obligations.

Cyber resilience is no longer a recommendation. It’s enforceable.


The Failures Were Basic, And That’s the Point

ASIC’s findings weren’t about exotic attacks. They were about fundamentals.

  • Insufficient skilled cyber personnel
  • No MFA for remote access
  • Poor firewall and security configuration
  • No structured patching program
  • No active threat monitoring
  • No mandatory cyber awareness training
  • No tested incident response plan

In 2026, these are baseline expectations, especially for firms holding highly sensitive client data.


This Case Isn’t Just About FIIG

At the time of non-compliance, FIIG held approximately $3 billion in client assets.

ASIC’s position is clear: cyber investment must be fit-for-purpose based on size, risk profile, and data sensitivity.

“We’re not big enough to be a target” is no longer a defence; it’s negligence.


The Real Lesson: Cyber Failures Are Governance Failures

  • Policies exist but aren’t enforced
  • Cyber ownership is unclear
  • Spend goes to tools, not capability
  • Risk posture can’t be articulated

Most organisations know what to do. They just don’t do it consistently.


What Boards and Executives Should Do Now

  • Can we clearly articulate our cyber risk posture?
  • Are controls aligned to data sensitivity?
  • Do we have accountable ownership?
  • Have we tested incident response in the last 12 months?
  • Would ASIC consider our controls “reasonable” today?

Final Takeaway

Cybersecurity is now a regulatory, financial, and trust obligation.

ASIC has shown it’s prepared to enforce it.


Next Steps

If you’re spending on cyber but not reducing risk, you’re exposed.

📩 DM me on LinkedIn or visit thecyberguyau.com

Written by Ateeq Sheikh TheCyberGuyAU
Head of Cyber Business Development @ AUCyber 
