ASIC v FIIG Securities – AFSL Holders on Notice for Cyber Failures

Written By

Nick Boyle

Partner
Australia

I have deep experience acting for and advising clients on digital transformation projects and complex commercial transactions, including those involving procurement, the design and implementation of complex IT systems, business process outsourcing arrangements and the commercialisation of technology services and systems. I also advise clients on data protection and cyber-security related matters, including advice on regulatory compliance with privacy and cyber laws, and data incident responses.

Jasper O'Donnell

Associate
Australia

I am an associate in the Tech Transactions team in Sydney.

The Australian Securities and Investments Commission (ASIC) has initiated enforcement proceedings in the Federal Court against financial service provider FIIG Securities Limited (FIIG) for allegedly failing to implement adequate cybersecurity measures over a four-year period, exposing itself and its clients to an unreasonable risk of cyber intrusion.

This is ASIC’s second enforcement proceeding against an Australian Financial Services Licensee (AFSL) for failing to maintain adequate cybersecurity protections – the first was against RI Advice Group in 2022, which we wrote about here – and aligns with ASIC’s 2025 enforcement priority of investigating and prosecuting “licensee failures to have adequate cyber-security protections”. The case is particularly relevant in light of the coordinated cyberattacks suffered by several Australian superannuation providers in early April 2025, which resulted in thousands of super accounts being compromised.

What happened?

FIIG is an AFSL specialising in providing fixed income financial products and services to retail and wholesale clients, as well as custodial services. During the period of the alleged breach, FIIG’s assets under management ranged between $2.89 billion and $3.7 billion. In providing its services, FIIG collected personal information of its clients, including names, addresses, dates of birth, contact details, copies of identification, tax file numbers, and account details.

Timeline of the cybersecurity incident

19 May 2023

A FIIG employee inadvertently downloads a .zip file containing malware while browsing the internet. The malware gives a threat actor remote access to FIIG's network, from which the actor moves laterally and escalates privileges.

23 May 2023

The threat actor obtains access to a privileged user account on the network and, over a one-week period, transfers approximately 385GB of data to an external server, including the personal information of approximately 18,000 FIIG clients.

2 June 2023

The Australian Cyber Security Centre (ACSC) alerts FIIG that its systems may be compromised. Before that notification, FIIG had neither identified nor responded to the attack, despite numerous firewall email alerts flagging suspicious activity.

8 June 2023

FIIG inspects the employee's laptop and discovers that its network has been compromised.

9 June 2023

FIIG takes its network offline.

10 June 2023

The threat actor publishes some of the stolen data (including clients’ personal information) on the dark web.


What is ASIC’s claim?

On 12 March 2025, ASIC launched proceedings against FIIG in the Federal Court alleging that, over a four-year period between 12 March 2019 and 8 June 2023, FIIG failed to take adequate steps to protect itself and its clients against cybersecurity risks, thereby exposing itself and them to those risks to a heightened and unreasonable extent.

As an AFSL, FIIG is required to comply with certain obligations under section 912A of the Corporations Act 2001 (Cth) (the Act). ASIC alleges FIIG’s conduct contravened sections 912A(1)(a), (d) and (h) of the Act, which mandate that AFSLs must:

  1. do all things necessary to ensure that the financial services covered by its licence were provided efficiently, honestly and fairly (section 912A(1)(a));
  2. have available adequate resources (including financial, technological, and human resources) to provide the financial services covered by its licence (section 912A(1)(d)); and
  3. have adequate risk management systems (section 912A(1)(h)).

What measures should FIIG have had in place?

In Annexure A of ASIC’s Concise Statement, ASIC sets out a list of the missing cybersecurity measures which it considers FIIG should have had in place in order to comply with its obligations under section 912A(1)(a) of the Act (the Missing Cybersecurity Measures). At a high level those measures include:

  • an annually tested cyber incident response plan, approved by FIIG and communicated and accessible to employees;
  • systems to manage access to privileged accounts on FIIG’s networks;
  • daily monitoring of its security information and event management (SIEM) software by personnel appropriately skilled to identify and respond to unusual activity;
  • regularly updating and patching software applications;
  • multi-factor authentication requirements for remote users; and
  • mandatory security awareness training delivered to all employees upon induction and repeated on an annual basis.
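The timeline above and the monitoring measure in this list describe the same gap: large outbound transfers ran for about a week while firewall alerts went unreviewed. The following Python script is an added example written for this article; it is not code from the original page, from FIIG or from ASIC. Its log format, hostnames, IP addresses (IETF documentation ranges) and thresholds are assumptions chosen for illustration. It shows the kind of daily review of firewall or SIEM data that turns a week of nightly transfers from one workstation to one external host into a single finding:

```python
"""
Sustained-outbound-volume detector over constructed firewall logs.

Added example for this article, not FIIG's or ASIC's code. The key=value log
format, the hosts, the IPs (documentation ranges) and the thresholds are
assumptions. Per (internal source, external destination) pair it sums allowed
outbound bytes per calendar day and alerts when the pair stays above a daily
threshold on consecutive days, which a one-off large upload will not trigger.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

GB = 1_000_000_000

# Assumed internal address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed syslog-style key=value format (constructed, not FIIG's real logs).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample: one workstation pushing 52-61 GB a night to one external
# host for four nights, mixed with ordinary traffic, a denied connection and a
# malformed line that the parser must skip rather than crash on.
SAMPLE_LOG = """\
2023-05-22T09:14:03Z fw01 action=allow src=10.20.5.41 dst=198.51.100.20 dport=443 proto=tcp bytes_out=1830400
2023-05-22T23:41:50Z fw01 action=allow src=10.20.5.41 dst=203.0.113.8 dport=443 proto=tcp bytes_out=52000000000
2023-05-23T02:10:11Z fw01 action=allow src=10.20.5.41 dst=203.0.113.8 dport=443 proto=tcp bytes_out=61000000000
2023-05-23T10:02:19Z fw01 action=allow src=10.20.7.12 dst=198.51.100.20 dport=443 proto=tcp bytes_out=2400000
2023-05-24T01:55:40Z fw01 action=allow src=10.20.5.41 dst=203.0.113.8 dport=443 proto=tcp bytes_out=58000000000
2023-05-24T08:30:00Z fw01 action=deny src=10.20.5.41 dst=203.0.113.8 dport=22 proto=tcp bytes_out=0
2023-05-25T03:12:44Z fw01 action=allow src=10.20.5.41 dst=203.0.113.8 dport=443 proto=tcp bytes_out=55000000000
2023-05-25T11:00:02Z fw01 action=allow src=10.20.9.3 dst=198.51.100.20 dport=443 proto=tcp bytes_out=980000
this line is malformed and must be skipped, not crash the parser
"""


def parse_line(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "day": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").date(),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "bytes": int(m["bytes"]),
    }


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_outbound(log_text):
    """Sum allowed outbound bytes per (src, external dst) per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow" or not is_external(rec["dst"]):
            continue
        totals[(rec["src"], rec["dst"])][rec["day"]] += rec["bytes"]
    return totals


def find_sustained_transfers(log_text, daily_threshold=5 * GB, min_days=2):
    """Flag pairs above daily_threshold on min_days+ consecutive days, largest first."""
    findings = []
    for (src, dst), per_day in daily_outbound(log_text).items():
        hot_days = sorted(d for d, b in per_day.items() if b >= daily_threshold)
        run, best = [], []
        for d in hot_days:
            run = run + [d] if run and d == run[-1] + timedelta(days=1) else [d]
            if len(run) > len(best):
                best = run
        if len(best) >= min_days:
            findings.append({
                "src": src, "dst": dst, "days": len(best),
                "first_day": best[0].isoformat(), "last_day": best[-1].isoformat(),
                "total_bytes": sum(per_day[d] for d in best),
            })
    return sorted(findings, key=lambda f: -f["total_bytes"])


if __name__ == "__main__":
    for f in find_sustained_transfers(SAMPLE_LOG):
        print(f"ALERT {f['src']} -> {f['dst']}: {f['total_bytes'] / GB:.0f} GB over "
              f"{f['days']} consecutive days ({f['first_day']} to {f['last_day']})")
```

In practice the input would be the SIEM's daily export rather than an embedded string, the threshold and consecutive-day count would be tuned to the organisation's normal traffic, and known backup or replication destinations would be allowlisted so the check does not page on legitimate transfers. The consecutive-day condition is what makes the finding actionable: it ignores a single large upload but cannot be beaten by spreading exfiltration across nights, which is exactly the pattern described in the timeline.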

ASIC also alleges that FIIG did not meet its obligations under section 912A(1)(d) (which required FIIG to have adequate financial, technological and human resources in place to enable it to maintain adequate security systems) because:

  • Human resources: FIIG failed to employ or outsource sufficient human resources to enable it to maintain those measures, relying too heavily on its COO and IT infrastructure team who were stretched too thin to ensure adequacy;
  • Financial resources: FIIG failed to provision sufficient financial resources to enable it to have the Missing Cybersecurity Measures, the necessary human resources, or to implement the necessary risk management measures; and
  • Technological resources: FIIG failed to have many or all of the Missing Cybersecurity Measures.

In relation to section 912A(1)(h), ASIC alleges that FIIG failed to have adequate risk management systems, because it did not put in place the Missing Cybersecurity Measures, which would have enabled FIIG to manage or mitigate risk to an acceptable level.

Importantly, ASIC notes that although FIIG did have an IT Information and Security Policy and a Cyber and Information Security Policy, it failed to implement the measures identified in those policies.

The relevant risk management measures FIIG failed to implement are set out in Annexure B of ASIC’s Concise Statement.

What outcomes are being sought by ASIC?

ASIC is seeking:

  • declarations regarding FIIG’s alleged contraventions of sections 912A(1)(a), (d), and (h), and 912A(5A) of the Act;
  • a pecuniary penalty for each of FIIG's alleged contraventions of the Act (for a company, the maximum penalty per contravention is the greater of: (i) 50,000 penalty units ($13.75 million at the time); (ii) three times the benefit obtained and detriment avoided; and (iii) 10% of annual turnover, capped at 2.5 million penalty units ($687.5 million at the time));
  • a compliance order that FIIG complete a compliance program involving review of its cybersecurity measures and commission an independent expert to report on those measures to ASIC; and
  • that FIIG pay ASIC's costs.

Key takeaways

  • Interestingly, ASIC has not made allegations against FIIG’s directors that they breached their directors’ duties as a result of FIIG’s failure to take reasonable steps to prevent risk to the business.

    At the 2023 Australian Financial Review Cyber Summit ASIC Chair Joe Longo stated that “for all boards, cyber resilience has to be a top priority” and that ASIC would be looking for “the right case where company directors and boards failed to take reasonable steps or make reasonable investments proportionate to the risks that their business poses”.

    At this stage, ASIC has not taken any direct legal action against boards of directors in relation to cyber failures. In any case, directors should be aware that their duty of care and diligence (as set out in section 180 of the Act) is relevant in the context of cybersecurity, and that directors must take reasonable steps to address foreseeable risks, and implement and comply with cybersecurity standards, or they could be held personally liable.

  • The ‘missing security measures’ in Annexure A to the Concise Statement are useful guidance for AFSLs on the regulator’s expectations around what cybersecurity measures they should have in place for compliance with section 912A of the Act. However, the obligations in section 912A are broad, and AFSLs should note that what is expected by the regulator will vary depending on the nature, size and complexity of the business as well as any risks that are unique to their business.

Please contact Nick Boyle or Jasper O’Donnell for any more information on the above.
