Australian fixed-income specialist FIIG Securities Limited (FIIG) has been ordered to pay $2.5 million in penalties after ASIC brought a case against the firm for failures to protect thousands of clients from cyber security threats for more than four years.
In addition to the $2.5 million penalty, the Federal Court today also ordered FIIG to pay $500,000 towards ASIC’s costs, as well as undertake a compliance programme involving the engagement of an independent expert to ensure its cyber security and cyber resilience systems are reasonably managed.
"FIIG accepts the Federal Court’s ruling related to a cybersecurity incident that occurred in 2023 and will comply with all obligations," Patrick Salis, the chief executive of FIIG's parent company AUSIEX, said in a statement provided to techpartner.news.
"We cooperated fully throughout the process and have continued to strengthen our systems, governance and controls. No client funds were impacted, and we remain focused on supporting our clients and maintaining the highest standards of information security."
FIIG also issued a statement on its website, accepting the outcomes.
According to ASIC, a 2023 cyber-attack on FIIG saw around 385 GB of confidential information stolen and highly sensitive client data leaked onto the dark web – including driver’s licences, passport information, bank account details and tax file numbers.
FIIG notified some 18,000 clients that their personal information may have been compromised.
FIIG admitted that it failed to comply with its Australian Financial Services (AFS) licence obligations and that adequate cyber security measures – suited to a firm of its size and the sensitivity of client data held – would have enabled it to detect and respond to the data breach sooner.
It also admitted that complying with its own policies and procedures could have supported earlier detection and prevented some or all of the client information from being downloaded.
ASIC deputy chair Sarah Court said cyber-attacks and data breaches are escalating in both scale and sophistication, and inadequate controls put clients and companies at real risk.
"ASIC expects financial services licensees to be on the front foot every day to protect their clients. FIIG wasn’t – and they put thousands of clients at risk," she said.
"In this case, the consequences far exceeded what it would have cost FIIG to implement adequate controls in the first place.
"This is the first time the Federal Court has imposed civil penalties for cyber security failures under the general AFS licensee obligations, setting a clear licence-to-operate expectation for robust cyber resilience.
"Clients entrust licensees with sensitive and confidential information, and that trust carries clear responsibilities."
This case was ASIC’s second cyber security enforcement action. In May 2022, the Federal Court ruled that AFS licensee RI Advice had breached its licence obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cyber security risks.
ASIC also filed civil proceedings against financial advice business Fortnum Private Wealth Limited in July 2025, alleging it failed to properly manage and mitigate cyber security risks.




