Cybersecurity in Financial Services: The FIIG Securities Case
In March 2025, ASIC commenced civil penalty proceedings in the Federal Court against FIIG Securities Limited, a fixed-income investment specialist, alleging systemic and prolonged cybersecurity failures over a four-year period from 2019 to 2023. The case sends a clear signal to Australian financial services licensees: cybersecurity governance is an enforceable component of the general obligations under the Corporations Act, not an aspirational standard.
Summary of the Case
ASIC alleges that FIIG Securities failed to maintain adequate cyber risk management controls, and that this enabled a significant data breach in which approximately 385GB of confidential data, including the personal information of around 18,000 clients, was exfiltrated from its network and later published on the dark web. According to ASIC, the intrusion went undetected for nearly three weeks; FIIG did not identify it through its own monitoring and was instead alerted by the Australian Signals Directorate's Australian Cyber Security Centre, indicating serious deficiencies in detection and response capabilities.
The regulator is pursuing civil penalties under section 912A of the Corporations Act, which requires AFS licensees to, among other things, provide their services efficiently, honestly and fairly, have adequate resources, and have adequate risk management systems in place. For a body corporate, the maximum penalty per contravention is the greatest of 50,000 penalty units, three times the benefit derived from the contravention, or 10% of annual turnover (subject to a statutory cap). The dollar value of a penalty unit is indexed, so the headline figure rises over time.
Key Areas of Alleged Non-Compliance
According to ASIC's media release and supporting documentation, the key failings cited in the case include:
- Governance Failures: Lack of board-level accountability for cybersecurity risks, with no integration of cyber into governance frameworks.
- Technical Deficiencies: Misconfigured and unmonitored firewalls, outdated software and operating systems, unpatched vulnerabilities, and poor privileged access controls.
- Incident Response Gaps: No formal, tested incident response plan, and a delayed investigation after FIIG was notified of suspicious activity.
- Operational Resourcing Issues: Insufficient internal cyber capability, no dedicated cybersecurity personnel, and no mandatory cybersecurity awareness training for staff.
Implications for Financial Services Licensees
The FIIG case is a reminder that cybersecurity obligations are not confined to technical operations teams. Under the Corporations Act, AFS licensees must ensure that their risk management systems, including those for cyber, are both adequate and actively maintained. This includes:
- Documented governance frameworks that assign cyber risk responsibility to the board and senior management, with regular reporting to both.
- Proactive monitoring and detection measures that are fit for purpose, so that an intrusion is identified by the licensee within hours or days rather than surfacing weeks later via a third party.
- Adequate resourcing of cyber functions, including staff, systems, training, and incident response readiness.
- Alignment with recognised standards such as ISO/IEC 27001, the NIST Cybersecurity Framework, the ACSC Essential Eight, or ASIC's own cyber resilience guidance.
ASIC’s Position
ASIC has made it clear that enforcement in relation to cyber risk is a priority. The regulator expects licensees to demonstrate not only awareness of cyber risks, but documented evidence of an ongoing, resourced program of work to manage those risks.
The FIIG Securities case is ASIC's second cyber-related court action against an AFS licensee, following its 2022 case against RI Advice Group, and is one of the most substantial enforcement actions taken in the cyber domain under Australian corporate law. It is likely to set a benchmark for how other AFS licensees will be assessed going forward.
Key Questions for Licensees to Consider
- Is cybersecurity formally integrated into board-level risk reporting?
- Are cyber defences subject to regular third-party testing?
- Does the organisation have a tested and resourced incident response plan?
- Has the business conducted a cyber risk assessment aligned with ASIC's guidance?