A major data breach that exposed thousands of investors’ personal details has led to a $2.5 million penalty against FIIG Securities Limited, after the Federal Court found the firm breached its Australian Financial Services (AFS) licence obligations in relation to cyber security.
The case followed a 2023 cyberattack in which about 385 gigabytes of confidential information were stolen. The data included driver’s licence and passport details, bank account information and tax file numbers. Some of the material was later published on the dark web. FIIG notified around 18,000 clients that their personal information may have been affected.
Proceedings were brought by the Australian Securities and Investments Commission (ASIC). FIIG admitted it breached its AFS licence obligations by failing to provide services efficiently, honestly and fairly, and by not maintaining adequate financial, technological and human resources or an effective cyber risk management framework.
The Federal Court ordered FIIG to pay a $2.5 million penalty and $500,000 towards ASIC’s legal costs. It also required the company to undertake a compliance programme, including appointing an independent expert to review and oversee improvements to its cyber security and cyber resilience systems.
ASIC found that between March 2019 and June 2023, FIIG failed to implement and maintain basic cyber controls. These included multi-factor authentication, proper access and password protections, effective firewall and security configurations, regular testing for vulnerabilities, structured software updates, ongoing IT monitoring, mandatory staff training and a tested incident response plan.
FIIG also admitted that following its own policies and procedures could have led to earlier detection and prevented some or all of the client information from being downloaded.
“ASIC expects financial services licensees to be on the front foot every day to protect their clients. FIIG wasn’t—and they put thousands of clients at risk. In this case, the consequences far exceeded what it would have cost FIIG to implement adequate controls in the first place,” ASIC deputy chair Sarah Court said.
“This is the first time the Federal Court has imposed civil penalties for cyber security failures under the general AFS licensee obligations, setting a clear licence-to-operate expectation for robust cyber resilience. Clients entrust licensees with sensitive and confidential information, and that trust carries clear responsibilities.”
FIIG provides retail and wholesale investors with access to fixed income investments and bond financing. As an AFS licensee, it offers custodial and trading services, keeps records of client investments and holds funds and fixed income assets on behalf of clients. At the time of the non-compliance, the firm managed about $3 billion in client assets.
The action forms part of ASIC’s broader focus on cyber resilience and operational risk, which it identified as key issues in its 2026 outlook. The FIIG case is ASIC’s second enforcement action centred on cyber security.
