Australian fixed-income firm FIIG Securities has been fined AU$2.5 million after the Federal Court found it failed to adequately protect client data from cybersecurity threats over a period exceeding four years. The penalty follows a major FIIG cyberattack in 2023 that resulted in the theft and exposure of highly sensitive personal and financial information belonging to thousands of clients.
It is the first time the Federal Court has imposed civil penalties for cybersecurity failures under the general obligations of an Australian Financial Services (AFS) license.
In addition to the fine, the court ordered FIIG Securities to pay AU$500,000 toward the Australian Securities and Investments Commission’s (ASIC) enforcement costs. FIIG must also implement a compliance program, including the engagement of an independent expert to ensure its cybersecurity and cyber resilience systems are reasonably managed going forward.
FIIG Cyberattack Exposed Sensitive Client Data After Years of Security Gaps
The enforcement action stems from a ransomware attack that occurred in 2023. ASIC alleged that between March 2019 and June 2023, FIIG Securities failed to implement adequate cybersecurity measures, leaving its systems vulnerable to intrusion. On May 19, 2023, a hacker gained access to FIIG’s IT network and remained undetected for nearly three weeks.
During that time, approximately 385 gigabytes of confidential data were exfiltrated. The stolen data included names, addresses, dates of birth, driver’s licences, passports, bank account details, tax file numbers, and other sensitive information. FIIG later notified around 18,000 clients that their personal data may have been compromised as a result of the FIIG cyberattack.
Alarmingly, FIIG Securities did not discover the breach on its own. The company became aware of the incident only after being contacted by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) on June 2. Despite receiving this warning, FIIG did not launch a formal internal investigation until six days later.
FIIG admitted it had failed to comply with its AFS licence obligations and acknowledged that adequate cybersecurity controls would have enabled earlier detection and response. The firm also conceded that adherence to its own policies and procedures could have prevented much of the client information from being downloaded.
Regulatory Action Against FIIG Securities Sets Precedent for Cybersecurity Enforcement
ASIC Deputy Chair Sarah Court said the case highlights the growing risks posed by cyber threats and the consequences of inadequate controls. “Cyber-attacks and data breaches are escalating in both scale and sophistication, and inadequate controls put clients and companies at real risk,” she said. “ASIC expects financial services licensees to be on the front foot every day to protect their clients. FIIG wasn’t – and they put thousands of clients at risk.”
ASIC Chair Joe Longo described the matter as a broader warning for Australian businesses. “This matter should serve as a wake-up call to all companies on the dangers of neglecting cybersecurity systems,” he said, emphasizing that cybersecurity is not a “set and forget” issue but one that requires continuous monitoring and improvement.
ASIC alleged that FIIG Securities failed to implement basic cybersecurity protection, including properly configured firewalls, regular patching of software and operating systems, mandatory cybersecurity training for staff, and sufficient allocation of financial and human resources to manage cyber risk.
Additional deficiencies cited by ASIC included the absence of an up-to-date incident response plan, ineffective privileged access management, lack of regular vulnerability scanning, failure to deploy endpoint detection and response tools, inadequate use of multi-factor authentication, and a poorly configured Security Information and Event Management (SIEM) system.
Lessons From the FIIG Cyberattack for Australia’s Financial Sector
Cybersecurity experts have pointed out that the significance of the FIIG cyberattack lies not only in the breach itself but in the prolonged failure to implement reasonable protections. Annie Haggar, Partner and Head of Cybersecurity at Norton Rose Fulbright Australia, noted in a LinkedIn post that ASIC’s case provides clarity on what regulators consider “adequate” cybersecurity. Key factors include the nature of the business, the sensitivity of stored data, the value of assets under management, and the potential impact of a successful attack.
The attack on FIIG Securities was later claimed by the ALPHV/BlackCat ransomware group, which stated on the dark web that it had stolen approximately 385GB of data from FIIG’s main server. The group warned the company that it had three days to make contact regarding the consequences of what it described as a failure by FIIG’s IT department.
According to FBI and Center for Internet Security reports, the ALPHV/BlackCat group gains initial access using compromised credentials, deploys PowerShell scripts and Cobalt Strike to disable security features, and uses malicious Group Policy Objects to spread ransomware across networks.
The breach was discovered after an employee reported being locked out of their email account. Further investigation revealed that files had been encrypted and backups wiped. While FIIG managed to restore some systems, other data could not be recovered.
