ASIC action costs FIIG Securities $2.5m

FIIG Securities has been ordered to pay $2.5 million in pecuniary penalties as a result of Federal Court action initiated by the Australian Securities and Investments Commission (ASIC).
The regulator said that fixed income specialist FIIG Securities had been penalised for failures to protect thousands of clients from cyber security threats for more than four years.
It had been alleged FIIG’s failures worsened a 2023 cyber-attack which saw around 385 gigabytes of confidential information stolen and highly sensitive client data leaked onto the dark web – including driver’s licences, passport information, bank account details and tax file numbers.
FIIG notified some 18,000 clients that their personal information may have been compromised.
ASIC said FIIG admitted that it failed to comply with its Australian Financial Services (AFS) licence obligations and that adequate cyber security measures – suited to a firm of its size and the sensitivity of client data held – would have enabled it to detect and respond to the data breach sooner. It also admitted that complying with its own policies and procedures could have supported earlier detection and prevented some or all of the client information from being downloaded.
The Federal Court ordered FIIG to pay a $2.5 million penalty and pay $500,000 towards ASIC’s costs. The Court also ordered FIIG to undertake a compliance programme involving the engagement of an independent expert to ensure its cyber security and cyber resilience systems are reasonably managed.
Commenting on the outcome, ASIC Deputy Chair Sarah Court said, “Cyber-attacks and data breaches are escalating in both scale and sophistication, and inadequate controls put clients and companies at real risk.
“ASIC expects financial services licensees to be on the front foot every day to protect their clients. FIIG wasn’t – and they put thousands of clients at risk.
“In this case, the consequences far exceeded what it would have cost FIIG to implement adequate controls in the first place.
“This is the first time the Federal Court has imposed civil penalties for cyber security failures under the general AFS licensee obligations, setting a clear licence-to-operate expectation for robust cyber resilience.
“Clients entrust licensees with sensitive and confidential information, and that trust carries clear responsibilities,” Court said.
FIIG’s cyber security failures between 13 March 2019 and 8 June 2023 included examples where it did not:
- Allocate the necessary financial resources to have suitably qualified and experienced people available, or implement adequate technological resources to manage cyber security,
- Implement adequate cyber security measures, including multi-factor authentication for remote access users, strong passwords and access controls for privileged accounts, appropriate configuration of firewalls and security software, regular penetration testing and vulnerability scanning,
- Have a structured plan to ensure key software systems were being updated to address security vulnerabilities,
- Have qualified IT personnel monitoring threat alerts to identify and respond to cyber-attacks,
- Provide mandatory cyber security awareness training to staff, and
- Have an appropriate cyber incident response plan that was tested at least annually.
“Entities that fail to maintain proper cyber security controls risk regulatory action by ASIC and exposure to malicious exploitation,” she said.
ASIC expects AFS licensees to prioritise cyber-resilience and invest in people, systems and governance which are fit-for-purpose for entity size and the sensitivity of client information held.
AUSIEX chief executive Patrick Sallis said FIIG Securities accepts the Federal Court’s ruling and will comply with all obligations.
“We cooperated fully throughout the process and have continued to strengthen our systems, governance and controls. No client funds were impacted, and we remain focused on supporting our clients and maintaining the highest standards of information security,” he said.