
FIIG Securities faces $2.5m fine following 2023 cyber attack

Australia-based financial firm FIIG Securities has been fined $2.5 million after a cyber attack resulted in the sensitive data of its clients being exposed on the dark web.

Tue, 10 Feb 2026

The cyber attack, which occurred in 2023, resulted in 385 gigabytes of confidential data, including driver’s licenses, passport data, tax file numbers, and bank account details, being exposed by the ALPHV ransomware group.

The Federal Court said its investigation found that FIIG Securities failed to protect the data of 18,000 clients for over four years, between March 2019 and June 2023, by not having an effective cyber incident response plan and not investing enough money, resources, staff or expertise in its cyber safety.

On top of the $2.5 million fine, FIIG Securities was ordered to pay $500,000 to the Australian Securities and Investments Commission (ASIC), the agency that originally launched the case against them.

 
 

ASIC first announced it was pursuing legal action against FIIG Securities in March last year.

“ASIC alleges from March 2019 to 8 June 2023, FIIG failed to take the appropriate steps, as is required by an Australian Financial Services (AFS) licensee, to ensure it had adequate cyber risk management systems in place,” ASIC said in a 13 March press release, referring to documents filed with the Federal Court of Australia.

At the time, ASIC chair Joe Longo said in a statement: “This matter should serve as a wake-up call to all companies on the dangers of neglecting your cyber security systems.

“Cyber security isn’t a set-and-forget matter. All companies need to proactively and regularly check the adequacy of their cyber security measures and follow the advice of the ASD’s ACSC.”

FIIG was warned of a potential intrusion by the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) on 2 June, but it was not aware of any network compromise prior to that date. FIIG’s own investigations did not occur until 8 June.

ASIC deputy chair Sarah Court said the case marked the first time that civil penalties had been imposed by the Federal Court for cyber failure under Australian Financial Services licensee obligations.

“ASIC expects financial services licensees to be on the front foot every day to protect their clients. FIIG wasn’t – and they put thousands of clients at risk,” she said.

“In this case, the consequences far exceeded what it would have cost FIIG to implement adequate controls in the first place.

“Clients entrust licensees with sensitive and confidential information, and that trust carries clear responsibilities.”

Daniel Croft


Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.