Multimillion-dollar FIIG penalty a ‘clear warning to all financial organisations’, expert says

“Cyber security is not an IT issue; it is a board-level governance obligation,” says Trend Micro’s field CISO, ANZ, Andrew Philp, following a court-imposed penalty against Australia-based financial firm FIIG Securities.

Mon, 16 Feb 2026
The Federal Court handed down a $2.5 million fine to financial firm FIIG Securities last week over a 2023 ALPHV ransomware attack in which client personal details were published to the dark web.

The hackers stole and published data, including passport details, tax file numbers, and bank account information, and the court found that FIIG had failed to adequately protect its customers’ data over a four-year period between March 2019 and June 2023.

FIIG Securities was also ordered to pay $500,000 to the Australian Securities and Investments Commission (ASIC), after ASIC launched the case against them in March 2025.

“ASIC expects financial services licensees to be on the front foot every day to protect their clients. FIIG wasn’t – and they put thousands of clients at risk,” ASIC deputy chair Sarah Court said last week.

“In this case, the consequences far exceeded what it would have cost FIIG to implement adequate controls in the first place.”

However, while the penalty is no doubt a poor outcome for FIIG – and no doubt a well-deserved one – the situation points to a wider issue for the entire financial sector in Australia, according to Trend Micro’s field CISO, ANZ, Andrew Philp.

“The Federal Court’s $2.5 million penalty against FIIG is a clear warning to all financial organisations: regulators will not tolerate poor cyber risk governance or preventable security failure,” Philp (pictured) told Cyber Daily.

“Cyber security is not an IT issue; it is a board-level governance obligation. Financial services organisations are expected to implement and maintain mature, well-resourced security programs, or face significant legal, financial, and reputational consequences.”

Philp noted that many of the cyber security basics – multifactor authentication, timely patching, secure password practices, network monitoring, and ongoing security awareness training – were no longer nice-to-haves, but had become essential elements of cyber resilience.

“In today’s threat landscape, failing to implement these measures is indefensible,” Philp said.

“This ruling sets a clear benchmark for the industry. Directors and executives are accountable for ensuring cyber risk is actively managed, continuously reviewed and embedded into enterprise risk frameworks.”

Philp added that baseline cyber controls are not just regulatory obligations. “They form the foundation on which organisations can build genuine resilience and, ultimately, competitive advantage,” he said.

“Those that prioritise cyber security governance and invest in robust risk management not only protect clients and stakeholders, they position themselves to operate with greater trust and stability in an increasingly adversarial cyber environment.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
