Fiig Securities has become the first financial services licensee to be hit with penalties for cybersecurity failures, with the broker ordered to pay $2.5 million after a prolonged series of security lapses exposed client data.
In 2023, Fiig suffered a cyberattack which saw the now-defunct ransomware outfit AlphV Blackcat boast the theft of an alleged 385GB of data across approximately 18,000 of the firm’s clients.
In March 2025, corporate regulator Australian Securities and Investments Commission (ASIC) alleged the firm “failed to have adequate cybersecurity measures” for more than four years leading up to the attack, and ultimately decided to sue the firm.
On Monday, nearly three years after Fiig’s cyberattack, Australia’s Federal Court officially ordered the firm to pay a $2.5 million pecuniary penalty.
“Cyberattacks and data breaches are escalating in both scale and sophistication, and inadequate controls put clients and companies at real risk,” said ASIC deputy chair Sarah Court.
Fiig will also need to pay $500,000 towards ASIC’s costs in the case, while the court further ordered the firm to undertake a compliance programme involving an “independent expert” to ensure its cybersecurity and cyber-resilience systems are “reasonably managed”.
In a public statement, Fiig said it both acknowledged and accepted the outcomes of the Federal Court proceedings.
“Fiig has continued to strengthen its governance, leadership and cybersecurity defences to better protect customer data and will continue to do so with the support of its parent company AUSIEX (Australian Investment Exchange Limited),” the company said.
In a statement given to Information Age, AUSIEX chief executive Patrick Salis said the company “cooperated fully” throughout the court process.
“No client funds were impacted, and we remain focused on supporting our clients and maintaining the highest standards of information security,” said Salis.
Sarah Court noted the case marked the “first time” Australia’s Federal Court has imposed civil penalties for cybersecurity failures under general Australian Financial Services (AFS) licence obligations.
Security blunders put thousands at risk
ASIC said Fiig failed to protect “thousands of clients” from cybersecurity threats between 13 March 2019 and 8 June 2023, most notably by neglecting to “allocate the necessary financial resources to have suitably qualified and experienced people available”.
According to ASIC, the company also failed to “implement adequate technological resources to manage cybersecurity”.
Among other cybersecurity failures, ASIC highlighted examples where the firm failed to adopt strong passwords and access controls for privileged accounts, did not implement multi-factor authentication for remote access users, and skimped on regular penetration testing and vulnerability scanning.
In other examples, firewalls and security software were set up without “appropriate configuration”, while ASIC further noted the company did not have qualified IT staff monitoring threat alerts to “identify and respond to cyberattacks”.
“Entities that fail to maintain proper cybersecurity controls risk regulatory action by ASIC and exposure to malicious exploitation,” said Sarah Court.
“In this case, the consequences far exceeded what it would have cost Fiig to implement adequate controls in the first place.”
Passports, tax file numbers stolen
According to an update shared by Fiig, the types of personal information “accessed and stolen” from its current and former clients included names, addresses, dates of birth, telephone numbers and email addresses.
More notably, the firm also lost clients’ driver’s licence details, passport information, bank account details (including account numbers and BSBs) and tax file numbers.
For Fiig’s institutional clients, the firm believed “other personal information” that may have been included in documentation provided to Fiig had been accessed – such as company directors’ names and identity documents.
ASIC clamps down on AFS licensees
Fiig falls under Australia’s general AFS licence obligations, which mandate licensees adopt “adequate risk management systems” and technical resources, among other requirements.
According to ASIC, the firm admitted it failed to comply with AFS obligations and that adequate cybersecurity measures would have “enabled it to detect and respond to the data breach sooner”.
Fiig further conceded that following its own security policies and procedures could have supported earlier detection and potentially prevented “some or all” of the client data being stolen.
At the time of its non-compliance, Fiig held approximately $3 billion in client assets under management.
Following the court outcome, ASIC reiterated it expects AFS licensees to “prioritise and invest” in systems that “protect their customers and maintain integrity in the financial system”.
“ASIC expects financial services licensees to be on the front foot every day to protect their clients,” said Sarah Court.
“Fiig wasn’t – and they put thousands of clients at risk.
“Clients entrust licensees with sensitive and confidential information, and that trust carries clear responsibilities.”
In 2022, ASIC sued financial services company RI Advice for $750,000 over poor cybersecurity practices.
The regulator again took legal action against financial advice business Fortnum Private Wealth last July, alleging the firm exposed clients to “an unacceptable level” of cybersecurity risk after customer data reportedly appeared on the dark web.
Fortnum’s next hearing is expected in mid-July.