ASIC v FIIG: Lessons to be learnt from cybersecurity enforcement action taken by ASIC

Co-authored by Michael Park, Partner, Jamie Griffin, Managing Associate and Renata Panozzo, Law Graduate

Home
Knowledge
ASIC v FIIG: Lessons to be learnt from cybersecurity enforcement action taken by ASIC

ASIC v FIIG: Lessons to be learnt from cybersecurity enforcement action taken by ASIC

Co-authored by Michael Park, Partner, Jamie Griffin, Managing Associate and Renata Panozzo, Law Graduate

{855A1462-7E71-4515-A6A2-702308E8310A}

April 9, 2025

Key points

On 12 March 2025, ASIC commenced civil penalty proceedings against FIIG Securities, alleging that FIIG had breached its duties under the Corporations Act as an Australian Financial Services Licensee in connection with a cybersecurity incident that occurred in May 2023.
While ASIC has been emphasising the importance of cyber risk management in its public statements for several years now, this is only the second time that ASIC has alleged that an AFSL holder has breached the Corporations Act in connection with the occurrence of a cybersecurity incident.
In a similar fashion to the OAIC’s civil penalty proceedings against Medibank arising from the 2022 cybersecurity incident, ASIC’s Concise Statement sets out a number of ‘missing cybersecurity measures’ that it alleges FIIG should have taken to protect its clients from the risks of a cybersecurity incident. While these steps should not be taken as an exhaustive list of cybersecurity measures, this list does provide some helpful guidance to AFSL holders on ASIC’s minimum expectations for cybersecurity and cyber resilience.

Background to ASIC’s proceedings against FIIG

FIIG Securities Limited (FIIG) is the holder of an Australian Financial Services Licence (AFSL) and provides financial advisory services, particularly in relation to fixed income investments. As part of its business, FIIG collected and maintained significant quantities of personal information about its clients, including names, addresses, dates of birth, phone numbers, email addresses, copies of driver’s licenses, passports and Medicare cards, tax file numbers and bank account details (Personal Client Information).

The Australian Securities and Investments Commission (ASIC) alleges that from 13 March 2019 to 8 June 2023, FIIG failed to take adequate steps to protect itself and its clients against cybersecurity threats, which ultimately culminated in the occurrence of a cybersecurity incident in May 2023 that affected approximately 18,000 of FIIG’s clients.

ASIC claims that FIIG’s alleged poor cybersecurity practices amounted to breaches of the following provisions of the Corporations Act 2001 (Cth):

section 912A(1)(a): the obligation to ensure that financial services are provided efficiently, honestly and fairly;
section 912A(1)(d): the obligation to have available adequate resources (including financial, technological and human resources) to provide the financial services; and
section 912A(1)(h): the obligation to have adequate risk management systems.

ASIC has published copies of its Concise Statement and Originating Process relating to its proceedings against FIIG, which provide an insight into ASIC’s allegations against FIIG.

This is the second time that ASIC has alleged that the holder of an AFSL has contravened several of these provisions in the Corporations Act in relation to cybersecurity obligations. In 2022, the Federal Court of Australia found (on the basis of an agreed statement of facts) that RI Advice had contravened sections 912A(1)(a) and 912A(1)(h) as a result of its failure to have adequate documentation and controls in respect of cybersecurity and cyber resilience in place that were appropriate to manage risk in respect of cybersecurity and cyber resilience across its authorised representative network.

What happened? A timeline of the FIIG incident

ASIC’s Concise Statement provides some key details about, and a timeline of, the cybersecurity incident that affected FIIG:

on 19 May 2023, a FIIG employee inadvertently downloaded a zip file containing malware, which allowed a malicious third party to remotely access FIIG’s network;
the malicious third party was subsequently able to gain access to a privileged user account on or about 23 May 2023. Between 23 May and 30 May 2023, the third party was then able to download 385 gigabytes of data (including Personal Client Information) relating to approximately 18,000 individuals;
a number of email alerts were apparently generated by FIIG’s systems to flag that suspicious activity was occurring on its network (although it is not clear from ASIC’s Concise Statement who these email alerts were to be sent to and why the alerts were not reviewed by FIIG);
on 2 June 2023, the Australian Cyber Security Centre (part of the Australian Signals Directorate) alerted FIIG that FIIG’s systems may have been compromised;
despite this, it was only on 8 June 2023 that FIIG (with the assistance of external cybersecurity consultants) inspected the relevant employee’s laptop and discovered the compromise to FIIG’s network;
on 9 June 2023, FIIG took its network offline; and
on 10 June 2023, the malicious third party published two screenshots of documents containing Personal Client Information on the dark web.

ASIC’s Concise Statement alleges that if adequate cybersecurity measures had been put in place by FIIG, these measures would have enabled FIIG to detect the malicious activity on its network shortly after the initial compromise on 19 May 2023 and to respond promptly, with the result that the malicious third party would have been prevented from downloading some or all of the Personal Client Data and sharing it on the dark web.

As a result of FIIG allegedly failing to have adequate cybersecurity measures (including some or all of the ‘missing cybersecurity measures’ identified in the Concise Statement), ASIC’s Concise Statement claims that:

FIIG did not comply with its obligation under section 912A(1)(a) of the Corporations Act to do all things necessary to ensure that FIIG’s financial services were provided efficiently, honestly and fairly;
FIIG did not have available adequate resources (including financial, technological, and human resources) to provide the financial services covered by its AFSL in contravention of section 912A(1)(d) (including as a result of FIIG substantially relying on FIIG’s Chief Operating Officer and IT infrastructure team in relation to cybersecurity matters when those individuals had a wide range of other responsibilities as well); and
FIIG did not have adequate risk management systems, in contravention of section 912A(1)(h).

What lessons can be learnt by other AFSL holders?

Interestingly, the approach taken by ASIC in setting out the ‘missing cybersecurity measures’ that it considers should have been implemented by FIIG is similar to the approach recently taken by the Office of the Australian Information Commissioner (OAIC) in the civil penalty proceedings commenced by the OAIC against Medibank last year. In that proceeding, the OAIC’s Concise Statement set out a number of steps that the OAIC alleged should have been taken by Medibank to protect the personal information that it held. For more details, please see our earlier articles on these proceedings and insights that can be drawn from the OAIC’s approach.

While the facts of these two proceedings differ, there is a reasonable degree of overlap in the measures identified by the OAIC and ASIC in their respective Concise Statements:

Recommended measure	ASIC v FIIG	OAIC v Medibank
Key similarities
Multi-Factor Authentication (MFA)	Organisations should implement MFA for all remote access users.	Organisations should implement MFA for users of a VPN or who access sensitive or critical information assets.
Privileged Access Management	Organisations should implement management procedures to ensure that privileged access administrative accounts are used exclusively for privileged tasks, complex passwords are enforced and securely stored for these accounts, and access is promptly revoked when no longer needed.	Organisations should implement privileged access management controls to restrict access to role-based access and ensure that privileged accounts are not provided unnecessarily and are monitored for suspicious activity.
Security Monitoring	Organisations should implement Endpoint Detection and Response software on all network endpoints and servers and ensure that security detection software is monitored daily, and security logs monitored every 90 days by appropriate personnel.	Organisations should implement appropriate security monitoring processes and procedures to detect and respond to information security incidents in a timely manner.
Areas of difference
Cyber Incident Response Plan	Organisations should have a detailed cyber incident response plan that: • addresses key roles, actions, responsibilities of personnel and outlines notification requirements in the event of a cybersecurity event; • covers incident detection and analysis; and • is tested annually.	Not addressed (potentially because the OAIC’s Concise Statement identified a number of Medibank policies and standards that were in place).
Cybersecurity Awareness Training	Organisations should implement mandatory security awareness training for all employees upon commencement and repeated annually thereafter that addresses key cybersecurity risks and employee responsibilities in relation to cybersecurity.	Not specifically addressed (potentially due to this incident being caused by the actions of a third party contractor), although the OAIC did separately identify contractor assurance measures as a necessary step.
Password Complexity and Monitoring	Not addressed (potentially because the circumstances of the FIIG incident did not specifically relate to password management practices).	Organisations should implement appropriate password complexity requirements and implement controls and monitoring to prevent the use of insecure or common passwords and the re-use of passwords across multiple accounts.

What steps should organisations be taking now?

In Australia, regulators have typically tended to refrain from recommending or mandating particular cybersecurity measures or practices. In light of this, it is helpful for organisations to see some more concrete measures being identified by ASIC in these proceedings (and by the OAIC in the earlier Medibank proceedings). Nevertheless, organisations should be cautious in treating these measures as any type of exhaustive list of the cybersecurity measures that they must implement. As the analysis above demonstrates, there is some degree of variability in the views of the two different regulators in these proceedings. We also acknowledge that the different factual background to the FIIG and Medibank incidents is likely to have resulted in different minimum standards being identified by ASIC and the OAIC respectively for the purposes of demonstrating an alleged failure to implement those minimum prudent cybersecurity measures.

With that note of caution in mind, it is still possible to identify some basic common steps that we recommend organisations take. These are:

ensuring that there is active monitoring and oversight of systems, networks and technology to ensure that these systems remain secure and are operating in accordance with specified controls or policies. Good cybersecurity practice is not a ‘set and forget’ activity;
implementing systems and procedures to identify, triage and escalate potential malicious activity and cybersecurity vulnerabilities. The effectiveness of any monitoring and oversight activities can be undermined if they are not supported by an adequate number of trained personnel to review and respond to alerts and possible incidents; and
ensuring that your organisation has put in place, and regularly tests, cybersecurity incident response plans and procedures to help it be ready to respond to potential incidents in a timely and effective manner. An incident response plan that has not been tailored for an organisation and which has not been tested (and updated, if required as a result of such testing) will only be of limited effectiveness in guiding an organisation on how to effectively respond to a cybersecurity incident.