Investment manager FIIG Securities has been hit with a AUD 2.5 million regulatory penalty following failures to protect clients from cyber security threats and comply with its Australian Financial Services (AFS) licence obligations.
FIIG offers issuers and investors direct access to more than 1,000 bonds. It reports AUD 4.5 billion in funds under advice.
It was acquired by Nomura Research Institute’s wholesale trading and clearing business AUSIEX last year.
This is the second time that the Australian Securities and Investments Commission (ASIC) has made a cyber security enforcement action, and the first time that the Federal Court has imposed civil penalties in such a situation.
Between 13 March 2019 and 8 June 2023, FIIG had insufficient financial resources, staff and technology allocated to cyber security and did not implement adequate cyber security measures, ASIC found. No structured plan was in place to ensure software systems were sufficiently updated, cyber security threats were not monitored by qualified personnel, and staff were not given mandatory cyber securities awareness training. The firm also did not have or annually test a cyber incident response plan.
FIIG’s insufficient cyber security measures worsened a 2023 cyber attack that may have compromised approximately 18,000 clients, ASIC said.
Sarah Court, ASIC deputy chair, commented, ”The consequences far exceeded what it would have cost FIIG to implement adequate controls in the first place.”
A further AUD 500 thousand will be paid directly to ASIC to contribute to legal costs.
In a statement, FIIG stated, “FIIG acknowledges the outcome of the Federal Court proceedings brought by ASIC in relation to the historical cybersecurity incident in 2023 and accepts the outcomes.
“FIIG has continued to strengthen its governance, leadership and cyber security defences to better protect customer data and will continue to do so with the support of its parent company AUSIEX.”
©Markets Media Europe 2025
