In February 2026, the Federal Court ordered FIIG Securities to pay $2.5 million in penalties plus $500,000 in ASIC's costs. FIIG admitted the breaches. The reason this case matters more than the dollar figure is that ASIC named the specific controls that were missing and argued, successfully, that their absence was a licence breach.
What happened at FIIG
FIIG Securities is a fixed income broker. ASIC filed suit in February 2025 for cyber security failures running from March 2019 to June 2023, roughly four years. During a twenty-day window between 19 May and 8 June 2023, a hacker moved through FIIG's network undetected and took approximately 385GB of confidential data from around 18,000 clients.
FIIG admitted breaching three provisions of section 912A of the Corporations Act 2001: s912A(1)(a), requiring services to be provided efficiently, honestly and fairly; s912A(1)(d), requiring adequate financial, technological and human resources; and s912A(1)(h), requiring adequate risk management systems.
The legal argument ASIC ran was straightforward. Failing to resource basic cyber security controls breaches the obligation to maintain adequate technological and human resources. Not a new or separate obligation. The same licence condition that has always applied.
The seven controls ASIC named
ASIC did not allege sophisticated failures. It identified seven absent controls:
- A tested incident response plan
- Privileged account management
- Vulnerability scanning
- Up-to-date, properly configured firewalls
- A regular software patching schedule
- MFA for remote users
- Mandatory security awareness training for staff
A competent managed services provider would include most of these without being asked. The question FIIG could not answer is why they were absent for four years.
Why four years matters
The breach ran for twenty days. The failures ASIC prosecuted ran for four years.
ASIC treated the prolonged absence of controls as the heart of the case, not the incident itself. Its position is that AFSL holders must maintain adequate cyber security on an ongoing basis. A firm that suffers an incident despite reasonable controls is in a different position to one that simply never invested in the basics.
The exposure does not start when the attacker arrives. It starts whenever the controls were last adequate.
The 20-day dwell time
Twenty days undetected. When there is no endpoint detection, no continuous monitoring and no alerting infrastructure, that timeline is not surprising. The attacker had time to find the data, stage it and move 385GB before anyone noticed anything was wrong.
Dwell time is the gap between initial access and detection. Continuous monitoring and privileged account visibility are the controls that reduce it. They are among the controls ASIC named because they work.
When FIIG eventually identified the breach, the damage was done.
What this means for your licence
RI Advice Group in May 2022. Fortnum Private Wealth in 2025. FIIG in 2026. The legal framework is consistent across all three. ASIC is treating cyber security as a licence condition and enforcing it through civil penalty proceedings. That is not a trend. It is settled.
The seven controls from FIIG are the floor. Commissioner Simone Constant confirmed in May 2026 that cyber resilience is a core licensing obligation. ASIC's 2025 key issues outlook put directors on personal notice and flagged active investigations.
Dealer groups carry additional exposure
The Fortnum case covers ground FIIG does not. ASIC sued Fortnum for allegedly failing to mandate minimum cyber training for its authorised representatives and for not supervising cyber risk management across its AR network. ASIC Chair Joe Longo said the alleged failure exposed the company, its representatives and their clients to "an unacceptable level of risk."
For dealer groups with large AR networks, the oversight obligation now extends across the full network. Whether each AR has completed awareness training, and whether the licensee can demonstrate it, are the questions ASIC is now asking.
Documentation matters as much as implementation
ASIC does not take a firm's word that controls exist. REP 776, published in November 2023, noted gaps in how regulated entities were documenting their cyber practices. Having controls and being able to show them are different things.
Patch management logs, MFA configuration records, training completion registers, incident response test dates, access control review records. ASIC requires all regulated entities to formally table its cyber correspondence at the ultimate board and risk governance committee. That is the minimum starting point.
Frequently asked questions
What did FIIG Securities specifically do wrong?
Seven baseline controls were absent for approximately four years: a tested incident response plan, privileged account management, vulnerability scanning, up-to-date firewalls, regular software patching, MFA for remote users and mandatory staff security awareness training. A hacker used those gaps to spend twenty days on the network and take 385GB of client data.
How much was the FIIG penalty?
$2.5 million in pecuniary penalties plus $500,000 in ASIC's costs. FIIG admitted the breaches rather than contesting them.
Does this apply to smaller financial services firms?
Yes. Section 912A applies to all AFSL holders. The controls should be proportionate to the size and complexity of the business, but the seven controls from FIIG apply at every scale. A sole adviser and a mid-market broker both need MFA, regular patching and a tested incident response plan.
What is the connection between FIIG and Fortnum Private Wealth?
FIIG is about control failures inside the licensee's own environment. Fortnum is about supervision failures across an AR network. Different exposures, and ASIC is pursuing both.
What should I do first?
Work through the seven FIIG controls and check each one against your environment. MFA on all remote access is the highest-return action for most firms and does not take long to implement. After that: confirm your incident response plan has been tested recently, your patching schedule is actually being followed, and your firewall configurations are current.
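One way to run that check and the evidence review described under "Documentation matters as much as implementation" is to keep a simple register of when each of the seven controls was last evidenced, then flag anything missing or stale. The script below is an added illustration, not code from the article or from IronSights; the evidence artefacts are the ones the article lists, but the review cadences and the sample register are constructed assumptions for the example, not figures from the judgment or from ASIC guidance.

```python
from datetime import date

# The seven controls ASIC named in FIIG, each mapped to the evidence
# artefact a licensee would be asked to produce and a review cadence
# in days. The cadences are ASSUMPTIONS chosen for illustration.
CONTROLS = {
    "incident_response_plan": ("incident response test date", 365),
    "privileged_account_management": ("privileged access review record", 90),
    "vulnerability_scanning": ("vulnerability scan report", 30),
    "firewall_configuration": ("firewall configuration review", 90),
    "software_patching": ("patch management log", 30),
    "mfa_remote_access": ("MFA configuration record", 90),
    "security_awareness_training": ("training completion register", 365),
}


def assess_register(register, today):
    """Map each control to (status, artefact), where status is
    'current', 'stale' or 'missing'. `register` maps a control name to
    the date of its most recent evidence, or None if none exists."""
    findings = {}
    for control, (artefact, cadence_days) in CONTROLS.items():
        last = register.get(control)
        if last is None:
            findings[control] = ("missing", artefact)
        elif (today - last).days > cadence_days:
            findings[control] = ("stale", artefact)
        else:
            findings[control] = ("current", artefact)
    return findings


def gaps(findings):
    """Controls that could not be evidenced as current, sorted by name."""
    return sorted(c for c, (status, _) in findings.items() if status != "current")


def exposure_start(register, findings):
    """Earliest date from which a stale control can no longer be shown
    adequate. Returns None if any control has no evidence at all,
    because the exposure window then cannot be bounded from the
    register (the FIIG position: it starts when controls were last
    adequate, not when the attacker arrives)."""
    stale_dates = []
    for control, (status, _) in findings.items():
        if status == "missing":
            return None
        if status == "stale":
            stale_dates.append(register[control])
    return min(stale_dates) if stale_dates else None


# Constructed sample register: dates are invented for the example.
SAMPLE_REGISTER = {
    "incident_response_plan": date(2024, 1, 15),
    "privileged_account_management": None,
    "vulnerability_scanning": date(2025, 5, 20),
    "firewall_configuration": date(2025, 4, 1),
    "software_patching": date(2025, 5, 28),
    "mfa_remote_access": date(2025, 3, 10),
    "security_awareness_training": date(2025, 2, 1),
}
ASSESSMENT_DATE = date(2025, 6, 1)  # constructed review date


def assess_sample():
    """Run the check over the constructed register at the fixed date."""
    return assess_register(SAMPLE_REGISTER, ASSESSMENT_DATE)


if __name__ == "__main__":
    findings = assess_sample()
    for control, (status, artefact) in findings.items():
        print(f"{control:32} {status:8} evidence: {artefact}")
    print("gaps:", gaps(findings))
    print("exposure start:", exposure_start(SAMPLE_REGISTER, findings))
```

On the sample register the incident response plan is flagged stale (last tested over a year earlier) and privileged account management is flagged missing, so the two gaps surface before anyone has to argue about whether the control "exists". Because one control has no evidence at all, the exposure start cannot be bounded, which is exactly the position a licensee wants to avoid being in.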
IronSights works with Australian financial services firms on the controls ASIC measures against. A penetration test shows where the gaps are. Fortify closes them.