ASIC Just Fined a Company $2.5 Million for Cybersecurity Failures

A Brisbane broker called FIIG Securities got hit with a $2.5 million fine from the Federal Court last month. Not because they suffered a cyber attack. That happened too, but that's not what the fine was for. They got fined because they had cybersecurity policies and didn't follow them. For over four years.

FIIG had about 18,000 customers, roughly $3 billion in client assets under management. They had cybersecurity listed as a material risk. They had written policies and frameworks covering it.

FIIG Securities had the cybersecurity policies. They just never followed them.

What They Weren't Doing

When ASIC dug into what was actually happening, it turned out almost none of it was being done. Remote access had no multi-factor authentication. Nobody with the right qualifications was watching the security alerts. Staff had never been given mandatory cyber training. Nobody had ever run a penetration test, and the incident response plan, which existed on paper, had never once been tested or rehearsed. On top of that, firewalls were misconfigured and admin accounts were being used for everyday work.

In 2023, someone on staff downloaded a malicious file. The firewall actually picked it up and generated alerts, but there was nobody watching, so the ransomware crew AlphV/BlackCat had the run of the place. They made off with 385 gigabytes of data, and it wasn't even FIIG who noticed. The Australian Cyber Security Centre had to tell them.

Driver's licences, passports, bank accounts, tax file numbers for 18,000 people. All of it ended up on the dark web.

The Numbers Are Grim

FIIG admitted that following their own policies could have stopped this, or at least caught it much earlier. The cost of actually doing the work over those four years would have been around $1.2 million. Instead they copped $2.5 million in fines, $500,000 in ASIC's legal costs, about $1.5 million in remediation, and reputational damage that's harder to quantify but probably worse than all of it. They're still exposed to claims from every one of those 18,000 clients, too.

Justice Derrington was direct about it. The penalty was meant to warn businesses that underinvest in cybersecurity. He also pointed out that ASIC doesn't expect perfection. They accept you can't stop everything. But they do expect you to take reasonable steps and then actually do them.

ASIC Isn't Stopping Here

This was the first time the Federal Court has handed down civil penalties for cyber failures under a financial services licence, but it's the third time ASIC has gone after a licensee on this. RI Advice in 2022 settled without a penalty. Fortnum Private Wealth got sued last year after 9,000 clients' data ended up on the dark web; that one's still going. Each case has been more serious than the one before, and ASIC's 2026 Key Issues Outlook names cyber risk as one of ten systemic threats to the financial system.

Even if you're not in financial services, the same thinking applies. The Privacy Act covers any business over $3 million turnover, the Cyber Security Act 2024 brought in mandatory ransomware payment reporting, and insurers are getting a lot nosier about security posture before they'll write you a policy. After any incident, the question is always the same: you said you had this covered. Was it actually working?

So, Where Does That Leave You?

Most of what FIIG got done for (no MFA, nobody watching alerts, untested backups, no training) is stuff we run into regularly with new clients. It drifts. Someone sets up the firewall when the business moves office, and three years later nobody's looked at it. The IT guy who understood the backup system left eighteen months ago and his replacement assumed it was sorted. That kind of thing.

The difference is that now there's a Federal Court judgment saying that drift has consequences. If you've got a cybersecurity policy gathering dust, or a disaster recovery plan you've never actually walked through, it's worth sorting out while it's still your idea and not a regulator's.

We've been looking after Sydney businesses for over 20 years. If you want us to take a look at where things stand, get in touch. No sales pitch, just a straight conversation.

We'll help you get your IT together!

Jamie Wilson, Founder
