Snapshot

  • ASIC’s case against FIIG Securities signals increased regulatory scrutiny and the serious consequences of failure to maintain adequate cyber security posture.
  • Lack of basic cyber hygiene — such as regular patching, staff awareness training, and robust firewall configurations — can result in legal, financial and reputational consequences for a business.
  • A strong cyber posture not only strengthens cyber resilience but also supports insurability and positions an organisation more favourably in the market.

The Australian Securities and Investments Commission (ASIC) has launched civil proceedings against the investment firm FIIG Securities, alleging that FIIG failed to maintain an adequate cyber security posture over a period of more than four years.[1] The alleged failures allowed threat actors to steal approximately 385 gigabytes of confidential data, affecting some 18,000 clients — a stark reminder of the risks organisations face when cyber security is not treated as a high priority. ASIC’s action highlights the serious and long-term consequences of organisational inaction in implementing a robust cyber security posture.

“This matter should serve as a wake-up call to all companies on the dangers of neglecting your cyber security systems,” said ASIC Chair Joe Longo. It’s a warning that should resonate across all industries — not just in financial services — and one that Aon’s cyber risk specialists are encouraging clients to take seriously. The case against FIIG highlights not only the regulatory risks but also the reputational and financial consequences of failing to implement adequate cyber security controls.

What Went Wrong — and Why it Matters

ASIC’s case centres on FIIG’s failure to implement and maintain several key cyber security controls. According to the regulator, the firm did not appropriately configure or monitor its firewall — a fundamental safeguard that helps prevent unauthorised access to a company’s network and systems.

“Firewall configuration and monitoring are fundamental controls,” says Salman Khokhar, Client Manager, Cyber Solutions Group, Aon Australia. “Cyber risk management needs to be treated as a strategic priority — not just an operational concern.” It has also been suggested that the investment firm was behind schedule in applying updates and security patches to its software and operating systems, which can leave known vulnerabilities exposed to attackers. Khokhar explains that unpatched systems are effectively “sitting ducks,” and this includes software that is no longer supported by the vendor. “It’s like running outdated machinery — eventually it will break, and when it does, the consequences can be significant.”

Further, ASIC noted the absence of regular cyber awareness training for staff, a control that Khokhar describes as “a basic and necessary measure.” Employees play a critical role in protecting against threats such as phishing and social engineering attacks. Without proper education, staff are not equipped with the skills and mindset needed to identify phishing emails.

Perhaps most telling, however, was the finding that FIIG had not allocated sufficient human, technical or financial resources to manage its cyber security risk. “A lack of dedicated resources — whether human, technical or financial — highlights a gap in capacity for following recommended cybersecurity protocols at the enterprise level,” Khokhar said. “And increasingly, that’s something regulators — and insurers — will not overlook.”

Back to Basics: Why Cyber Hygiene is Essential

The FIIG case is a timely reminder that basic cyber hygiene is now a mandatory requirement, not just a best practice, and that directors will be scrutinised more keenly on their decisions surrounding cyber security. Cyber hygiene consists of fundamental controls that help reduce cyber security risk and demonstrate due diligence in the face of growing regulatory and insurance market expectations.

Cyber Key Controls – Marketplace Minimum Expectations

Khokhar notes that failure to implement these controls not only increases the risk of a cyber incident but also impacts insurability. “The cyber insurance market views the majority of these measures as non-negotiable. Without them, businesses are likely to face reduced coverage or significantly higher premiums — if they can obtain cover at all.”

This is not just about compliance, Khokhar added. “These are the minimum steps an organisation should take to protect its financial viability, reputation, and the trust of its customers.”

Regulatory Enforcement is Intensifying

Recent legislative amendments have expanded ASIC’s enforcement powers, allowing for more thorough investigations, the ability to issue civil penalties, and even the use of search warrants to access systems following a breach.[2]

“ASIC now has the authority to go beyond simply responding to a reported incident,” said Khokhar. “They can proactively investigate the causes of a breach, assess whether adequate controls were in place, and hold directors and organisations accountable.”

Mandatory reporting obligations have also tightened, particularly for ransomware-related incidents, making it more difficult for organisations to quietly manage events behind closed doors.

While financial services entities like FIIG are under particular scrutiny, Khokhar warns that all industries should be alert to these developments. “Any business handling sensitive data — from legal to healthcare to logistics — should consider this a sign of what’s to come.”

Supporting Clients at Every Stage of the Cyber Journey

Aon helps clients take a proactive approach to managing cyber risk — from identifying exposures to ensuring they are well positioned in the insurance market.

“We want to be part of our clients’ cyber uplift journey,” said Khokhar. “That means helping them understand where their risks lie, advising on which controls are well perceived by cyber underwriters, and offering insights such as emerging risks, claims trends, and industry specific trends.”

Aon also supports clients in quantifying their potential cyber exposure by helping them understand the financial impact of their cyber risk. This includes estimating potential losses from a major incident and determining appropriate insurance coverage levels based on specific loss scenarios.

In addition to insurance placement and risk quantification, Aon can provide proactive and reactive cyber services including vulnerability management, penetration testing, threat intelligence, and incident response — all designed to improve resilience and support business continuity.

Hackers Aren’t Going Anywhere

Perhaps the most sobering takeaway is this: hackers can afford to fail a hundred times — but an organisation only needs to fail once.

“One vulnerability is all it takes to suffer a data breach, lose customer trust, and face serious regulatory and financial consequences,” said Khokhar. “Investing in your cyber posture won’t guarantee you’ll never be attacked, but it does demonstrate that you took your responsibility seriously — and in today’s landscape, that could make all the difference.”

[1] Australian Securities and Investments Commission, “ASIC sues FIIG Securities for systemic and prolonged cybersecurity failures”, 13 March 2025.

[2] Australian Securities and Investments Commission, “ASIC investigations and enforcement”, December 2024.
