ASIC vs FIIG: Another Wake Up Call for Australian Businesses

Australian Securities and Investments Commission (ASIC) has launched civil proceedings against the investment firm FIIG Securities alleging that FIIG failed to maintain adequate cyber security posture during a period of more than four years.[1] The alleged failures allowed threat actors to steal approximately 385 gigabytes of confidential data, affecting some 18,000 clients — a stark reminder of the risks organisations face when cyber security is not treated as high priority. ASIC’s action highlights the potential serious and long-term consequences of organisational inaction towards implementing a robust cyber security posture.

“This matter should serve as a wake-up call to all companies on the dangers of neglecting your cyber security systems,” said ASIC Chair Joe Longo. It’s a warning that should resonate across all industries — not just in financial services — and one that Aon’s cyber risk specialists are encouraging clients to take seriously. The case against FIIG highlights not only the regulatory risks but also the potential reputational and financial consequences of failing to implement adequate cyber security controls.

What Went Wrong — and Why it Matters

ASIC’s case centres on allegations FIIG failed to implement and maintain several key cyber security controls. According to the regulator, the firm did not appropriately configure or monitor its firewall — a fundamental safeguard that helps prevent unauthorised access to company network and systems.

“Firewall configuration and monitoring are fundamental controls,” says Salman Khokhar, Client Manager Cyber Solutions Group Aon Australia. “Cyber risk management needs to be treated as a strategic priority — not just an operational concern.” It has also been suggested the investment firm were behind schedule in implementing updates and security patches to their software and operating systems, which can expose known vulnerabilities to attackers. Khokhar explains that unpatched systems are effectively “sitting ducks,” and this includes software that is no longer supported by the vendor. “It’s like running outdated machinery — eventually it will break, and when it does, the consequences can be significant.”

Further, ASIC alleges the absence of regular cyber awareness training for staff, a control that Khokhar describes as “a basic and necessary measure.” Employees play a critical role in protection against threats like phishing and social engineering attacks. Without proper education, staff are not equipped with the right skills and mindset to identify phishing emails.

Perhaps most telling, however, was the allegation that FIIG had not allocated sufficient human, technical or financial resources to manage its cyber security risk. “A lack of dedicated resources — whether human, technical or financial — highlights a gap in capacity for following recommended cybersecurity protocols at the enterprise level,” Khokhar said. “And increasingly, that’s something regulators — and insurers — will not overlook.”

Back to Basics: Why Cyber Hygiene is Essential

The FIIG case is a timely reminder that basic cyber hygiene is now a mandatory requirement, not just a best practice, and that directors will be scrutinised more keenly on decisions surrounding cyber security. It consists of fundamental controls that help reduce cyber security risk and demonstrate due diligence in the face of growing regulatory and insurance market expectations.

Cyber Key Controls – Marketplace Minimum Expectations

Khokhar notes that failure to implement these controls not only increases the risk of a cyber incident but also impacts insurability. “The cyber insurance market views the majority of these measures as non-negotiable. Without them, businesses are likely to face reduced coverage or significantly higher premiums — if they can obtain cover at all.”

This is not just about compliance, Khokhar added. “These are the minimum steps an organisation should take to protect its financial viability, reputation, and the trust of its customers.”

Regulatory Enforcement is Intensifying

Recent legislative amendments have expanded ASIC’s enforcement powers, allowing for more thorough investigations, the ability to issue civil penalties, and even the use of search warrants to access systems following a breach.[2]

“ASIC now has the authority to go beyond simply responding to a reported incident,” said Khokhar. “They can proactively investigate the causes of a breach, assess whether adequate controls were in place, and hold directors and organisations accountable.”

Mandatory reporting obligations have also tightened, particularly for ransomware-related incidents, making it more difficult for organisations to quietly manage events behind closed doors.

While financial services entities like FIIG are under particular scrutiny, Khokhar warns that all industries should be alert to these developments. “Any business handling sensitive data — from legal to healthcare to logistics — should consider this a sign of what’s to come.”

Supporting Clients at Every Stage of the Cyber Journey

Aon helps clients take a proactive approach to managing cyber risk — from identifying exposures to ensuring they are well positioned in the insurance market.

“We want to be part of our clients’ cyber uplift journey,” said Khokhar. “That means helping them understand where their risks lie, advising on which controls are well perceived by cyber underwriters, and offering insights such as emerging risks, claims trends, and industry specific trends.”

Aon also supports clients in quantifying their potential cyber exposure by helping them understand the financial impact of their cyber risk. This includes estimating potential losses from a major incident and determining appropriate insurance coverage levels based on specific loss scenarios.

In addition to insurance placement and risk quantification, Aon can provide proactive and reactive cyber services including vulnerability management, penetration testing, threat intelligence, and incident response — all designed to improve resilience and support business continuity.

Hackers Aren’t Going Anywhere

Perhaps the most sobering takeaway is this: hackers can afford to fail a hundred times — but an organisation only needs to fail once.

“One vulnerability is all it takes to suffer a data breach, lose customer trust, and face serious regulatory and financial consequences,” said Khokhar. “Investing in your cyber posture won’t guarantee you’ll never be attacked, but it does demonstrate that you took your responsibility seriously — and in today’s landscape, that could make all the difference.”

[1] Australian Securities and Investments Commission, ASIC sues FIIG Securities for systemic and prolonged cybersecurity failures, 13 March 2025

[2] Australian Securities and Investments Commission, ASIC investigations and enforcement, December 2024

The information contained in this communication is general in nature and should not be relied on as advice (personal or otherwise) because your personal needs, objectives and financial situation have not been considered. Before deciding whether a particular product is right for you, please consider your personal circumstances, as well as the relevant Product Disclosure Statement (if applicable), Target Market Determination and full policy terms and conditions available from Aon on request. All representations in this communication in relation to the insurance products Aon arranges are subject to full terms and conditions of the relevant policy. Please contact Aon if you have any queries.