
Australian-based financial firm FIIG Securities has received a $2.5 million fine following a cyber attack on it in 2023, which resulted in the theft of in the order of 385 gigabytes of confidential data.  The data included passport details, tax file numbers, bank accounts, and driver’s licences.

Background

The Australian Securities and Investments Commission (ASIC) commenced proceedings in the Federal Court of Australia against FIIG Securities (FIIG) for breaches of its obligations under the Corporations Act (ASIC v FIIG Securities Limited [2026] FCA 92). Judgment was delivered on 13 February 2026.

FIIG holds a Financial Services Licence.  It provided a client custody agreement, the terms and conditions of which promised its clients that it had the necessary capacity to perform the custodial services it offered, inclusive of having computer systems which are secure.

As an Australian Financial Services Licence holder, FIIG was subject to the provisions of section 912A(1) of the Corporations Act.  Breach of the obligations under the section may constitute a civil penalty offence.

Court findings

Under the legislation, FIIG was required to do all things necessary to ensure that the financial services it provided were provided efficiently, honestly and fairly.  This, FIIG conceded, required it to have adequate measures in place to protect its clients against cyber security risks.

However, it was found that FIIG had not taken appropriate measures to meet the standard.  For example, there were the following failures: insufficient staff training, the absence of multi-factor authentication for its remote access users, lack of IT personnel with appropriate skills and knowledge to deliver cyber threat alerts, and failure to provide mandatory security awareness training for employees or have in place systems to ensure that the training occurred on an annual basis.

As a result, it was found by the Court that FIIG's cyber security measures fell short of the standard required to comply with its licence.

The consequence was that FIIG was ordered to pay a substantial penalty.  In addition, FIIG was required to make a payment of $500,000.00 towards ASIC’s costs of the proceedings.

FIIG was also ordered to undertake a compliance programme with a series of mandated steps, including the engagement of independent experts, to be paid for by FIIG.

Lavan comment

The case is a further illustration, notwithstanding that this was in relation to an AFSL licensee, that the courts and regulators require organisations, particularly those who hold sensitive information, to take all proper steps to guard against the risk of cyber attacks in an environment where such attacks are becoming far more common.

There is little doubt that the regulators and the courts have moved from education to enforcement in this and many other privacy related areas.

It behoves companies to ensure that they understand their obligations and not only put into place written programmes and policies that accurately reflect their obligations, but also follow through and implement them. This will require the policies, programmes and implementation to be reviewed and tested from time to time to ensure that they are both legally current and effective.

It again illustrates, as we have been noting for some period of time in our various publications, that these are serious matters for corporations and need to be taken seriously from a governance level downwards.

Lavan is available to advise clients on their obligations and to assist clients in discharging them.


Disclaimer

The information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.
