A warning to AFSL holders – ASIC sues for alleged inadequate cyber security systems
In March 2025, the Australian Securities and Investments Commission (ASIC) commenced its second ever enforcement proceeding in the Federal Court concerning cyber security failings of an Australian financial services license (AFSL) holder, this time against FIIG Securities Limited (FIIG).
We wrote about ASIC’s first enforcement action against an AFSL holder for cyber security failings in a previous report.
This appears to be a sign of things to come. In November 2024, ASIC announced its enforcement priorities for 2025, which includes AFSL holder failures relating to adequate cyber security protections. In a recent media release, ASIC Chair Joe Longo described advancing digital safety and resilience as a strategic priority for ASIC.
In this article, we consider ASIC’s enforcement proceeding against FIIG and what this means for AFSL holders generally.
Background
FIIG offers fixed income investment and bond financing services to both retail and wholesale clients. It is required at all times to be the holder of an AFSL and comply with the licensee obligations under section 912A of the Corporations Act 2001 (Cth).
On 19 May 2023, FIIG was the victim of a cyber incident that culminated in the theft of approximately 385GB of data, including confidential client information. The stolen data, which included personal information, was subsequently released on the dark web. It was widely reported that Russian cybercriminal group AlphaV, also known as BlackCat, claimed responsibility for the attack. AlphaV have been rumoured to be responsible for some of the largest cyber attacks against Australian organisations.
ASIC’s case and the proceedings
On 12 March 2025, ASIC commenced proceedings against FIIG in the Federal Court of Australia.
ASIC alleges in its Concise Statement that, between 12 March 2019 and 8 June 2023, FIIG failed to implement adequate cyber security measures that may have prevented the cyberattack. ASIC alleges that FIIG is in contravention of sections 912A(1)(a), (d) and (h) of the Corporations Act. These provisions require all holders of an AFSL to:
- do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly (section 912A(1)(a));
- have available adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence and to carry out supervisory arrangements (section 912A(1)(d)); and
- have adequate risk management systems (section 912A(1)(h)).
The alleged contraventions, which ASIC refers to as the ‘missing cyber security measures’, include a failure to have the following systems implemented:
- a cyber incident response plan, approved by FIIG and accessible to all staff;
- management of privileged access to accounts on FIIG’s networks and systems to ensure that separate administrator accounts were used for privileged access;
- a daily practice of monitoring of the ‘security incident events management software by personnel with the knowledge, skills, experience and capacity to identify and respond to any unusual activity’;
- a practice of ensuring patches and software updates were applied to all applications used by FIIG;
- multi-factor authentication requirements for all remote access users; and
- mandatory security awareness training delivered to all employees upon starting at FIIG, and on an ongoing annual basis.
ASIC seeks the following relief from the Court:
- declarations in relation to FIIG’s alleged failures to maintain adequate cyber security protections which allowed the attack to occur, including that FIIG breached its duties as an AFSL holder under section 912A of the Corporations Act;
- an order that FIIG pay a pecuniary penalty for its breaches of section 912A; and
- an order that FIIG must complete a compliance review of its cyber security measures and procure an independent expert report on those measures for ASIC.
This is similar to the relief sought in ASIC v RI Advice Group Pty Ltd.[1] However, the RI Advice matter settled prior to hearing on liability, with ASIC ultimately agreeing not to seek pecuniary penalties in that case. This time around, ASIC may well look to send a message to AFS licensees by seeking the imposition of a substantial civil penalty.
We will provide a further update on the proceeding in due course.
Key takeaways
There are several key takeaways from the commencement of this proceeding.
Firstly, the requirement of a licensee to provide financial services efficiently, honestly and fairly under section 912A(1)(a) of the Corporations Act is broad. It does not relate solely to the provision of services by staff directly to the end consumer. This proceeding reaffirms that ASIC expects licensees to have adequate cyber security measures as part of their obligations of efficiency, honesty and fairness. Even simple measures such as those highlighted above (eg requiring staff to log in remotely using multi-factor authentication, or regularly applying software updates) are captured by the requirements of section 912A(1)(a).
Secondly, the above obligation is intrinsically linked with the requirement to have adequate financial, technological and human resourcing in the case of cyber security. This is because not all licensee employees will hold the requisite skills and expertise to assess, implement and maintain the licensee’s cyber security plan. This proceeding demonstrates ASIC’s expectation that a licensee employs or outsources personnel with the appropriate experience to manage and monitor its cyber security systems. Licensees should also ensure that the technology in use is up-to-date and that sufficient annual budgeting is afforded to cyber risk mitigation and strategy.
Thirdly, ASIC considers that cyber security risk management practices reduce potential harm to end consumers and expects licensees to implement and evolve their risk management systems to counter cyber security threats. In the media release referred to above, Joe Longo set expectations by saying that ‘cyber security isn’t a set and forget matter. All companies need to proactively and regularly check the adequacy of their cybersecurity measures and follow the advice of the ASD’s ACSC (the Australian Cyber Security Centre)’.
Active management of cyber risks and regular improvement to existing risk management systems should be a routine operation at licensees to minimise exposure to attacks. The more sensitive the information held by the licensee, the more robust the risk management framework must be.
Lastly, it is clear even at this early stage in the proceeding that ASIC will be taking cyber security failings seriously in 2025. Enforcement action from ASIC could come as a direct consequence of a cyber breach if the licensee is considered to have failed to take steps to protect its systems from infiltration.
Risk mitigation
This new proceeding signals that licensees must act proactively, not just reactively, to assess and strengthen their cyber security and risk management frameworks to meet their obligations under section 912A of the Corporations Act. Licensees that fail to do so risk adverse enforcement action being taken against them, which bears significant financial and reputational risk.
Hall & Wilcox’s cyber and financial services experts can assist your organisation with regulatory compliance and cyber risk management. To discuss whether you have the right cyber risk mitigation strategies in place, or what to do if a cyber incident occurs, please do not hesitate to contact our team.
[1] [2021] FCA 1193.