11th February 2026 Cyber Update: FIIG Securities Fined $2.5M for Cybersecurity Failures

Australian firm FIIG Securities has been ordered to pay a $2.5 million penalty by the Federal Court following ASIC action over significant cybersecurity failures that led to a major data breach in 2023. The landmark case sets a new precedent for cyber resilience obligations for AFS licensees.


Cyber News Centre's cyber update for 11th February 2026: Australian fixed-income specialist FIIG Securities has been ordered by the Federal Court to pay a $2.5 million penalty for major cybersecurity failures that persisted for over four years.

FIIG Securities, an Australian financial services firm established in 1998, provides bond and fixed-income investment services to thousands of retail and wholesale clients. The company, which held approximately $3 billion in client assets under management at the time of the breach, was acquired by AUSIEX after the incident.

The Update and Why It Matters

Update: The Federal Court has imposed a $2.5 million fine on FIIG Securities, alongside a $500,000 payment towards the Australian Securities and Investments Commission's (ASIC) costs, following a significant 2023 data breach. The breach, carried out by the ALPHV/BlackCat ransomware group, exposed 385GB of sensitive data from 18,000 clients, including passport details, tax file numbers, and bank account information. The court found FIIG's cybersecurity measures were inadequate for over four years, from March 2019 to June 2023.

The initial intrusion occurred when an employee downloaded a malicious .zip file, with the firm failing to act on subsequent firewall alerts. Specific failures cited by ASIC included the lack of multi-factor authentication for remote access, no qualified personnel monitoring threat alerts, and the absence of mandatory cybersecurity training for staff.

The firm also failed to conduct regular penetration testing or maintain an adequate, tested incident response plan. FIIG admitted that complying with its own policies could have prevented the data exposure. The court has mandated an independent expert review of FIIG's cybersecurity compliance program.

Why it Matters: This ruling is a landmark event, marking the first time the Federal Court has imposed civil penalties for cybersecurity failures under the general obligations of an Australian Financial Services (AFS) licence.

The decision sends a clear and costly warning to all AFS licensees that inadequate investment in cyber resilience is no longer acceptable. ASIC Deputy Chair Sarah Court stated the consequences "far exceeded what it would have cost FIIG to implement adequate controls in the first place," highlighting the financial and reputational damage that stems from neglecting cybersecurity.

The case establishes a new, enforceable benchmark for cyber risk management in Australia's financial sector, shifting cybersecurity from an IT issue to a core compliance and governance obligation.

