Fixed income manager FIIG Securities has been ordered by the Federal Court to pay $2.5 million in penalties over serious cybersecurity shortcomings. The ruling follows findings that the firm failed to adequately safeguard client data over a four-year period, culminating in a significant cyberattack in 2023.
The breach impacted approximately 18,000 clients and resulted in the theft of around 385 gigabytes of sensitive data. Information exposed on the dark web included driver’s licences, passport details, bank account information and tax file numbers.
According to the court, between 13 March 2019 and 8 June 2023, FIIG failed to implement essential cybersecurity safeguards. These failures included insufficient allocation of financial and technological resources, lack of qualified cybersecurity personnel, absence of multi-factor authentication for remote access, weak password and privileged account controls, inadequate firewall and software configurations, and failure to conduct regular penetration testing and vulnerability scans.
The firm also lacked a structured software update process to address security vulnerabilities, did not have properly trained IT staff monitoring threat alerts, failed to provide mandatory cybersecurity awareness training to employees, and did not maintain or regularly test an appropriate cyber incident response plan.
In addition to the $2.5 million penalty, the court ordered FIIG to contribute $500,000 toward ASIC’s legal costs. The company must also undertake a compliance program, including appointing an independent expert to review and strengthen its cybersecurity and cyber resilience frameworks.
This marks the first instance in which the Federal Court has imposed civil penalties for cybersecurity breaches under general Australian Financial Services (AFS) licence obligations.
“FIIG admitted that it failed to comply with its AFS licence obligations and that adequate cyber security measures – suited to a firm of its size and the sensitivity of client data held – would have enabled it to detect and respond to the data breach sooner.
“It also admitted that complying with its own policies and procedures could have supported earlier detection and prevented some or all of the client information from being downloaded.”
ASIC deputy chair Sarah Court emphasised the regulator’s stance on cybersecurity compliance: “Cyber-attacks and data breaches are escalating in both scale and sophistication, and inadequate controls put clients and companies at real risk.
“ASIC expects financial services licensees to be on the front foot every day to protect their clients. FIIG wasn’t – and they put thousands of clients at risk.
“In this case, the consequences far exceeded what it would have cost FIIG to implement adequate controls in the first place.”
Responding to the ruling, FIIG
stated: “FIIG accepts the Federal Court’s ruling related to a cybersecurity incident that occurred in 2023 and will comply with all obligations. We cooperated fully throughout the process and have continued to strengthen our systems, governance and controls. No client funds were impacted, and we remain focused on supporting our clients and maintaining the highest standards of information security.”
ASIC Steps Up Cyber Enforcement
The case underscores ASIC’s growing focus on cybersecurity enforcement within the financial services sector.
In July 2025, ASIC initiated civil proceedings against Fortnum Private Wealth Limited, alleging failures to appropriately manage and mitigate cybersecurity risks. Earlier, in May 2022, the Federal Court determined that AFS licensee RI Advice had breached its obligations by failing to maintain adequate risk management systems to address cybersecurity threats.
The Court stated: “Clients entrust licensees with sensitive and confidential information, and that trust carries clear responsibilities.”
In its 2026 key priorities document, ASIC identified cyberattacks, data breaches and weak operational resilience as major risks capable of undermining market integrity and harming consumers.
“Digitisation, legacy systems, reliance on third parties, and evolving threat actor capability continue to elevate cyber risk in ASIC’s view. ASIC is urging directors and financial services license holders to maintain robust risk management frameworks, test their operational resilience and crisis responses, and address vulnerabilities with their third-party service providers.”
Smartphone Restrictions Gain Momentum in Schools
Separately, debate over smartphone use in schools continues to intensify as institutions adopt phone-free policies to improve learning outcomes and student wellbeing.
Addressing concerns about the cost and necessity of phone restrictions, one advocate explained:
"Yes it can seem an expensive way of keeping phones out of schools, and some people question why they can't just insist phones remain in a student's bag," he explains.
"But smartphones create anxiety, fixation, and FOMO - a fear of missing out. The only way to genuinely allow children to concentrate in lessons, and to enjoy break time, is to lock them away."
Supporters argue that schools introducing phone-free systems have seen tangible improvements.
"There have been notable improvements in academic performance, and headteachers also report reductions in bullying," he explains.
Vale of York Academy implemented phone pouches in November. Headteacher Gillian Mills told the BBC:
"It's given us an extra level of confidence that students aren't having their learning interrupted.
"We're not seeing phone confiscations now, which took up time, or the arguments about handing phones over, but also teachers are saying that they are able to teach."
The political landscape is also responding. Conservative leader Kemi Badenoch has pledged to enforce a nationwide smartphone ban in schools if elected, while the Labour government has opted to leave decisions to headteachers and launched a consultation on limiting social media access for under-16s.
As part of broader measures, Ofsted will gain authority to assess school phone policies, with ministers signalling expectations that schools become “phone-free by default”.
Some parents, however, prefer their children to carry phones for safety during travel.
"The first week or so after we install the system is a nightmare," he adds. "Kids refuse, or try and break the pouches open. But once they realise no-one else has a phone, most of them embrace it as a kind of freedom."
The broader societal debate continues as smartphone use expands alongside social media and AI-driven content ecosystems.
"We're getting so many enquiries now. People want to ban phones at weddings, in theatres, and even on film sets," he says.
"Effectively carrying a computer around in your hand has many benefits, but smartphones also open us up to a lot of misdirection and misinformation.
"Enforcing a break, especially for young people, has so many positives, not least for their mental health."
Dugoni believes society may be approaching a critical moment:
"We're getting close to threatening the root of what makes us human, in terms of social interaction, critical thinking faculties, and developing the skills to operate in the modern world," he explains.
