ASIC's $2.5M Penalty: Why Security Controls Are No Longer Optional for Australian Businesses
ASIC just imposed its first major cybersecurity penalty: $2.5 million against FIIG Securities Limited for failing to maintain adequate security controls between 2019 and 2023. The penalty represents 20% of FIIG’s net assets and 8% of its turnover, a financial hit large enough that every Australian business should take notice. Note that FIIG did not suffer a breach; it was penalised because it was found not to be protecting itself adequately.
What Went Wrong
ASIC found FIIG failed to implement basic security practices:
No multi-factor authentication. User accounts relied solely on passwords, so a single stolen or guessed password was enough for an attacker to gain access.
Weak access controls. The company couldn’t properly manage who had access to what systems or data.
No vulnerability management. Systems were not patched, leaving known security holes exploitable.
Inadequate incident response plans. FIIG had no structured process to contain damage or investigate root causes.
No mandatory security training. Staff received little training on what to watch out for.
Inconsistent network monitoring. The company couldn’t detect suspicious activity or unauthorised access in real time.
The Legal Basis
ASIC’s action wasn’t based on a specific data breach or consumer loss. Instead, it invoked Section 912A of the Corporations Act, which requires financial services licensees to provide services “efficiently, honestly and fairly” and maintain “adequate” technological and human resources.
The key word is adequate. ASIC made clear that having security policies on paper isn’t enough—businesses must actively implement, resource, and review their cybersecurity controls. Failure to do so breaches your licensing obligations.
This Applies Beyond Financial Services
While FIIG is a financial services firm, the principle extends to any Australian business handling sensitive data. The Privacy Act requires entities to take reasonable steps to protect personal information. Under the Notifiable Data Breaches scheme, failing to implement basic security controls like MFA or access management could demonstrate negligence if a breach occurs.
ASIC’s penalty signals that regulators now consider cybersecurity a core operational requirement, not an optional IT concern.
What Businesses Should Do
Implement MFA everywhere. Start with email, admin accounts, and any system touching customer data.
Manage access properly. Know who has access to what, remove access when staff leave, and follow least-privilege principles.
Patch regularly. Establish a vulnerability management process to identify and remediate security weaknesses.
Train your staff. Make security awareness training mandatory, not optional.
Build an incident response plan. Know what to do when (not if) a security incident occurs.
Document and review. Security isn’t set-and-forget. Regular reviews and updates demonstrate due diligence.
The FIIG penalty proves that regulators will hold businesses accountable for cybersecurity failures even without a major breach. Proactive security isn’t just about preventing attacks—it’s about meeting your legal obligations and avoiding penalties that could threaten your business.
If your organization hasn’t reviewed its security controls recently, now is the time. Contact Eviant to assess your security posture and ensure you meet Australian regulatory expectations.
Ready to Work Together?
Let's discuss how we can help protect your business and achieve your security goals.