The Australian Securities and Investments Commission's (ASIC) recent lawsuit against FIIG Securities Limited serves as a stark reminder to Australian businesses that cybersecurity is not merely an IT problem, but a significant business issue. By alleging systemic and prolonged cybersecurity failures, ASIC's action underscores the increasing seriousness with which Australian regulatory bodies are addressing cyber threats. This development acts as a clarion call for businesses nationwide to prioritise cybersecurity and reassess and strengthen their cybersecurity controls. Furthermore, top-down buy-in, endorsement, and visibility are essential to ensure that cybersecurity is perceived as a business-wide concern and not just a technical issue for the IT department alone.
In contrast to Australia's evolving stance, Europe and the United States have long established stringent cybersecurity frameworks. The European Union's General Data Protection Regulation (GDPR) mandates rigorous data protection protocols, imposing severe penalties for non-compliance. Similarly, the United States enforces robust regulations and has proactively sanctioned entities that fail to protect critical infrastructure. Australia, historically perceived as lagging, is now intensifying its regulatory approach, signalling to organisations that complacency in cybersecurity is no longer tenable.
Immediately during a cyber attack or data breach we usually see one of the following two statements from a company's management:
These sound like a broken record from companies' management, trying to deflect from their failure to protect the customer data under their custody.
My professional opinion is:
Reading the ASIC briefing and looking at the basic failures in FIIG's security, we can only assume that neither statement is true for FIIG, nor for many of the breaches of the past 18 months.
As Australian regulatory bodies like ASIC and the Office of the Australian Information Commissioner (OAIC) adopt a more assertive enforcement posture, businesses must proactively enhance their cybersecurity strategies, programmes, and projects. They need an effective cybersecurity risk management process that is aligned with business objectives and backed by buy-in from executives and the senior leadership team.
ASIC's allegations against FIIG Securities are serious. They highlight failures such as inadequately configured firewalls, outdated software, insufficient staff training, and a lack of the resources needed to manage cybersecurity risks. These lapses allegedly facilitated a cyber intrusion, resulting in the theft of approximately 385GB of confidential data affecting around 18,000 individuals.
Incidents like this not only jeopardise the general public’s trust in Australian organisations but also expose the organisation to significant legal and financial repercussions. If we attempt to conduct a root cause analysis, we see that cybersecurity is often perceived as merely an IT issue, and FIIG Securities failed to acknowledge that it is a business responsibility. The FIIG Securities case serves as a reminder that cybersecurity is integral to business risk management practices and should be managed in the same way as financial, operational, and other related business risks.
Drawing lessons from the stringent enforcement observed in Europe and the USA, Australian organisations must work seriously to improve their defences against cyber threats and show real commitment to managing cybersecurity risk through top leadership buy-in and endorsement.
Failure to do so risks substantial penalties, as well as the loss of customer trust, damage to the business's bottom line, and reduced customer retention.
The ASIC case against FIIG Securities is a clear lesson for all Australian businesses: cybersecurity negligence is no longer an option. Regulatory scrutiny is intensifying, and organisations that fail to implement robust security controls risk severe financial, legal, and reputational consequences. Beyond compliance, cybersecurity must be ingrained in the organisation's risk management framework, championed by executive leadership, and treated as a fundamental business priority.
Spartans Security can help businesses navigate this evolving regulatory landscape by providing expert cyber advisory services, including security assessments, roadmap development, vCISO services, and cybersecurity program implementation aligned with frameworks such as ISO27001, NIST CSF, and APRA CPS 234. Now is the time to act—contact Spartans Security today to strengthen your cybersecurity posture and safeguard your business from emerging threats.