
ASIC continues strict regulation of AFSL cybersecurity systems

Mar 2025

ASIC’s recent pursuit of penalties against an AFSL holder presents a timely reminder to Australian financial service businesses to review their cybersecurity measures and comply with obligations or face potentially serious repercussions.

Background

The Australian Securities and Investments Commission (ASIC) alleges that FIGG Securities Limited (FIGG) failed to implement and maintain adequate cybersecurity measures and systems within its business.

On 12 March 2025, ASIC filed proceedings in the Federal Court seeking declarations and pecuniary penalties for FIGG’s alleged failures over a four-year period. Importantly, ASIC contends that these failures are what allowed a data breach in May 2023, causing significant harm to FIGG’s clients.

FIGG holds an Australian Financial Services Licence (AFSL) and offers wholesale and retail investors access to bond financing and fixed income investments.

Data Breach

From 19 May 2023 until 8 June 2023 an attacker remained undetected within FIGG’s IT network, resulting in the theft of 385GB of personal information, which was later released onto the dark web. The information included sensitive customer data, such as passport details, tax file numbers, and bank account details.

FIGG was not aware of the breach until the Australian Signals Directorate’s Australian Cyber Security Centre notified it of a potential incident, and FIGG then took almost a week to respond to that notification.

ALLEGED FAILURES

ASIC alleges that FIGG has contravened ss 912A(1)(a), (d) and (h) and 912A(5A) of the Corporations Act 2001 (Cth) (the Act). The primary obligation relevant to these circumstances was the responsibility to implement adequate cybersecurity measures, resources, and risk management systems.

Adequate cybersecurity measures

ASIC alleges that during the four-year period, FIGG failed to have either an adequate level of cybersecurity measures or, in some instances, any measures at all.

ASIC alleges that this constitutes a breach of FIGG’s obligation under s 912A(1)(a) of the Act to provide its financial services efficiently, honestly, and fairly.

Lack of resources

ASIC identifies three specific types of resources under the Act that FIGG failed to provide in meeting its obligations: human resources, financial resources, and technological resources.

ASIC also draws connections between the shortfalls in each resource type and their impact on each other. The lack of financial resources impeded FIGG’s ability to obtain technological and human resources, while the lack of human resources impeded its ability to establish proper technological resources.

Overall, ASIC alleges that the lack of resources placed FIGG in contravention of s 912A(1)(d) of the Act, which obliges financial services licensees to have available adequate resources (including financial, technological and human resources) both to provide the financial services covered by their licence and to carry out supervisory arrangements.

Omitted risk management system

ASIC acknowledges that FIGG did have an existing risk management framework, in the form of an established company policy; however, during the period, FIGG failed to implement any of the measures outlined within that policy.

Further, ASIC claims that, regardless of the policy, FIGG still failed in its obligation to establish controls to identify, mitigate and manage potential risks.

As a result, ASIC alleges contraventions of s 912A(1)(h) of the Act, which requires a financial services licensee to have adequate risk management systems.

Alleged failures - Conclusion

ASIC claims that FIGG’s failures to meet the aforementioned cybersecurity obligations resulted in contravention of s 912A(5A) of the Act, which makes the above provisions civil penalty provisions.

These failures, ASIC alleges, were responsible for the data breach and the subsequent harm to FIGG’s clients.

ASIC’S REQUIRED CYBERSECURITY MEASURES

Useful guidance is contained within an Annexure to ASIC’s filed documents, where it has provided a detailed list of cybersecurity measures that were missing from FIGG’s internal systems—measures that would have assisted the business in meeting its obligations under the Act—summarised in the table below.

It is important to note that this is not an exhaustive list, but it can act as useful guidance for financial services businesses reviewing their existing measures.

If you would like further information regarding how ASIC’s decision to move against FIGG may impact your business, or how you can better prepare your business to meet its cybersecurity obligations under the Corporations Act, please reach out to our expert team, Hugh Griffin and Lucy Adamson.

Material in this article is available for information purposes only and is a high-level summary of the subject matter. It is not, and is not intended to be, legal advice. Hazelbrook does not guarantee the accuracy of the information provided. You should first obtain professional legal advice prior to taking any action on the basis of any information contained in this article. This article is copyright. For permission to reproduce this article please email Hazelbrook Legal: enquiry@hazelbrooklegal.com
