Think Your Cyber Defences Are “Good Enough”? ASIC Might Disagree

Wednesday March 26, 2025

When a client recently forwarded us an ASIC announcement and asked, “Are we compliant with this?”, it highlighted a growing concern among Australian Financial Services Licence (AFSL) and Wholesale Australian Financial Services Licence (SFSL) holders: are your cyber controls up to scratch?

Thankfully, in this case, the answer was a confident yes.

But ASIC’s latest legal action shows that not everyone is getting it right.

🚨 What Happened?

In February 2025, ASIC commenced proceedings against FIIG Securities Limited, a wholesale fixed income dealer, for what it described as “systemic and prolonged cybersecurity failures.” According to ASIC’s media release, the company:

  • Failed to implement adequate cybersecurity risk management procedures
  • Did not act on known security vulnerabilities
  • Failed to follow internal and external recommendations
  • Left its systems and client data exposed over a multi-year period

⚖ Why It Matters to AFSL/SFSL Holders

Under s912A of the Corporations Act 2001, licensees must operate efficiently, honestly and fairly — and that now clearly includes managing cyber risk effectively.

ASIC reinforced in its action against FIIG that cybersecurity is not optional — it’s a core part of your licensing obligation. In its own words:

“We expect all entities we regulate to prioritise cyber security and put in place the processes and controls needed to protect their customers and systems.” — ASIC, INFO 269

✅ What You Should Be Doing

ASIC doesn’t provide a rigid checklist, but it does expect licensees to take a proactive and structured approach. That includes:

  • A cyber risk management framework appropriate to your size and complexity
  • Clear cyber governance roles and responsibilities
  • Regular patching and vulnerability management
  • Backups and disaster recovery planning
  • Incident response procedures and testing
  • Ongoing staff awareness training
  • Alignment with frameworks like the ACSC Essential Eight (Maturity Level 2 or higher)
  • Oversight of third-party IT vendors and service providers

If you’re unsure whether your current controls measure up, ASIC’s expectation is that you find out and act.

🔧 How MSP Blueshift Helps

We tailor our services to meet the specific needs of AFSL and SFSL holders, with solutions that align to both regulatory and operational expectations:

  • Fully managed cybersecurity stack aligned with the ACSC Essential Eight
  • ISO 27001-aligned policies and procedures
  • Ongoing vulnerability management & remediation
  • End-user training, phishing simulation, and awareness campaigns
  • Backup and disaster recovery readiness
  • Regular compliance reporting and incident response planning
  • Assistance with ASIC audits, questionnaires, and board-level reporting

So when clients ask us if they’re compliant — we don’t just say “yes,” we show them how and why.

👋 Final Word

If you’re unsure whether your current IT setup would stand up to ASIC scrutiny, you’re not alone. But as the FIIG case shows, “we didn’t know” isn’t going to cut it anymore.

Get in touch today and we’ll help you assess where you stand — and what needs to happen next to ensure compliance, resilience, and peace of mind.

Craig Boyle

MSP Blueshift supports a range of different businesses who depend on their technology to deliver goods and services to their clients. From architects to retail chains, we’re passionate about streamlining IT systems and processes to move business forward.
