Clifford Chance

Regulatory Investigations and Financial Crime Insights

Spotlight on ESG in Australia: ASIC secures a civil penalty in its third greenwashing case and pursues a second target for inadequate cybersecurity measures

This month, the Federal Court fined LGSS Pty Ltd (LGSS) $10.5M for greenwashing, and the Australian Securities and Investments Commission (ASIC) sued FIIG Securities Limited (FIIG) for inadequate cybersecurity and risk management measures.

ASIC's recent actions highlight the importance of ESG compliance, including avoiding greenwashing and ensuring adequate cybersecurity and risk management protections are in place. ASIC has also identified these as regulatory priorities to manage ESG risks and protect the public.

ASIC's recent greenwashing actions:

ASIC now has three greenwashing wins under its belt, against Mercer Superannuation Limited (Mercer),[1] Vanguard Investments Australia Ltd (Vanguard, which we previously discussed here), and now, LGSS.[2]

Each of these cases involved breaches of sections 12DB and 12DF of the Australian Securities and Investments Commission Act 2001 (Cth), which concern false or misleading representations and conduct that is likely to mislead the public.

The Federal Court found that these sections of the Act were contravened in circumstances where:

  • Mercer and LGSS falsely represented that their products excluded investments in alcohol, gambling, the extraction or sale of carbon-intensive fossil fuels and/or entities based in Russia.
  • Vanguard falsely represented that an independent fund provided an ethically conscious investment opportunity, that securities were subject to ESG research and screening, and that any securities which violated applicable ESG criteria were excluded or removed from the index and therefore the fund.

The contraventions were admitted by Mercer (which agreed with ASIC to pay an $11.3M penalty), largely admitted by Vanguard (which was ordered to pay a $12.9M penalty, less than the $20M ASIC sought) and partly admitted by LGSS.

The importance of the LGSS decision from a penalty perspective:

The Court was required to consider 'all relevant matters' to determine an appropriate penalty. The penalty is fixed at a level that ensures it would not be regarded as an acceptable cost of doing business, but it must also be proportionate to the seriousness of the offence.

ASIC sought a $13M penalty, while LGSS argued that a $2.456M penalty was appropriate given its limited net assets of $877,000 and that a higher penalty would have a "direct, negative impact" on fund members and its profit-for-members status. The Court looked past those arguments: adjusting the penalty to account for LGSS's limited assets or the indirect impact on fund members would neutralise the sting of the penalty, and LGSS's profit-for-members status was not a reason to impose a different penalty.

In imposing a $10.5 million penalty, the factors the Court considered relevant included:

  • the seriousness of the conduct;
  • the fact that the representations were made in numerous documents, over an extended period of time and to thousands of people;
  • the benefit LGSS derived from its conduct through its ability to attract investors and enhance its reputation as the provider of a fund with ESG characteristics;
  • the steps LGSS took to improve its compliance systems since the contraventions;
  • the fact that LGSS did not adduce evidence as to the likely causes of the contravening conduct; and
  • notwithstanding LGSS's co-operation with ASIC, the manner in which LGSS ran its defence at the liability hearing.

The Court's approach to determining penalties emphasises the significance of companies having strong practices to verify information and properly characterise the nature or components of a fund or other financial product. It also underscores the importance of senior management oversight and the company's conduct once the misrepresentations are identified.

ASIC's recent cybersecurity actions:

On 12 March 2025, ASIC commenced proceedings against FIIG for contraventions of sections 912A(1)(a), (d) and (h) of the Corporations Act 2001 (Cth). The proceedings followed a cyberattack on FIIG in early 2023 where approximately 385GB of confidential data and clients' personal information was stolen.

These sections of the Act require an Australian Financial Services licensee to:

  • do all things necessary to ensure that financial services covered by its licence are provided effectively, honestly and fairly;
  • have available adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence and to carry out supervisory arrangements; and
  • have adequate risk management systems.

In its concise statement,[3] ASIC alleges that the missing cybersecurity and risk management measures include:

  • an annually tested cybersecurity response plan;
  • mandatory security awareness training at onboarding and then annually;
  • vulnerability scanning and regular penetration or vulnerability tests performed from both internal and external points;
  • "next-generation" firewalls configured to impose outbound traffic rules for endpoints and servers;
  • quarterly reviews and evaluations of existing technical cybersecurity controls;
  • the use of multi-factor authentication for all remote access users;
  • a documented patch-management process under which operating system and application security patches are tested and implemented as soon as possible; and
  • review of all event logs by the security administration every 90 days.

ASIC's case against FIIG is similar to its previous case against RI Advice Group Pty Ltd, in which RI Advice was found to have contravened sections 912A(1)(a) and (h) of the Corporations Act 2001 (Cth) for having outdated antivirus software, no backup system, and poor password practices. RI Advice was ordered to hire a cybersecurity expert, report to ASIC on any further measures necessary to adequately manage cyber risks, and implement those measures within 90 days at its own expense. It was also ordered to contribute to ASIC's legal costs.[4]

ASIC seeks similar compliance programme orders and its legal costs in FIIG's case, in addition to a pecuniary penalty.

How companies can mitigate ESG and cyber risks:

ASIC's approach to greenwashing and to cybersecurity and risk management measures is an important and timely reminder to companies to ensure they have robust and operationalised governance frameworks and practices in place. This will foster a culture of proactive governance that mitigates ESG and cyber risks.

The steps and measures companies should consider include:

  • Designating a committee (comprised of members from a range of backgrounds) to be responsible for overseeing and implementing ESG compliance.
  • Implementing robust governance frameworks, policies and procedures, and regularly reviewing them to ensure they are fit for purpose.
  • Operationalising policies, procedures and practices through onboarding and ongoing training.
  • Conducting periodic audits to identify, address and report on products (such as whether investments are compliant with the company's ESG policies) and internal systems (such as whether cybersecurity and risk management practices are fit for purpose and being utilised).
  • Monitoring and adapting to regulatory changes and updates (such as ASIC's recent activities) to maintain compliance and identify areas of improvement in your governance frameworks and practices.

---------------------------------------------------------------------------------------------------------------------

  1. Australian Securities and Investments Commission v Mercer Superannuation (Australia) Ltd [2024] FCA 850.
  2. Australian Securities and Investments Commission v LGSS Pty Ltd [2024] FCA 587 (liability); Australian Securities and Investments Commission v LGSS Pty Ltd (No 2) [2024] FCA 665 (declarations); Australian Securities and Investments Commission v LGSS Pty Ltd (No 3) [2025] FCA 205 (penalty).
  3. https://download.asic.gov.au/media/0ubnrmym/25-035mr-asic-v-fiig-securities-limited-concise-statement-sealed.pdf (concise statement); https://download.asic.gov.au/media/a2nhodd4/25-035mr-asic-v-fiig-securities-limited-originating-process-sealed.pdf (originating application).
  4. Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496.