ASIC v FIIG – Australia’s cybersecurity expectations and the consequences of failure take shape

13 March 2026 | Claudia Dennison, Thomas Hanaee

On 9 February 2026, the Federal Court of Australia (FCA) in ASIC v FIIG Securities Limited[1]:

  1. declared that, for the period between 13 March 2019 and 8 June 2023 preceding a cyber incident, Australian Financial Services Licence (AFSL) holder FIIG Securities Limited (FIIG) breached three (3) AFSL core obligations under the Corporations Act 2001 (Cth) (Corporations Act) relating to cybersecurity; and
  2. ordered that:
    1. FIIG pay a pecuniary penalty of $2.5 million;
    2. FIIG undertake a compliance programme at its own cost; and
    3. FIIG pay $500,000 toward ASIC’s costs in the proceeding.

This is in addition to the circa $1.5 million in incident response costs already incurred by FIIG, bringing the total cost of the cyber incident to over $4.5 million.

Background

Under its AFSL, FIIG was entitled to provide financial product advice, asset trading and custodial/depository services to its client base. In doing so, it collected personal client information, which included contact information, DOBs, government identity documents (driver’s licences, passports, Medicare cards, TFNs) and financial information.

In May 2023, FIIG experienced a cyberattack resulting in the theft of 385 gigabytes of data from its IT infrastructure. FIIG did not identify the incident despite email alerts and daily reports generated by its firewall. Instead, the Australian Signals Directorate (ASD) detected the cyberattack and notified FIIG of it. Even then, FIIG only commenced an investigation into the incident 6 days later.

According to documents filed in the proceedings, FIIG’s ability to provide financial services following the attack was impacted for several months during restoration.

The value of assets controlled by FIIG for its clients at the time of the cyberattack sat between $2.99 and $3.7 billion, with the value of funds under advice between $4.7 and $7.6 billion. Its net assets were approx. $12,500,000 and turnover was approx. $31,250,000. FIIG maintained records of clients’ investments and managed platforms where investments could be traded and investment information accessed by clients.

The cyber incident was not of itself the basis of ASIC’s enforcement action, but a catalyst which brought to light the potential AFSL core obligation failings.

Proceedings

ASIC alleged that, relative to its risk profile, FIIG breached its AFSL holder obligations under the Corporations Act to:

  1. provide financial services efficiently, honestly and fairly (s912A(1)(a));
  2. have adequate risk management systems (s912A(1)(h)); and
  3. have adequate financial, technological and human resources in place (s912A(1)(d)).

The proceedings were only the second of their kind in Australia, the first being against ‘RI Advice’[2], where the Federal Court ruled in favour of ASIC in May 2022 on the basis that RI Advice had failed to provide its services efficiently and fairly, and had lacked adequate risk management systems, due to the implementation of inadequate cybersecurity measures.

This proceeding went a step further than RI Advice by alleging an additional (third) core obligation of failing to have adequate financial, technological and human resources in place with respect to cybersecurity measures.

Cybersecurity Risks

The parties had reached a consensus, filing a Statement of Agreed Facts and Admissions in the proceeding. They agreed that there was a real risk of the defined “Cybersecurity Risks” materialising, which included: a cyber intrusion resulting in unauthorised access to, loss of and/or use of data held by FIIG; loss of FIIG’s ability to provide its services and/or utilise its systems; financial fraudsters targeting FIIG’s clients and/or employees; and actual financial loss occurring.

What were the gaps in FIIG’s cybersecurity framework?

Before turning to the gaps, it is useful to consider what framework FIIG did have in place prior to the cyber attack, which was found to be inadequate by ASIC and the Federal Court.

According to the judgment and documents filed in the proceedings, FIIG:

  1. had a risk management system which included an IT Information Security Policy and a Cyber and Information Security Policy;
  2. conducted penetration testing (only once, in February 2023);
  3. conducted vulnerability testing of its website (once, in 2021);
  4. had Palo Alto next generation firewalls;
  5. had EDR software on some, but not all, endpoints and servers;
  6. had between 9 and 14 IT staff, with Head of IT duties falling within the Chief Operating Officer’s (COO) remit (all with a wide range of other responsibilities).

The parties agreed a list of missing “Adequate Cybersecurity Measures” which FIIG had failed to have in place for the relevant 4-year period from when it first obtained its AFSL until it began investigating and containing the cyber attack. The list is long and includes:

  1. an Incident Response Plan with critical action steps;
  2. adequate protections for privileged accounts;
  3. quarterly reviews of access rights;
  4. vulnerability scanning;
  5. adequate and regular penetration testing;
  6. adequate firewall configurations;
  7. monitoring of firewall alerts or threat alerts;
  8. an updates and vulnerability patching plan;
  9. MFA for remote access users;
  10. annual cybersecurity awareness training; and
  11. a cybersecurity controls review process.

The above missing measures amounted to a breach of the core obligation to provide financial services efficiently, honestly and fairly.

Curiously, in relation to the obligation to have adequate risk management systems, whilst the parties had agreed that FIIG had failed to put in place the Adequate Cybersecurity Measures, ASIC did not seek a declaration in that respect. Instead, it sought a declaration in relation to FIIG’s failure to fully implement, maintain and monitor the controls it did have in its risk management system.

In terms of the obligation to have adequate resources available, FIIG’s gaps were found/agreed to be:

  1. Technological resources – the Adequate Cybersecurity Measures;
  2. Human resources – despite having employed between 9 and 14 IT staff, with its COO being the Head of IT, FIIG had not employed or outsourced people with the skills, knowledge and experience in IT security measures needed to ensure it had the Adequate Cybersecurity Measures in place or adequate controls in its Risk Management System. Nor had it ensured that sufficient staff/contractors were given a sufficient level of responsibility for carrying out those tasks, and sufficient time (having regard to their other responsibilities in the organisation) to properly discharge them;
  3. Financial resources – the parties agreed that sufficient budget was not provisioned to enable FIIG to have the Adequate Cybersecurity Measures in place or to employ/outsource adequate human resources.

Key Judicial Commentary

Justice Derrington observed that “the mere fact of a successful cyberattack on an entity’s information technology systems does not necessarily indicate that the entity had failed to meet the statutory obligations imposed upon it” and that “it would be all but impossible to prevent every cyber attack”[3].

The parties had agreed, and Derrington J accepted, that the standard of competence in respect of cybersecurity, or the reasonable standard of performance that the public is entitled to expect, should be informed by:

  1. the nature of the business (including size and resources);
  2. the personal client information it holds;
  3. the value of funds under advice and assets held by it on behalf of clients;
  4. the magnitude and potential consequences of its cybersecurity risks;
  5. contractual obligations to clients.

Derrington J commented that in this case, though FIIG did have a regime of measures in place, they were insufficient to provide adequate protection given the level of the Cybersecurity Risks.

What are the implications of this ruling?

Waiting for a cyber incident to occur before assessing cyber measures is too late.

From ASIC’s perspective, inadequate financial, technological and human resources implemented in relation to an organisation’s cybersecurity framework amounts to a breach of AFSL holders’ obligations under the Corporations Act.

This judgment illustrates to AFSL/ACL holders that assigning adequate budget to address cyber risk is not optional. AFSL/ACL holders must take accountability, actively assess the scope of their organisation’s cyber risks, invest appropriately in security frameworks and develop robust governance strategies, including the employment or outsourcing of sufficient staff/contractors to establish and oversee cyber resilience.

ASIC has now established baseline technical standards for AFSL/ACL holders to have regard to when developing their cybersecurity frameworks – standards that organisations of all sizes will need to consider.

An open question remains as to where ASIC’s next test case of its regulatory toolkit may be focused. It is anticipated that ASIC may decide to pursue regulatory action for breaches of directors’ duties under ss 180 – 181 of the Corporations Act. ASIC’s pursuit of such breaches may leave directors of an organisation personally liable in the context of a cybersecurity incident where risk management frameworks were knowingly left in an inadequate state (i.e. failing to act with care and diligence, and failing to act in good faith and in the best interests of the corporation).

On a broader scale, these proceedings are indicative of a unified approach across the various agencies of the Australian Federal Government, in alignment with the 2023 – 2030 Australian Cyber Strategy (Strategy), to increase cyber security resilience across the Australian economy and increase oversight at Board level. The Strategy has translated into a suite of legislative reform packages being rolled out across government to increase cybersecurity accountability across a variety of industries answerable to different governmental agencies, and the Court’s orders here are indicative of a legislature and judiciary increasingly invested in organisations’ cybersecurity measures.

Key Takeaways

  • AFS and Australian Credit Licensees must conduct an assessment of their cybersecurity risk, match it with adequate controls/measures/resources and continually monitor their effectiveness.
  • What adequate looks like will differ from organisation to organisation; however, the judgment gives us some direction with 5 key points to consider when assessing the reasonable standard of competence/performance.
  • The agreed list of “Adequate Cybersecurity Measures” can now be used as a benchmark list to measure against.
  • With reference to the resulting pecuniary penalty order, when all else fails, cooperation with the regulator counts in mitigating the consequences: the maximum pecuniary penalty available was $41,250,000, and the order agreed between the parties and ultimately granted by the Federal Court was $2.5 million.

[1] [2026] FCA 92

[2] Australian Securities and Investments Commission v RI Advice Group Pty Ltd (2022) 160 ACSR 204

[3] [2026] FCA 92 at para [4]