In February 2026, the Australian Federal Court ordered FIIG Securities Limited (FIIG), an investment firm, to pay A$2.5m in civil penalties, plus A$500,000 in costs, following proceedings brought by the Australian Securities and Investments Commission (ASIC) over sustained cybersecurity failures at FIIG.
The court found that, over a four-year period, FIIG breached core Australian Financial Services Licence (AFSL) obligations under the Corporations Act 2001, including failing to provide services efficiently, honestly and fairly, to maintain adequate resources, and to implement effective risk management systems. These failures were exposed by a 2023 cyber intrusion that resulted in the theft of approximately 385GB of sensitive data, affecting around 18,000 customers, with some of the information later appearing on the dark web.
FIIG failed to:
- Allocate sufficient financial and technological resources to ensure suitably qualified and experienced personnel were available to manage cybersecurity.
- Implement adequate cybersecurity measures, including multi-factor authentication for remote access users, strong passwords and access controls for privileged accounts, appropriate firewall and security software configurations, and regular penetration testing and vulnerability scanning.
- Maintain a structured plan to ensure key software systems were updated to address security vulnerabilities.
- Ensure qualified IT personnel monitor threat alerts to identify and respond to cyber attacks.
- Provide mandatory cybersecurity awareness training to staff.
- Maintain an appropriate cyber incident response plan that was tested at least annually.
FIIG admitted the contraventions, and the court ordered a mandatory cyber compliance uplift programme led by an independent expert.
This case is particularly significant because it confirms how general AFSL obligations under the Corporations Act 2001 apply in a cybersecurity context. For the first time, civil penalties have been imposed for specific cybersecurity failures through these provisions, reinforcing that cyber resilience is a core component of providing financial services. It also demonstrates that ASIC is willing to interpret these broadly framed obligations in a more prescriptive and technical manner, with a clear focus on whether firms have adequately implemented and operated these controls in practice.
The FIIG case highlights that where cyber risks are real and foreseeable, firms are expected to take proactive steps to mitigate them and their consequences.
Lessons Learned
Cybersecurity sits firmly within the core regulatory obligations imposed on financial services firms in Australia. Under the Corporations Act 2001, AFSL holders are required to ensure that their systems, controls and governance frameworks are sufficiently robust to manage technology and data-related risks as part of their broader obligation to provide financial services efficiently, honestly and fairly. The table below outlines the cybersecurity measures firms can take to protect against the risks and consequences of a cyberattack to align with their obligations under the Corporations Act 2001.
| Obligation under the Corporations Act | Next steps to satisfy the obligation |
|---|---|
| Section 912A(1)(a): Do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly. | Compliance and risk functions can:<br>Technology or cybersecurity teams can:<br>IT operation teams can:<br>Incident response teams can:<br>Human resource teams can:<br>Senior management or board-level teams can:<br>Internal audit teams can: |
| Section 912A(1)(d): Have available adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence. | Human resource teams can:<br>Technology or cybersecurity teams can:<br>Finance teams can: |
| Section 912A(1)(h): Have adequate risk management systems. | Risk and compliance teams can put in place a risk management system that identifies and evaluates risks faced by both the AFSL holder and its clients, implements controls to manage or mitigate those risks, and monitors those controls for effectiveness. |
Regularity of activities
ASIC's concise statement on the FIIG decision provides clear, practical insight into the frequency and consistency with which firms are expected to implement and operate technical cybersecurity controls. The table below highlights what this means in practice for firms seeking to demonstrate ongoing compliance.
| Activity | Regularity/timeframes as set out in the concise statement |
|---|---|
| Testing of the cyber incident response plan | Annually. |
| Monitoring of Endpoint Detection and Response (EDR) software | Daily. |
| Application of patches and software updates | Within one month of release for critical or high-importance patches; within three months of release for all other patches. Where a patch or update cannot be deployed, implement compensating controls. |
| Storage of logs | Online for at least 90 days; in an electronic archive for at least 12 months. |
| Mandatory security awareness training | At onboarding, and then annually. |
| Review and evaluation of the effectiveness of technical cybersecurity controls | Quarterly. |
| Review and evaluation of cyber resilience across the organisation | General cyber resilience was not identified as a missing cybersecurity measure. |
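As an added illustration (not from the article, ASIC or FIIG), the following Python check applies the patching deadlines and log-retention minimums from the table above to a constructed asset inventory; the asset names, patch ids, inventory fields and retention settings are hypothetical.

```python
from datetime import date, timedelta

# Cadences taken from the regularity table above (ASIC concise statement).
ONE_MONTH_DAYS = 30          # critical / high-importance patches
THREE_MONTHS_DAYS = 90       # all other patches
LOG_ONLINE_MIN_DAYS = 90
LOG_ARCHIVE_MIN_DAYS = 365

def patch_findings(inventory, today_iso):
    """Return (asset, patch_id, days_overdue) for each patch that is past its
    deadline and has neither been applied nor covered by a compensating control."""
    today = date.fromisoformat(today_iso)
    findings = []
    for item in inventory:
        if item["applied"] or item["compensating_control"]:
            continue
        allowed = ONE_MONTH_DAYS if item["severity"] in ("critical", "high") else THREE_MONTHS_DAYS
        deadline = date.fromisoformat(item["released"]) + timedelta(days=allowed)
        if today > deadline:
            findings.append((item["asset"], item["patch_id"], (today - deadline).days))
    return findings

def log_retention_findings(retention):
    """Flag online/archive log retention settings shorter than the stated minimums."""
    findings = []
    if retention["online_days"] < LOG_ONLINE_MIN_DAYS:
        findings.append(f"online log retention {retention['online_days']}d < {LOG_ONLINE_MIN_DAYS}d")
    if retention["archive_days"] < LOG_ARCHIVE_MIN_DAYS:
        findings.append(f"archive log retention {retention['archive_days']}d < {LOG_ARCHIVE_MIN_DAYS}d")
    return findings

# Constructed sample data: hypothetical assets, patch ids and settings, not FIIG's.
SAMPLE_INVENTORY = [
    {"asset": "vpn-gw-01", "patch_id": "VENDOR-2026-001", "severity": "critical",
     "released": "2026-01-10", "applied": False, "compensating_control": False},
    {"asset": "db-02", "patch_id": "VENDOR-2026-002", "severity": "high",
     "released": "2026-01-10", "applied": False, "compensating_control": True},
    {"asset": "app-03", "patch_id": "VENDOR-2025-117", "severity": "medium",
     "released": "2025-12-20", "applied": False, "compensating_control": False},
    {"asset": "app-03", "patch_id": "VENDOR-2025-118", "severity": "low",
     "released": "2025-10-01", "applied": True, "compensating_control": False},
]
SAMPLE_RETENTION = {"online_days": 60, "archive_days": 365}

if __name__ == "__main__":
    for finding in patch_findings(SAMPLE_INVENTORY, "2026-03-01"):
        print("patch overdue:", finding)
    for finding in log_retention_findings(SAMPLE_RETENTION):
        print("log retention:", finding)
```

Run against a real inventory export, the same two functions give the quarterly control review a dated list of exceptions rather than a yes/no attestation.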
Looking ahead
ASIC’s 2026 key issues outlook positions cybersecurity, data breaches and operational resilience as a core supervisory priority, reflecting a clear concern about their impact on market confidence and consumer outcomes. Read together with the FIIG Securities decision, this signals that cyber risk is being treated as an integral component of AFSL compliance under the Corporations Act, with expectations extending beyond the existence of a framework to its ongoing implementation, testing and governance.
The FIIG outcome demonstrates ASIC’s willingness to take enforcement action where firms fail to adequately manage cyber risks, including where the deficiencies relate to control effectiveness, resourcing and oversight. In this context, firms should expect closer supervisory attention on whether their cyber risk management measures are proportionate to their business model, supported by sufficient financial and human resources, and subject to regular testing and review.
Looking ahead, this combination of stated supervisory focus and demonstrated enforcement capability suggests a higher likelihood of targeted interventions and enforcement actions in cases involving significant control failures. The direction of travel is towards more evidence-based supervision, where firms must be able to clearly demonstrate that cyber resilience is embedded within their governance and risk management frameworks.
In parallel, it is likely that New Zealand will, at the very least, move in a similar direction, given the shared regulatory focus on consumer protection, market integrity and operational resilience in financial services. This case therefore carries a direct warning for firms on both sides of the Tasman, and further afield.
Those who treat this decision as a catalyst to proactively strengthen their cybersecurity frameworks are likely to be in a stronger position both operationally and commercially. Firms that can demonstrate robust and actively tested controls can enhance consumer trust, with customers increasingly sensitive to how their data is being protected. At the same time, firms that can clearly evidence the effectiveness of their risk management measures are more likely to build regulatory confidence, resulting in more constructive supervisory engagement, reduced friction in oversight processes and a lower chance of enforcement action being taken by regulators.