23 February 2026

First ASIC Penalty For Cybersecurity Failures: Federal Court Imposes $2.5m Penalty On FIIG

Herbert Smith Freehills Kramer LLP


The Federal Court has handed down its reasons in Australian Securities and Investments Commission v FIIG Securities Limited [2026] FCA 92, marking the first time the Court has imposed a civil penalty on an Australian financial services licensee (AFSL) for contraventions of its general obligations arising from cybersecurity failures.

Although the decision acknowledges that the mere fact of an attack does not necessarily indicate that an AFSL has failed to meet its statutory obligations in respect of cybersecurity, it reinforces ASIC's expectation that AFSLs be "on the front foot" in respect of cybersecurity in order to protect their clients against attacks that are escalating in both scale and sophistication.

Takeaways

FIIG is a significant milestone in ASIC's cyber enforcement program, building on the decision in ASIC v RI Advice in 2022 (see our earlier article). It demonstrates that under‑investment in cybersecurity — even absent widespread consumer loss or impact — can attract substantial civil penalties. In this case, the penalty was 20% of FIIG's net assets, 8% of its turnover, and more than twice what the cost of compliance would have been.

The case also provides a practical illustration of how ASIC assessed "adequacy" in the context of FIIG's business and underscores the importance of being able to demonstrate — with evidence — that cybersecurity risks are actively identified, resourced, implemented and reviewed over time, in a manner proportionate to the business and the risks it faces. This includes:

  • ensuring that documented policies and procedures are implemented
  • ensuring an appropriate level of responsibility and expertise for managing cybersecurity risks (whether via internal staff or third parties)

ASIC and FIIG reached agreement on liability and penalty in this case. There was no contest about the specific steps that needed to be taken to comply with general financial services laws and the case related to historic breaches in the period 2019 to 2023.

However, we recommend that organisations review their cybersecurity settings against the cybersecurity measures that were agreed to be "adequate" in this case and consider whether those measures are appropriate in their own setting.

Background

FIIG Securities Limited (FIIG) specialises in fixed income investment products and custodial services. Between 13 March 2019 and 8 June 2023 (the Relevant Period), FIIG controlled assets of between approximately $2.99 billion and $3.7 billion for its clients. The value of funds under advice ranged between $4.7 billion and $7.6 billion. In the course of its business, it collected and stored personal information about its clients.

In May 2023, FIIG suffered a cyberattack in which approximately 385GB of data, including sensitive personal client information, was exfiltrated from its systems. Screenshots of some of that data were later published on the dark web.

ASIC commenced proceedings alleging that, over a period of more than four years prior to the attack, FIIG had failed to implement and maintain cybersecurity measures that were adequate having regard to the nature, scale and risk profile of its business.

The contraventions and declarations

On the basis of the parties' agreed facts and admissions, the Court declared that FIIG had breached s 912A(1)(a), (d) and (h) of the Corporations Act 2001 (Cth).

Failure to provide financial services efficiently, honestly and fairly (s 912A(1)(a))

The Court declared that FIIG failed to do all things necessary to ensure that the financial services covered by its AFSL were provided efficiently, honestly and fairly. It did not have cybersecurity measures that were adequate to protect its clients from well‑understood and foreseeable cybersecurity risks, having regard to:

  • the scale and complexity of its financial services business;
  • the sensitivity of the personal and financial information it held;
  • the value of assets under its control;
  • the magnitude and potential consequences of those risks; and
  • its contractual representations to clients regarding the security of its systems.

The specific inadequacies are outlined below.

Failure to have available adequate resources (s 912A(1)(d))

The Court declared that FIIG failed to have available adequate financial, technological and human resources to provide the financial services covered by its licence. It did not have:

  • technological resources comprising adequate cybersecurity measures;
  • human resources (either within FIIG or outsourced from a third party) with sufficient skills, experience, responsibility and capacity to design, implement and monitor those measures; and
  • financial resources sufficient to support both the technology and the personnel required.

Responsibility for cybersecurity had been dispersed across roles without dedicated cyber expertise. FIIG had not invested at a level commensurate with the risks it had identified over time.

Failure to have adequate risk management systems (s 912A(1)(h))

The Court declared that FIIG failed to have adequate risk management systems. Although FIIG had identified cybersecurity as a material risk and had accounted for that risk in its risk management framework and policies, it failed to fully implement, maintain and monitor the controls those systems required. In particular, FIIG did not consistently give effect to the controls set out in its own information security policies and audit processes.

Penalty and other orders

The Court imposed a $2.5 million penalty for all the contraventions based on the parties' joint submissions. The Court accepted that the contraventions arose from a closely related course of conduct and that a lower penalty was appropriate having regard to factors including:

  • FIIG's cooperation and early admissions;
  • the absence of deliberate misconduct;
  • the fact that most quantifiable financial loss was borne by FIIG itself through $1.2 million in remediation costs; and
  • the remedial steps taken following the cyber incident.

It was also significant that the penalty was an amount equivalent to 20% of FIIG's net assets and around 8% of its turnover such that it would provide an appropriate "sting" for FIIG and would not be considered merely a cost of doing business. Additionally, the fact that the penalty was roughly twice the cost of compliance was considered to "validate the behaviour and efforts of compliant businesses" and "send a warning to businesses with inappropriate underinvestment in cybersecurity".

The Court also ordered FIIG to implement a comprehensive cybersecurity compliance programme overseen by an independent expert approved by ASIC.

What ASIC and FIIG agreed was "adequate" — and where FIIG fell short

A central feature of the case was the parties' agreement as to what constituted "adequate cybersecurity measures" for FIIG during the Relevant Period, and the respects in which FIIG's actual controls were deficient.

While the judgment stresses that adequacy is context‑specific and does not require perfection, the agreed facts identified a range of material shortcomings, including the following:

1. Its incident preparedness and response plan failing to:

  • clearly set out how to detect and confirm a cyber incident;
  • allocate responsibility for containment, investigation and remediation;
  • identify internal escalation pathways; or
  • be tested at least annually.

2. Failures in its access controls and credential management including:

  • the use of privileged accounts for ordinary, non‑privileged activities;
  • weak password standards for privileged access;
  • insecure storage of passwords; and
  • the absence of regular reviews of user access rights.

3. Deficiencies in vulnerability management and patching including:

  • no network‑wide vulnerability scanning tools;
  • no routine vulnerability scans;
  • failure to apply patches for known and critical vulnerabilities within reasonable timeframes.

4. Deficiencies in network security and monitoring including:

  • "next‑generation" firewalls were not configured to appropriately restrict outbound traffic, prevent unnecessary internet access from internal systems or block certain high‑risk protocols;
  • endpoint detection and response tooling was inconsistently deployed, not kept up to date, and not actively monitored by personnel with sufficient cybersecurity expertise;
  • alerts were generated but not meaningfully reviewed or acted upon.

5. Failures in authentication and user awareness including:

  • no multi‑factor authentication for remote access users from late 2022;
  • no structured, mandatory cybersecurity awareness training for staff beyond limited induction material and ad hoc communications.

6. Deficiencies in review and assurance including:

  • no regular review or testing of the effectiveness of cybersecurity controls, either through periodic control reviews or broader assessments of cyber resilience.
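The access-control findings in item 2 (privileged accounts used for ordinary work, no regular review of user access rights) are the kind of control that can be checked mechanically from an account inventory and logon records, and checking it regularly is what produces the dated evidence the Court looked for. The following Python is an added example written for this article; it is not code from the judgment, from FIIG or from ASIC. The account names, logon events, host roles, 90-day thresholds and classification rules are all assumptions constructed for illustration.

```python
"""Periodic access-rights review over constructed account and logon records.

Everything below (accounts, logon events, thresholds, rules) is an assumption
made for this example; it is not data or a standard taken from the judgment.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

REVIEW_INTERVAL_DAYS = 90   # assumed cadence for manager attestation of access
DORMANT_DAYS = 90           # assumed threshold for disabling unused accounts


@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool             # member of an admin-style group
    enabled: bool
    last_reviewed: Optional[date]  # when a manager last attested the access


@dataclass(frozen=True)
class Logon:
    account: str
    when: date
    logon_type: str   # "interactive", "remote_interactive", "network", "service"
    host_role: str    # "workstation", "server", "jump_host"


def review_access(accounts: List[Account], logons: List[Logon],
                  today: date) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs; an empty list means nothing to fix."""
    findings: List[Tuple[str, str]] = []
    by_account = {}
    for ev in logons:
        by_account.setdefault(ev.account, []).append(ev)

    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are out of scope for this review
        events = by_account.get(acct.name, [])

        # Rule 1: privileged accounts are for administration only. An
        # interactive logon to an ordinary workstation means the credential is
        # being used for day-to-day work, where phishing and credential theft
        # on that host can hand an attacker administrative access.
        if acct.privileged and any(
            ev.logon_type in ("interactive", "remote_interactive")
            and ev.host_role == "workstation"
            for ev in events
        ):
            findings.append((acct.name, "privileged account used for ordinary work on a workstation"))

        # Rule 2: every enabled account must have had its access attested
        # within the review interval; "never reviewed" counts as overdue.
        if acct.last_reviewed is None or (today - acct.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append((acct.name, "access rights not reviewed within interval"))

        # Rule 3: an account nobody has used for a long time should be disabled,
        # since it is an unmonitored way in if its credentials leak.
        last_logon = max((ev.when for ev in events), default=None)
        if last_logon is None or (today - last_logon).days > DORMANT_DAYS:
            findings.append((acct.name, "dormant account still enabled"))
    return findings


def run_sample() -> List[Tuple[str, str]]:
    """Run the review over constructed sample data (not real accounts)."""
    today = date(2023, 5, 1)
    accounts = [
        Account("jsmith", privileged=False, enabled=True, last_reviewed=date(2023, 3, 1)),
        Account("adm-jsmith", privileged=True, enabled=True, last_reviewed=date(2023, 3, 1)),
        Account("svc-backup", privileged=True, enabled=True, last_reviewed=date(2022, 10, 1)),
        Account("contractor1", privileged=False, enabled=True, last_reviewed=None),
        Account("old-admin", privileged=True, enabled=False, last_reviewed=None),
    ]
    logons = [
        Logon("jsmith", date(2023, 4, 28), "interactive", "workstation"),
        Logon("adm-jsmith", date(2023, 4, 20), "interactive", "workstation"),
        Logon("adm-jsmith", date(2023, 4, 21), "remote_interactive", "jump_host"),
        Logon("svc-backup", date(2023, 4, 30), "service", "server"),
        Logon("contractor1", date(2022, 12, 1), "interactive", "workstation"),
    ]
    return review_access(accounts, logons, today)


if __name__ == "__main__":
    for name, finding in run_sample():
        print(f"{name}: {finding}")
```

In a real review the inventory would be exported from the directory or identity provider and the logon events pulled from the SIEM; the shape of the check is the same. Running it on a schedule and retaining the dated output is the difference between a policy that says access rights are reviewed and being able to show that they were.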

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
