The Federal Court has imposed a $2.5 million penalty on FIIG Securities Limited (FIIG) for failing to maintain adequate cybersecurity measures. This marks the first time penalties have been awarded under the general Australian financial services (AFS) licence obligations for cybersecurity deficiencies.1
FIIG's failures spanned more than four years (March 2019 to June 2023) and materially worsened the impact of a May 2023 ransomware attack. FIIG admitted that adequate measures would have enabled earlier detection and prevented some or all of the 385-gigabyte data exfiltration.
The Court confirmed that licensees are not expected to be able to prevent all cyber incidents, and that ASIC is not seeking to impose an unattainable standard of information protection. Rather, the question is whether licensees have 'adequate' cyber protection systems in place, considering the nature, scale and risk profile of the business.
The decision follows ASIC's 2022 enforcement action against RI Advice and sits alongside ongoing proceedings against Fortnum Private Wealth, signalling sustained regulatory focus on operational resilience.
Background to ASIC v FIIG
FIIG is a fixed income specialist providing retail and wholesale investors with access to fixed income investments and bond financing. Under its AFS licence, FIIG was authorised to provide financial product advice, deal in financial products, make a market for certain financial products, and provide custodial or depository services. During the relevant period, FIIG held approximately $4.7-$7.6 billion in funds under advice and $2.99-$3.7 billion in client assets under management.
In May 2023, FIIG suffered a cyber incident in which threat actors gained access to FIIG's network and exfiltrated approximately 385 gigabytes of data, some of which was subsequently published on the dark web. The stolen data included sensitive personal information such as details of driver's licences, passports and Medicare cards, Tax File Numbers and bank account details.
On 12 March 2025, ASIC commenced civil penalty proceedings against FIIG in the Federal Court. The proceedings alleged that over a four-year period prior to the incident, FIIG failed to have in place adequate cybersecurity measures, and thereby contravened its obligations under section 912A of the Corporations Act 2001 (Cth) (Act).
The matter was resolved by way of agreed facts and admissions. On 9 February 2026, the Court made orders by consent imposing penalties and requiring remediation.
Contraventions
The Court declared that FIIG breached its obligations under s 912A(1)(a), (d), and (h) of the Act, and thereby contravened the s 912A(5A) civil penalty provision, by failing to:
- Have adequate technological, human and financial resources (s 912A(1)(d)). Specifically, the Court found that FIIG did not have:
- adequate technological resources comprising adequate cybersecurity measures;
- adequate human resources with the skills, responsibility and capacity necessary to put in place and maintain adequate security measures and implement the controls required as part of its risk management system; and
- sufficient financial resources to enable it to have in place the required technological and human resources.
- Have adequate risk management systems (s 912A(1)(h)). Although FIIG had identified cybersecurity controls within its risk management framework, it failed to implement them. The Court held that this failure meant FIIG did not have adequate risk management systems as required by s 912A(1)(h).
- Do all things necessary to provide financial services efficiently, honestly and fairly (s 912A(1)(a)). The Court found FIIG failed to comply with this obligation because it lacked:
- adequate cybersecurity measures;
- adequate financial, technological and human resources; and
- adequate risk management systems.
Inadequate cybersecurity measures
The Court emphasised that 'adequacy' in the context of cybersecurity is determined by reference to the risks faced by the relevant business. In FIIG's case, this involved consideration of:
- the nature of the business;
- the data it held;
- the value of funds under advice and assets held;
- the potential consequences posed by a cyber attack; and
- FIIG's contractual obligations to clients.
The parties agreed and the Court accepted that FIIG's cybersecurity measures fell short of what was required under s 912A of the Act, when considering the matters set out above. These inadequacies included:
- Incident response: FIIG's cyber incident response plan did not identify steps for detecting, containing, or recovering from an incident, no key personnel were nominated, and no annual testing was conducted.
- Access controls and password management: Privileged accounts were used for routine tasks rather than being separated from day-to-day user accounts, passwords were not required to meet a 14-character minimum, and credentials were stored in plaintext files on FIIG's network. User access rights were also not reviewed on a regular basis.
- Vulnerability scanning and penetration testing: FIIG had no vulnerability scanning tools across its network or endpoints and never ran or reviewed vulnerability scans. Penetration testing was limited to external perimeter testing in February 2023 and basic website testing in 2021, with no annual testing of internal systems or business-critical applications.
- Firewall configuration: Although FIIG had Palo Alto next-generation firewalls, they were not configured to prevent direct connections to FTP servers over the internet or to restrict outbound traffic to only what each system required (that is, a default-deny egress policy). The only outbound restriction in place was a block on SMTP email traffic.
- Authentication weaknesses: FIIG failed to disable the insecure NTLMv1 authentication protocol across its network and did not implement multi-factor authentication for remote access users until late 2022.
- Endpoint detection and response (EDR): Carbon Black EDR software was not installed on all devices, agents were allowed to fall more than two versions out of date, and threat signatures were not updated daily. There was also no daily monitoring of alerts, and the tool was never tuned to filter known benign activity.
- Patching: FIIG had no patching plan and consistently failed to apply patches within required timeframes for critical, medium, and lower-priority vulnerabilities. It also failed to patch the widely-exploited 'EternalBlue' vulnerability (the SMBv1 flaw CVE-2017-0144, for which Microsoft released the MS17-010 fix in March 2017) from March 2019 to at least February 2023, and the 'BlueKeep' vulnerability (the RDP flaw CVE-2019-0708, patched by Microsoft in May 2019) from May 2019 to at least May 2023. In both cases a vendor fix was available for the entire period of the failure.
- Threat monitoring: FIIG had no practice of monitoring threat alerts using IT personnel with the knowledge, skills and experience to identify and respond to suspicious or unusual activity.
- Security awareness training: Employee training was limited to induction references to policy documents and two phishing-awareness emails sent in 2022, with no mandatory annual training ever implemented.
- Review of controls and cyber resilience: FIIG had no process to assess the effectiveness of its technical controls on a quarterly or annual basis, and never conducted an organisation-wide review of its cyber resilience.
Penalties
Pecuniary penalty: $2.5 million
The Court ordered FIIG to pay a pecuniary penalty of $2.5 million for all the contraventions, based on the parties' joint submissions. The penalty is significant for FIIG, representing approximately 20% of its net assets and 8% of its annual turnover, and was intended to act as 'a warning to businesses with inappropriate underinvestment in cybersecurity'. Notably, the penalty was also more than twice the estimated cost of compliance over the relevant period, which the Court considered would 'validate the behaviour and efforts of compliant businesses'.
Court-supervised compliance programme
The Court also ordered FIIG to undertake a comprehensive compliance programme involving the engagement of an independent cybersecurity expert, the preparation of an independent report, and the implementation of remedial actions in accordance with an agreed timetable, with ASIC oversight throughout the process.
Costs order: $500,000
The Court ordered FIIG to pay $500,000 towards ASIC's costs of the proceeding within 30 days.
Significance and ASIC's enforcement approach to cyber risk
Building on RI Advice
The FIIG case is the most significant development in ASIC's cybersecurity enforcement programme since ASIC v RI Advice Group Pty Ltd [2022] FCA 496 (RI Advice). It reflects a clear evolution in both the scope of the contraventions alleged and the consequences ASIC is prepared to pursue.
A comparison of the 2026 FIIG and 2022 RI Advice decisions shows several important developments over the period:
- Introduction of civil penalties: This is the second time ASIC has sought civil penalties against an AFS licensee for cybersecurity failures under its general AFSL obligations.2 However, it is the first case in which penalties have actually been awarded, as RI Advice ultimately settled without a pecuniary penalty (relief was limited to remediation and costs orders). This signals that financial penalties will form part of ASIC's enforcement programme going forward.
- Expansion to resource allocation: In RI Advice, ASIC only alleged contraventions of ss 912A(1)(a) and (h) of the Act. However, in FIIG, ASIC also alleged a contravention of s 912A(1)(d), the obligation to have adequate financial, technological and human resources. This additional alleged contravention reflects ASIC's view that inadequate cybersecurity is not merely a failure to implement the right controls, but also a failure of resource allocation.
- More granularity as to what is 'adequate': Both cases confirm that 'adequacy' is a normative, context-specific standard informed by technical expertise rather than public expectation. However, where RI Advice identified relatively general deficiencies (absent antivirus, poor password practices, lack of backups), FIIG addresses specific technical cybersecurity protections, such as 14-character password minimums, separation of privileged accounts, annual penetration testing, MFA for remote access, and mandatory annual security training. Furthermore, the nature of the deficiencies identified in each case is itself instructive: in RI Advice, the failures were largely basic, whereas in FIIG they extended to how controls were configured, deployed and maintained. That shift in the type of conduct that is treated as inadequate suggests the standard has risen materially. Licensees should not treat the controls identified in either case as a fixed benchmark, given that FIIG's own relevant period ended in June 2023.
- Implementation is key: A further development highlighted by FIIG is the explicit and standalone treatment of the gap between documented controls and actual implementation. While RI Advice touched on implementation failures (e.g. the failure to audit authorised representative compliance with cybersecurity standards), implementation failures were incidental to the broader finding that the overall system was inadequate. In FIIG however, ASIC went further: the s 912A(1)(h) contravention was specifically limited to FIIG's failure to implement controls it had already identified within its own risk management framework, producing a separate and distinct declaration on that basis. This confirms that having a policy or framework on paper is not sufficient - ASIC will look at whether identified controls have actually been operationalised.
FIIG shows a sustained ASIC focus
Cybersecurity has featured as a priority in ASIC's corporate plans since at least 2021 and was an explicit enforcement priority for 2025. Although it does not appear as a discrete priority in ASIC's published priorities for 2026, this is unlikely to indicate reduced focus. ASIC's 2026 Key Issues Outlook, published in January 2026, identifies cyber risk and operational resilience as one of ten systemic risks facing Australia's financial system, citing increased cyber incidents across sectors and the need for robust risk management, resilience testing and third-party vulnerability management.
Three enforcement actions have now been taken against AFS licensees for cybersecurity failures under s 912A: RI Advice (2022), FIIG (resolved February 2026), and proceedings commenced against Fortnum Private Wealth in July 2025, which remain ongoing. The Fortnum proceedings are also a reminder that ASIC's scrutiny is not limited to technical control failures: the allegations there concern governance frameworks, policies and oversight of authorised representatives.3
Generally, AFS licensees should expect that material cybersecurity incidents will be investigated and that prolonged or systemic failures will be met with civil penalty proceedings. As ASIC Deputy Chair Sarah Court stated in a press release following the FIIG orders: "ASIC expects financial services licensees to be on the front foot every day to protect their clients."
Practical takeaways for AFS licensees to manage cyber risk
- Conduct a comprehensive cyber risk assessment. AFS licensees should undertake a thorough assessment of cybersecurity risks tailored to their specific circumstances. It should consider the sensitivity of information held, the value of assets under control, the threat environment for their sector and the potential consequences of a cyber incident.
- 'Adequacy' is a constantly evolving standard, and may be higher for APRA-regulated entities. The specific measures identified in the FIIG judgment provide a useful reference point for assessing control adequacy. However, AFS licensees should not treat them as a checklist. What is 'adequate' is both context-specific and a constantly evolving standard, meaning that the measures that are sufficient today may no longer meet regulatory expectations in the future. Further, while the AFS licensee general obligations relating to resourcing and risk management generally do not apply to APRA-regulated entities, a higher standard could arguably be required by the specific requirements in Prudential Standard CPS 234 Information Security. An additional dimension also applies with respect to service providers under CPS 230 Operational Risk Management.
- Ensure adequate resourcing across all three areas. FIIG is a reminder that, in terms of cybersecurity, AFS licensees must allocate:
- sufficient financial resources for required technology and skilled personnel;
- appropriate technological resources to detect threats, prevent unauthorised access, and respond effectively; and
- adequate human resources with appropriate cybersecurity skills, clear responsibilities, and access to external expertise when needed.
- Close the gap between documentation and implementation. The FIIG case confirms that having policies is not enough. AFS licensees should verify that documented controls are actually implemented and properly configured, test controls regularly (not just after incidents), monitor compliance with policies, and promptly remediate identified gaps.
- Prepare for incidents and understand reporting obligations. AFS licensees should develop and test incident response plans, ensure key personnel know their roles, maintain relationships with external incident response providers, and understand notification obligations to regulators and affected individuals.
- Prioritise board and executive engagement. While FIIG did not include claims against individual directors or officers, ASIC has repeatedly emphasised that cybersecurity is a critical board responsibility. Boards and executives should receive regular reporting on cyber risks and control adequacy, challenge management on resource adequacy, oversee testing and assurance activities and ensure lessons are learned from incidents and near-misses.
- Invest in prevention. ASIC's message was clear: inadequate controls cost more in the long run than implementing adequate measures from the outset. Organisations should invest in prevention, not just response, address identified deficiencies promptly and treat cybersecurity as a business-critical operational issue, not just an IT problem.
Footnotes:
1 Australian Securities and Investments Commission v FIIG Securities Limited [2026] FCA 92 (ASIC v FIIG) [1]-[4].
2 ASIC v RI Advice Group Pty Ltd [2022] FCA 496 (RI Advice), [3]-[6].
3 ASIC v Fortnum Private Wealth, Originating Process and Concise Statement [1].
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.