
Lessons learned from ASIC's enforcement action against FIIG

By Valeska Bloch, David Rountree, Isabelle Guyot, Elizabeth Brown, Jessica Nimmo

Civil penalties for cyber security failures

For the first time, the Federal Court has successfully imposed civil penalties for cybersecurity failures under the general Australian Financial Services Licence obligations.

Proceedings commenced by ASIC against FIIG Securities Limited (FIIG) for its failure to protect itself and its clients from cybersecurity risks have now been finalised (Australian Securities and Investments Commission v FIIG Securities Limited [2026] FCA 92). FIIG admitted to:

  • failing to provide financial services efficiently, honestly and fairly;
  • failing to have adequate resources (financial, technological and human) to ensure appropriate cybersecurity measures and comply with its legal obligations; and
  • failing to have adequate risk management systems;

in contravention of sections 912A(1)(a), (d), and (h), and 912A(5A) of the Corporations Act 2001 (Cth).

ASIC's enforcement action against FIIG is consistent with its current enforcement priorities, namely, to ensure licensees have in place adequate cybersecurity protections. ASIC Chair Joe Longo has also emphasised the importance of 'proactively and regularly' checking the adequacy of cybersecurity measures and following the advice of the Australian Signals Directorate's Australian Cyber Security Centre (ACSC). His Honour Justice Derrington, in his written reasons, noted that the 'mere fact of a successful cyberattack on an entity's information technology systems does not necessarily indicate that the entity had failed to meet the statutory obligations'.

Background

FIIG holds an Australian Financial Services Licence (AFSL) and specialises in fixed-income products and services. It collects and maintains personal information of clients (including government identifiers and other sensitive information) and held significant value in assets on their behalf.

In May 2023, FIIG was subject to a cyber intrusion in which approximately 385GB of data was stolen, affecting around 18,000 customers. FIIG became aware its systems may have been compromised on 2 June 2023 when alerted by the ACSC, but did not properly investigate the compromise until 8 June 2023, nearly three weeks after the incident occurred.

ASIC's claim was that, due to the nature of FIIG's business and the data it held, FIIG was at 'real risk' of cyber intrusion, which could lead to data breaches, financial loss and an inability to access data, provide services or operate its network or systems. 

ASIC had alleged, and FIIG agreed, that FIIG failed to have adequate cybersecurity measures in place and failed to implement the controls identified in its risk management system to mitigate cybersecurity risks.

On 9 February 2026, the Federal Court granted consent orders applied for by the parties with respect to FIIG's admissions and made orders in respect of FIIG's penalty.


Takeaways

ASIC's evolving approach

This was the second time ASIC has taken enforcement action for failures to have adequate cybersecurity systems in place—the first being in relation to RI Advice in August 2020. Following commencement of the FIIG enforcement action, ASIC has since also commenced proceedings against Fortnum Private Wealth.

The outcome in the FIIG proceedings demonstrates ASIC's evolving and increasingly prescriptive approach to cyber risk management. In particular, ASIC's articulation of expected technical security measures in the FIIG matter was significantly more detailed than for 'adequate cybersecurity documentation and controls' presented in the earlier RI Advice proceedings. Whilst director compliance in relation to cybersecurity remains a priority for ASIC, no proceedings were commenced against FIIG directors or other officers.

Cybersecurity measures

The cybersecurity measures ASIC suggests, and which FIIG ultimately agreed, should have been implemented are consistent with many of those identified by the Office of the Australian Information Commissioner in its recent determination made against Vinomofo, its successful civil penalty proceedings brought against Australian Clinical Labs and the ongoing civil penalty proceedings against Medibank, as well as in class action proceedings brought against Optus and Medibank.

The adequacy of the cybersecurity measures and controls was informed by:

  • the nature of FIIG's business (including its size and resources)
  • the personal information held
  • the value of funds under advice and the assets held by it on behalf of clients
  • the magnitude and potential consequence of the cybersecurity risks
  • FIIG's contractual obligations to its clients.

Examples of FIIG's inadequate cybersecurity measures and controls include:

  • failing to implement adequate cybersecurity measures such as strong passwords and access controls for privileged accounts, multi-factor authentication for remote access users, regular penetration testing and vulnerability scanning and appropriate configuration of firewalls and security software.
  • failing to have an appropriate cyber incident response plan that was tested at least annually.
  • failing to deliver mandatory cybersecurity awareness training to staff.
  • failing to allocate the necessary financial resources to ensure suitably qualified and experienced people were available and implement adequate technological resources to manage cybersecurity.
  • failing to have qualified IT personnel monitor threat alerts to identify and respond to cyber attacks.
  • failing to implement a structured plan that would ensure key software systems were updated to address known security vulnerabilities.

A comparison of the security measures that class action plaintiffs and regulators have alleged are required in these proceedings, as at 19 March 2025, is available here.

Timeliness of detection and response

The fact FIIG was alerted to the issue by the ACSC (ie it was not detected internally) was likely compounded by the six-day delay between the ACSC's alert (2 June 2023) and FIIG's investigation of the potential malicious activity (8 June 2023).

ASIC and FIIG agreed that if FIIG had had adequate cybersecurity measures in place, it would have detected suspicious activity well before the ACSC notification, implemented its cyber incident response plan on or shortly after the incident occurred, identified the presence of the threat actor within its system promptly following identification of the incident, and prevented some or all of the client information from being downloaded from FIIG’s servers by the threat actor.

FIIG ultimately agreed with ASIC's allegations that it should have had in place the following 'Adequate Cybersecurity Measures':

  • vulnerability scanning tooling and processes to identify vulnerabilities at a regular cadence, and then ensure the results were reviewed and appropriate action taken in response to any vulnerabilities identified.
  • regular penetration testing for business-critical applications at least annually.
  • firewalls configured with appropriate rules regarding connectivity.
  • appropriate Active Directory configurations to disable certain protocols.
  • endpoint detection and response software that was monitored on a daily basis by a person with sufficient skills, training and experience to identify and respond to any unusual network activity.
  • a patching and software management plan to manage patching processes and apply patches and update software regularly (depending on the nature of the vulnerability to be rectified), and apply compensating controls for operating systems that could not be patched or updated.
  • multi-factor authentication for remote user access.
  • a practice of monitoring threat alerts and ensuring such monitoring was undertaken by appropriately skilled and experienced personnel.
  • implementing annual cybersecurity awareness training addressing FIIG's key cybersecurity risks and expectations of personnel.
  • a process to review and evaluate its technical cyber controls and broader cyber resilience.
  • a cyber incident response plan that addressed: (i) the action to be taken, key roles and responsibilities of FIIG personnel, and regulatory notification requirements, in the event of a cybersecurity event; (ii) incident detection and analysis; and (iii) incident response (containment, eradication and recovery).

Failure of risk management systems

FIIG's risk management systems were inadequate because they failed to implement and maintain the relevant 'adequate' cybersecurity measures. Although FIIG had a documented risk management framework, including an IT Information Security Policy and a Cyber Information Security Policy, it failed to comply with its policies and procedures. Regulators have repeatedly emphasised the importance of ensuring the operating effectiveness of risk management systems (ie that they are adhered to, and that compliance is monitored and enforced), in addition to design effectiveness. This should also be supported by regular training on, and testing of, such systems and processes.

Adequacy of human resources

ASIC expects that:

  • AFSL holders and credit licensees employ or outsource to people with the skills, knowledge and experience in cyber security to ensure adequate cybersecurity measures are implemented, commensurate to the risk of the relevant business; 
  • one or more persons will be assigned the responsibility for doing so; and 
  • that those responsible are given sufficient time to properly discharge their responsibility.

In FIIG's case, it was accepted that FIIG over-relied on its Chief Operating Officer (who was not an IT, or IT security, expert, and for whom IT and IT security were one of several responsibility and oversight areas) and IT infrastructure team (which had general IT expertise, but limited IT security experience), and doing so contributed to the inadequacy of FIIG's cybersecurity arrangements.

Regularity of activities

ASIC's concise statement and the Statement of Agreed Facts are instructive as to the regularity with which ASIC expects organisations (particularly those in circumstances similar to FIIG) to implement and operate certain technical cybersecurity controls on an ongoing basis. Notably, there were changes to some of these activities from the concise statement to the Statement of Agreed Facts, which we have identified in the table below.

Testing of cyber incident response plan
  • Concise statement: annually.
  • Statement of Agreed Facts: annually.

Monitoring of Endpoint Detection and Response (EDR) software
  • Concise statement: daily.
  • Statement of Agreed Facts: daily.

Application of patches and software updates
  • Concise statement: within one month of release of the patch or update for critical or high importance patches; within three months of release for all other patches; otherwise, implement compensating controls where a patch or update cannot be deployed.
  • Statement of Agreed Facts: no later than 30 days after release of the patch for critical or high importance patches; no later than 90 days after release of the patch or update for medium importance patches; no later than 12 months for all other patches.

Storage of logs
  • Concise statement: online for at least 90 days; in an electronic archive for at least 12 months.
  • Statement of Agreed Facts: storage of logs not identified as an adequate security measure.

Mandatory security awareness training
  • Concise statement: at onboarding, and then annually.
  • Statement of Agreed Facts: upon starting, and then annually.

Review and evaluation of effectiveness of technical cybersecurity controls
  • Concise statement: quarterly.
  • Statement of Agreed Facts: quarterly for EDR configuration and rules; annually for all other controls.

Review and evaluation of cyber resilience across the organisation
  • Concise statement: general cyber resilience not identified as a missing cybersecurity measure.
  • Statement of Agreed Facts: annually.
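The patching timeframes in the table above lend themselves to a mechanical compliance check. The following is an added example, not code from this article or from FIIG or ASIC: it encodes both schedules as day counts (calendar months approximated as 30, 90 and 365 days, an assumption), runs them over a constructed patch inventory with hypothetical system names, and classifies each patch as compliant, late, overdue or covered by a compensating control.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Timeframes from the table, as days after release. Calendar periods are
# approximated as fixed day counts (assumption): 1 month=30, 3 months=90, 12 months=365.
CONCISE_STATEMENT_SLA = {"critical": 30, "high": 30, "medium": 90, "low": 90}
AGREED_FACTS_SLA = {"critical": 30, "high": 30, "medium": 90, "low": 365}

@dataclass
class Patch:
    system: str
    severity: str                       # critical / high / medium / low
    released: date
    applied: Optional[date] = None      # None means not yet applied
    compensating_control: str = ""      # documented control if it cannot be patched

def patch_status(p: Patch, sla: Dict[str, int], as_at: date) -> str:
    """Classify one patch against a schedule as at a given review date."""
    deadline = p.released + timedelta(days=sla[p.severity])
    if p.applied is not None:
        return "compliant" if p.applied <= deadline else "late"
    if p.compensating_control:
        return "compensating-control"   # unpatched but covered, as the measures allow
    return "compliant" if as_at <= deadline else "overdue"

def summary(patches: List[Patch], sla: Dict[str, int], as_at: date) -> Dict[str, int]:
    """Count patches per status; 'overdue' and 'late' are the findings to act on."""
    counts: Dict[str, int] = {}
    for p in patches:
        status = patch_status(p, sla, as_at)
        counts[status] = counts.get(status, 0) + 1
    return counts

# Constructed sample inventory (hypothetical systems, not FIIG's), reviewed as at 8 June 2023.
AS_AT = date(2023, 6, 8)
INVENTORY = [
    Patch("vpn-gateway", "critical", date(2023, 3, 1)),
    Patch("reporting-server", "low", date(2023, 2, 1)),
    Patch("legacy-db-host", "high", date(2023, 1, 10),
          compensating_control="network segmentation"),
    Patch("workstation-fleet", "critical", date(2023, 5, 1), applied=date(2023, 5, 20)),
    Patch("mail-server", "high", date(2023, 4, 1), applied=date(2023, 5, 15)),
]

if __name__ == "__main__":
    print("concise statement:", summary(INVENTORY, CONCISE_STATEMENT_SLA, AS_AT))
    print("agreed facts:", summary(INVENTORY, AGREED_FACTS_SLA, AS_AT))
```

The low-severity "reporting-server" patch is compliant under the Statement of Agreed Facts (12 months) but overdue under the concise statement (three months), which is exactly the change the table records.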

Declarations and orders

On 9 February 2026, the Federal Court of Australia made consent orders ordering FIIG to:

  1. pay a pecuniary penalty of $2.5 million;
  2. pay $500,000 towards ASIC's costs; and
  3. engage an independent expert to identify further compliance uplift steps, develop a compliance program and then report on the implementation of that program.

During the penalty hearing, his Honour Justice Derrington commented that in the case of a cyber incident, the potential impact of the publication of personal information on the dark web, and the potential subsequent loss for the individuals affected, were very difficult to quantify (given that the potential future uses of the exposed information are so unknown). However, the court was ultimately persuaded that the penalty sought by way of consent orders was appropriate, due to:

  • the co-operation of FIIG in resolving the proceedings;
  • the fact that the known losses from the breach were sustained by FIIG itself, rather than others; and
  • the cost and time that would be required for a trial (both in respect of the court's time and the time and cost required to prepare technical expert witnesses and legal advisors etc).