The landmark ruling in ASIC v FIIG shows the courts are now willing to impose civil penalties for cyber security failures under AFSL obligations. The decision sets a new benchmark for licence holders and puts the entire financial sector on notice: failing to maintain adequate cyber security, with people, processes, and technology integrated in a coordinated framework, carries significant legal and financial consequences.
On 13 February, the Federal Court’s decision to impose $2.5 million in penalties on FIIG Securities Limited marked a turning point for Australian financial services licensees and for the Australian regulatory landscape in general. For the first time, the Court has imposed civil penalties specifically for cyber security failures under general AFSL obligations, reshaping what it means to hold an Australian Financial Services Licence in the market today.
The decision reinforces that protecting client data and maintaining trust in financial systems are core obligations for licensees and highlights the growing importance of robust cyber capability in safeguarding market confidence and consumer outcomes.
The regulatory landscape has shifted
The case: The Australian Securities and Investments Commission v FIIG Securities Limited [2026] FCA 92
The Australian Securities and Investments Commission (ASIC) brought the case against FIIG Securities Limited for failing to meet obligations under the Corporations Act 2001 (Cth) due to inadequate cyber security measures.
These failures included basic security hygiene issues: absence of multi-factor authentication for remote access, inadequate password controls, improperly configured firewalls, and failure to maintain software patches addressing known vulnerabilities.
In addition to the lack of key technical controls, FIIG did not provide mandatory cyber security awareness training for employees, did not conduct regular penetration testing, and did not have qualified personnel monitoring security alerts.
FIIG admitted that implementing adequate cyber security measures would have enabled earlier detection and response to the breach, potentially preventing the download of confidential client data affecting some 18,000 clients.
The Court found FIIG’s failures represented systemic deficiencies across multiple areas of cyber security over an extended period from 13 March 2019 to 8 June 2023.
ASIC’s successful prosecution of FIIG Securities reflects the evolving nature of the regulator’s approach to cyber security failures. The Court’s declaration that FIIG breached sections of the Corporations Act 2001 demonstrates how existing licensee obligations clearly extend to cyber security capabilities. These are not new obligations, but the Court’s willingness to apply them rigorously to cyber security failures marks a significant enforcement shift.
This evolution reflects growing regulatory expectations globally, supported by enforcement action that demonstrates serious consequences for those who fail to meet reasonable standards.
The long tail of breach costs: financial and reputational impact
The $2.5 million penalty imposed on FIIG should be considered in the context of the overall financial impact. Beyond the penalty itself, FIIG was ordered to pay $500,000 in ASIC’s costs and to implement a compliance program that included an independent expert to review and improve its cyber security systems. These expenses are in addition to immediate breach response costs.
These regulatory consequences emerged approximately 32 months after the initial breach was detected in June 2023, with court orders issued in February 2026. This timeline illustrates a crucial point: the financial consequences of inadequate cyber security can materialise long after the immediate crisis has passed. Boards and executives who believe they have weathered the storm following initial breach response may face a second wave of financial impact through regulatory action. In the aftermath of a breach, regulatory penalties are hard to quantify, but the FIIG case shows they can dwarf initial response costs.
Perfection is not the standard
Notably, the Court observed that the mere fact of a successful cyber-attack does not necessarily indicate regulatory failure, as it is “all but impossible to prevent every cyber-attack” in the current threat environment.
This acknowledgement is not an excuse for complacency. Rather, it redefines what counts as defensible cyber security. The Court endorsed ASIC’s position, which does not seek to impose an unattainable level of cyber security. The regulatory expectation is that entities subject to the Act’s obligations have adequate cyber security systems in place that prevent attacks where possible, detect intrusions when they occur, and respond effectively to minimise the consequences.
People, processes, and technology working together
The FIIG case illustrates that adequate cyber security requires the integration of people, processes, and technology in a coordinated framework. FIIG’s failures spanned all three domains: it lacked personnel with sufficient skills and time dedicated to security monitoring; its processes existed on paper but were not implemented in practice; and its technological controls were misconfigured, unpatched, or absent entirely. Boards of regulated entities must appreciate that investment in technology alone is insufficient.
The Court’s reasoning implies that adequate cyber security is an ongoing requirement rather than a static end goal. The threat landscape is constantly evolving as hostile actors develop new techniques to exploit existing gaps in organisational defences.
Access to current intelligence on who is targeting financial services organisations, and on the tactics they use, enables organisations to take proactive measures that reduce the likelihood of those attacks succeeding.
The focus is not only on assessing the external environment, but also on continuously assessing the capability of internal resources to ensure that people and processes are up to date, and incident response plans are tested and updated on a regular basis.
Why this matters for the financial services and superannuation sectors
Cyber security breaches not only expose sensitive information, disrupt business operations, and erode trust in financial institutions, but can also have serious long-term financial consequences. The FIIG case also demonstrates the dynamic nature of the threat environment: while regulators and courts recognise the complexities of operating in such an environment, they have little patience for organisations that fail to keep up with the evolving threat landscape. It also emphasises the importance of industry-wide capability development, collaborative learning, and coordinated responses to increasingly sophisticated cyber and financial crime threats.
All industries, including superannuation, are at risk from increasingly sophisticated cyber threats and scammers. Collaboration is globally recognised as an important tool to enhance resilience and strengthen organisations’ individual defences.
In response to this growing threat, the super sector is developing the SC3 Framework, a collaboration initiative to protect super fund members from cyber threats, fraud, and scams. Driven by the super sector and coordinated by the sector’s peak body, ASFA, the SC3 Framework will enhance resilience through sharing threat intelligence and working together to keep members’ retirement savings and data safe. The SC3 Framework includes the development of the Super Sector Response Playbook, which will act as a guiding document for how the superannuation sector will coordinate and communicate during a significant cyber security incident. This is supported by regular super sector response exercises designed to test the playbook, allowing the sector to practise its coordinated response to a significant cyber incident, stress-test processes, analyse outcomes, and strengthen and improve system-wide readiness.
For more information, please contact membership@superannuation.asn.au