In the first decision of its kind in Australia, the Federal Court of Australia has imposed a civil penalty of A$ 2.5m (US$ 1.77m), and awarded costs of A$ 500k (US$ 350k), against an Australian financial services licence holder due to serious and sustained cybersecurity failings.
The decision in Australian Securities and Investments Commission v FIIG Securities Limited [2026] clarifies the standard of adequacy expected of financial service licensees and confirms that serious deficiencies can attract significant penalties. The decision builds on the 2022 Federal Court case of ASIC v RI Advice Group Pty Ltd [2022], which we previously discussed.
This case arose from a major cyberattack suffered by the defendant, a financial adviser, in May 2023. The attack involved the unauthorised exfiltration of approximately 385GB of sensitive information regarding FIIG’s clients, some of which later appeared on the dark web.
The court’s interpretation of “adequate” cybersecurity
Under the Corporations Act 2001 (Cth) (the Act), financial services licence holders – which include insurers, banks and financial advisers – are subject to a set of ‘core obligations’, which include obligations to have adequate technological resources and adequate risk management systems to provide the financial services covered by their licence. While the Act does not mention cybersecurity specifically, the Australian Securities and Investments Commission has long taken the view that these core obligations imply an obligation for licence holders to have adequate cybersecurity and cyber risk management.
The Federal Court confirmed that the core obligations under the Act include an obligation for licence holders to have adequate cybersecurity and cyber risk management. The court emphasised that “adequate” cybersecurity and cyber risk management does not require perfection or immunity from attack. Rather, it requires systems, governance and resourcing that are proportionate to the risks faced by the licensee.
The court found that FIIG did not have adequate cybersecurity and cyber risk management measures in place. The court made clear that this finding was not based on the mere fact that FIIG had suffered an attack. Rather, it found that:
- FIIG had consistently underinvested in cybersecurity despite known risks, the sensitivity of the client information it held, and the scale of funds under advice; and
- FIIG’s cyber risk management measures had systemic deficiencies, including the absence of a tested cyber incident response plan, inadequate access controls, failure to remediate known vulnerabilities, insufficient monitoring of security alerts, and inadequate staff training.
Cybersecurity governance lessons for financial services firms
The decision makes clear that merely having risk management measures in place will not be adequate if those measures are under-resourced, poorly implemented, outdated or inadequately monitored. “Adequate” means practical sufficiency over time — active implementation, testing, resourcing and oversight.
The decision reinforces a clear governance lesson: cybersecurity is no longer a technical back-office issue, but a core enterprise risk that demands sustained investment, active oversight and demonstrable operational resilience.