ASIC cyber enforcement outcome against FIIG — what the February 2026 penalty means in practice

Contacts

Jonathon Ellis

Partner
Australia

I am an experienced litigation and investigations lawyer based in Sydney, leading Bird & Bird's Australian disputes and investigations practice and co-leading our global Defence and Security practice.

Jonathan Tay

Senior Associate
Australia

I am a senior associate in the Dispute Resolution team in Sydney. I provide succinct, solutions orientated advice to help our clients solve complex problems, mitigate future risks and develop strategies to simplify their decision-making process.

Mia Herrman

Associate
Australia

I am an associate in our Tech Transactions team in Sydney, specialising in technology, cybersecurity and privacy advisory work.

In February 2026, the Federal Court ordered FIIG Securities Limited (FIIG) to pay $2.5 million in civil penalties (plus $500,000 in costs) following ASIC proceedings over prolonged cyber security failures at FIIG. The orders follow ASIC’s earlier civil action in which the Court found that, over a four-year period, FIIG had failed to meet core Australian Financial Services Licence (AFSL) obligations under the Corporations Act 2001 (Cth) — including the obligations to:

  • provide financial services efficiently, honestly and fairly — section 912A(1)(a);
  • have adequate resources (financial, technological and human) — section 912A(1)(d); and
  • maintain adequate risk management systems — sections 912A(1)(h) and 912A(5A).

The case arose from a 2023 cyber intrusion in which approximately 385GB of data was stolen from FIIG’s systems, affecting around 18,000 customers, with highly sensitive personal information later appearing on the dark web. ASIC alleged FIIG was at real and foreseeable risk of intrusion given the nature of its business and the volume and sensitivity of client data it held — yet failed to implement and operationalise adequate controls. FIIG admitted contraventions, and the Court also ordered an independent expert-led cyber compliance uplift program.

This is the first time civil penalties have been imposed for cyber security failures as a result of action by the Australian corporate regulator in relation to the general AFSL obligations. It materially raises the stakes for AFSL holders and confirms that ASIC’s expectations are now more prescriptive and technical than in its earlier cyber enforcement.

What regulators are focusing on now

The FIIG outcome shows ASIC is no longer framing cyber issues at a high level. Its case set out detailed expectations around technical controls, detection capability, resourcing and control regularity — similar to positions taken by other regulators and class action plaintiffs in major breach cases.

Key themes included:

  • Failure to implement controls already identified in internal policies — risk frameworks existed, but were not followed in practice.
  • Detection and response gaps — ASIC pointed to the fact that the intrusion was identified externally (via the ACSC) and that the investigation and response were delayed.
  • Human resourcing weaknesses — over-reliance on staff with split operational roles rather than dedicated cyber capability.
  • Control effectiveness, not just control design — regulators are testing whether controls operate, are monitored, and are enforced.

ASIC also pointed to expected control rhythms and operational cadence — for example, daily monitoring of endpoint detection tools, annual incident response testing, quarterly control reviews, defined patching timeframes, and recurring staff training.

Practical implications for organisations

For AFSL holders and other regulated entities, the practical lesson is that cyber resilience must now be demonstrably embedded into licence compliance and governance frameworks. Organisations should assume regulators will test not just whether controls exist — but whether they are:

  • proportionate to data sensitivity and business risk;
  • properly resourced and owned;
  • consistently implemented;
  • regularly tested and reviewed;
  • supported by skilled personnel; and
  • actively overseen by management and boards.

A useful immediate step is a regulator-defensibility review — mapping your cyber control environment and resourcing against licence obligations and enforcement expectations, not just against technical standards. In enforcement, the critical question is not whether your framework aligns with a standard — but whether it would stand up under forensic regulatory scrutiny.

Our expert team advises on AFSL cyber compliance exposure, governance uplift and regulator-ready control assurance. If you would like a practical assessment of your position in light of this decision, please get in touch.
