

FIIG Fined: Federal Court orders $2.5M penalty for cyber security failures
DotSec · 2026-03-03

On 9 February 2026, the Federal Court ordered FIIG to pay $2.5 million in civil penalties, plus $500,000 towards ASIC’s legal costs. The Court also ordered FIIG to engage an independent cyber security expert at its own expense and implement a formal compliance programme.


What the Court found

Back in April 2025, we wrote about ASIC’s lawsuit against FIIG Securities.

Now, in February 2026, the Federal Court has imposed a A$2.5M penalty against FIIG for failing to maintain adequate cyber security measures. Justice Derrington declared that FIIG contravened section 912A of the Corporations Act between 13 March 2019 and 8 June 2023 across three distinct limbs:

  • failing to have adequate financial, technological and human resources (s912A(1)(d))
  • failing to have adequate risk management systems (s912A(1)(h)), and
  • failing to provide financial services efficiently, honestly and fairly (s912A(1)(a))

One aspect of the judgment worth noting: the Court was clear that the mere fact of a successful cyberattack does not automatically mean a licensee has failed its statutory obligations. As Justice Derrington observed in ASIC v FIIG Securities Limited [2026] FCA 92, it would be all but impossible to prevent every cyberattack. The finding against FIIG was based on documented under-investment over four years, not simply on the fact that an attacker got in.

A second point that deserves attention: FIIG had identified cyber security as a material risk in its own risk management framework and policies. The problem was that it failed to consistently implement, maintain and monitor the controls those policies required. As Herbert Smith Freehills Kramer noted, FIIG did not consistently give effect to the controls set out in its own information security policies and audit processes.

Having a policy and not following it is not a defence; in this case, it was part of the problem.

ASIC’s media release confirmed this is the first time the Federal Court has imposed civil penalties for cyber security failures under the general AFS licensee obligations. ASIC Deputy Chair Sarah Court stated: “This is the first time the Federal Court has imposed civil penalties for cyber security failures under the general AFS licensee obligations, setting a clear licence-to-operate expectation for robust cyber resilience.”

The numbers in context

The $2.5M penalty represents approximately 20% of FIIG’s net assets and 8% of its 2025 turnover. The maximum available penalty for the contraventions was $41.25 million. The Court acknowledged FIIG’s full cooperation and admission of liability in arriving at the lower figure.

According to MinterEllison, who acted for ASIC in the proceedings, implementing adequate cyber security controls over the relevant period would have cost approximately $1.2 million. FIIG’s own post-breach remediation costs came to nearly $1.5 million. Add the $2.5M penalty, $500K in legal costs, the independent expert programme, and ongoing compliance obligations, and the total cost is greater than $4 million, before counting the reputational damage and the impact on 18,000 clients whose passport details, tax file numbers, driver’s licences, Medicare cards and bank account information were accessed by the attackers.

As ASIC Deputy Chair Court put it: “In this case, the consequences far exceeded what it would have cost FIIG to implement adequate controls in the first place.”

The Court also noted explicitly that a penalty roughly twice the cost of compliance serves to validate the efforts of compliant businesses and send a warning to those that underinvest. That framing is deliberate.

The controls ASIC identified as missing (tested incident response plans, MFA, vulnerability scanning, patch management, privileged access management, security awareness training, and a properly configured SIEM with daily monitoring) are not exotic. They are foundational.

It often all starts with simple but effective phishing.

In many previous posts, we have suggested that it is better for a business to spend its own money on its own terms, managing risk proactively, than to have the costs and payment plan dictated by attackers and regulators. The FIIG outcome illustrates that point with considerable precision.

FIIG held approximately $3 billion in client assets under management during the period of non-compliance. It ran a penetration test once in four years. It stored passwords in plain files on the network. It had no MFA for remote access. When the ACSC notified FIIG of a potential intrusion on 2 June 2023, the company did not begin its own investigation for six days.

Where this sits in the enforcement landscape

This is ASIC’s second cyber security enforcement action. The first, against RI Advice in 2022, resulted in an order to pay $750,000 towards ASIC’s costs. The FIIG outcome is materially larger and represents the first civil penalty under the general licensee obligations, which means it applies well beyond the specific facts of this case.

ASIC has already filed civil proceedings against Fortnum Private Wealth Limited in July 2025 for similar failures, and cyber security and operational resilience feature explicitly in ASIC’s 2026 key issues outlook. This is not a trend that is going to reverse.

For APRA-regulated entities, the introduction of CPS 230 adds another layer of obligation on top of the Corporations Act section 912A framework that ASIC has been using. The message from regulators is consistent and increasingly concrete: cyber security is a licence condition, not a best-practice aspiration.

What this means for your organisation

Any organisation that holds sensitive client information and lacks basic controls is now operating in an environment where regulators have demonstrated their willingness to act, and their ability to secure meaningful penalties.

If your organisation holds an AFS licence, the FIIG outcome is a direct statement about your obligations under section 912A. But the underlying principle extends beyond AFS licensees.

The practical question is whether you have documented evidence that you have addressed the kinds of controls that were itemised in ASIC’s concise statement: tested incident response plans, MFA, patch management, vulnerability scanning, privileged access controls, security awareness training, and a monitored SIEM.

If you have that evidence, you are in a materially better position than FIIG was. If you are not sure, then now’s the time to find out!

There is money to be saved!

The controls the Court found absent at FIIG are foundational to any mature cyber security programme, and they are precisely the controls dotSec has been helping Australian organisations implement for over 25 years.

We can help you assess where you stand, identify the gaps, and build the documented evidence your obligations now require. That includes penetration testing, GRC and accreditation, managed SOC, SIEM and EDR, and the system hardening and identity and access management work the Court found was missing at FIIG.

Now is a good time to get on the front foot! It is better (more manageable and less expensive) to spend your own money on your own terms and to manage risk proactively, than it is to have the costs and payment plan set by attackers and the Federal Court.

Let us help ›