

FIIG Fined: Federal Court orders $2.5M penalty for cyber security failures
DotSec · 2026-03-03 · via Government

On 9 February 2026, the Federal Court ordered FIIG to pay $2.5 million in civil penalties, plus $500,000 towards ASIC’s legal costs. The Court also ordered FIIG to engage an independent cyber security expert at its own expense and implement a formal compliance programme.


What the Court found

Back in April 2025, we wrote about ASIC’s lawsuit against FIIG Securities.

Now, in February 2026, the Federal Court has imposed a A$2.5M penalty against FIIG for failing to maintain adequate cyber security measures. Justice Derrington declared that FIIG contravened section 912A of the Corporations Act between 13 March 2019 and 8 June 2023 across three distinct limbs:

  • failing to have adequate financial, technological and human resources (s912A(1)(d))
  • failing to have adequate risk management systems (s912A(1)(h)), and
  • failing to provide financial services efficiently, honestly and fairly (s912A(1)(a))

One aspect of the judgment worth noting: the Court was clear that the mere fact of a successful cyberattack does not automatically mean a licensee has failed its statutory obligations. As Justice Derrington observed in ASIC v FIIG Securities Limited [2026] FCA 92, it would be all but impossible to prevent every cyberattack. The finding against FIIG was based on documented underinvestment over four years, not simply on the fact that an attacker got in.

A second point that deserves attention: FIIG had identified cyber security as a material risk in its own risk management framework and policies. The problem was that it failed to consistently implement, maintain and monitor the controls those policies required. As Herbert Smith Freehills Kramer noted, FIIG did not consistently give effect to the controls set out in its own information security policies and audit processes.

Having a policy and not following it is not a defence; in this case, it was part of the problem.

ASIC’s media release confirmed this is the first time the Federal Court has imposed civil penalties for cyber security failures under the general AFS licensee obligations. ASIC Deputy Chair Sarah Court stated: “This is the first time the Federal Court has imposed civil penalties for cyber security failures under the general AFS licensee obligations, setting a clear licence-to-operate expectation for robust cyber resilience.”

The numbers in context

The $2.5M penalty represents approximately 20% of FIIG’s net assets and 8% of its 2025 turnover. The maximum available penalty for the contraventions was $41.25 million. The Court acknowledged FIIG’s full cooperation and admission of liability in arriving at the lower figure.

According to MinterEllison, who acted for ASIC in the proceedings, implementing adequate cyber security controls over the relevant period would have cost approximately $1.2 million. FIIG’s own post-breach remediation costs came to nearly $1.5 million. Add the $2.5M penalty, $500K in legal costs, the independent expert programme, and ongoing compliance obligations, and the total cost is greater than $4 million, before counting the reputational damage and the impact on 18,000 clients whose passport details, tax file numbers, driver’s licences, Medicare cards and bank account information were accessed by the attackers.

As ASIC Deputy Chair Court put it: “In this case, the consequences far exceeded what it would have cost FIIG to implement adequate controls in the first place.”

The Court also noted explicitly that a penalty roughly twice the cost of compliance serves to validate the efforts of compliant businesses and send a warning to those that underinvest. That framing is deliberate.

The controls ASIC identified as missing (tested incident response plans, MFA, vulnerability scanning, patch management, privileged access management, security awareness training, and a properly configured SIEM with daily monitoring) are not exotic. They are foundational.

It often all starts with simple but effective phishing.

In many previous posts, we have suggested that it is better for a business to spend its own money on its own terms, managing risk proactively, than to have the costs and payment plan dictated by attackers and regulators. The FIIG outcome illustrates that point with considerable precision.

FIIG held approximately $3 billion in client assets under management during the period of non-compliance. It ran a penetration test once in four years. It stored passwords in plain files on the network. It had no MFA for remote access. When the ACSC notified FIIG of a potential intrusion on 2 June 2023, the company did not begin its own investigation for six days.

Where this sits in the enforcement landscape

This is ASIC’s second cyber security enforcement action. The first, against RI Advice in 2022, resulted in an order to pay $750,000 towards ASIC’s costs. The FIIG outcome is materially larger and represents the first civil penalty under the general licensee obligations, which means it applies well beyond the specific facts of this case.

ASIC has already filed civil proceedings against Fortnum Private Wealth Limited in July 2025 for similar failures, and cyber security and operational resilience feature explicitly in ASIC’s 2026 key issues outlook. This is not a trend that is going to reverse.

For APRA-regulated entities, the introduction of CPS 230 adds another layer of obligation on top of the Corporations Act section 912A framework that ASIC has been using. The message from regulators is consistent and increasingly concrete: cyber security is a licence condition, not a best-practice aspiration.

What this means for your organisation

Any organisation that holds sensitive client information and lacks basic controls is now operating in an environment where regulators have demonstrated their willingness to act, and their ability to secure meaningful penalties.

If your organisation holds an AFS licence, the FIIG outcome is a direct statement about your obligations under section 912A. But the underlying principle extends beyond AFS licensees.

The practical question is whether you have documented evidence that you have addressed the kinds of controls that were itemised in ASIC’s concise statement: tested incident response plans, MFA, patch management, vulnerability scanning, privileged access controls, security awareness training, and a monitored SIEM.

If you have that evidence, you are in a materially better position than FIIG was. If you are not sure, then now’s the time to find out!

There is money to be saved!

The controls the Court found absent at FIIG are foundational to any mature cyber security programme, and they are precisely the controls dotSec has been helping Australian organisations implement for over 25 years.

We can help you assess where you stand, identify the gaps, and build the documented evidence your obligations now require. That includes penetration testing, GRC and accreditation, managed SOC, SIEM and EDR, and the system hardening and identity and access management work the Court found was missing at FIIG.

Now is a good time to get on the front foot! It is better (more manageable and less expensive) to spend your own money on your own terms and to manage risk proactively, than it is to have the costs and payment plan set by attackers and the Federal Court.

Let us help ›