Legal development

How Australia's ASIC v FIIG decision supports your cyber investment business case


    What you need to know

    • First AFSL cyber penalty: FIIG's $2.5 million penalty is the first cyber security penalty under general financial services licence obligations.
    • The price of deterrence, not a cost of doing business: The penalty sends a strong message of deterrence – set at over twice the cost of adequate cyber investment.
    • Cyber resourcing in the spotlight: The FIIG decision went further than the earlier RI Advice decision by examining whether cyber security was adequately resourced. Organisations unable to demonstrate appropriate and defensible resourcing will be easy targets for prosecution.
    • Focus at the top - not set and forget: ASIC sought more specific orders for FIIG's compliance uplift program than in the previous RI Advice decision, including CEO sign-off on remediation measures.
    • Tech-neutral laws used for high-tech issues: ASIC's cyber security prosecutions apply general financial services laws, not specific cyber security obligations. Expect regulators to approach other high-tech challenges (like AI harms) in a similar way.

    What you need to do

    • Bolster your cyber business case: Adequate investment in cyber security costs less in the end. To drive the right behaviours, the penalty was more than double what adequate cyber security investment would have cost – not to mention recovery and remediation costs, business interruption, and other costs. Factor the consequences of under-investment into your business case.
    • Capabilities, not just spend: Any business case for cyber investment must focus on improving and uplifting capability – combining experienced cyber security staff or contractors with technical solutions. It must focus on driving down cyber risk. Without adequate investment in experienced cyber capability, investment in technical controls will not deliver results. FIIG had purchased licences for tools, but those tools had not been updated or ‘tuned’ to meet FIIG's specific cyber risk.
    • Get governance right, and the rest will follow: It is tempting to see the FIIG decision as a checklist of technical issues to address in your organisation. But these issues are symptoms, not root causes. Focus on the cyber governance arrangements that will identify and address these and other gaps proactively – a governance framework that responds dynamically, in real time, to your threat environment and risk profile. Good security posture is not a compliance tick-box exercise.
    • Use the right technical tools – and make sure they work properly: Experienced staff must implement and regularly monitor processes and controls in your risk management system. Plans and risk assessments will almost certainly result in avoidable cyber breaches if not properly actioned.
    • Documented and defensible resourcing: Demonstrate that appropriate financial, technological, and human resources are allocated to cyber security. Boards and management should have visibility of and scrutinise budget allocation, capabilities, maturity levels, and gap analysis.
    • Build cyber governance awareness in directors and management: Ensure senior management and boards have an active role in curiously and critically challenging your cyber security posture on an informed basis.

    A clear expectation for robust cyber resilience

    FIIG's $2.5m fine is the first court-imposed civil penalty for cyber security under general financial services licence obligations.

    According to ASIC Deputy Chair Sarah Court, the decision represents the most significant milestone in ASIC’s cyber security enforcement since RI Advice, establishing a "clear licence-to-operate expectation for robust cyber resilience."

    Why the FIIG decision matters

    1. First AFSL cyber penalty – with a calculated deterrence value.
    2. First decision on adequate cyber security resources – insufficient cyber investment is an easy target for regulators.
    3. Decision drives focus at the top – with the CEO to sign off on cyber uplift.
    4. Tech-neutral laws used for high-tech challenges – expect the same for AI harms.

    1. First AFSL cyber penalty – with deterrence the paramount consideration

    FIIG's $2.5 million penalty was more than double the estimated $1.2 million cost of compliant cyber security measures. The Federal Court sent a clear message that underinvestment in cyber security will cost far more than appropriate investment.

    Post-incident remediation costs were approximately $1.5m – again, well below the penalty amount.

    The Court considered the penalty an appropriate "sting" for FIIG: $2.5m amounted to 20% of FIIG's net assets and around 8% of turnover – far more than merely a cost of doing business.

    The Court also ordered FIIG to pay $500,000 towards ASIC's costs.

    FIIG was not penalised for suffering a cyber attack – it would be "all but impossible to prevent every cyber attack." Organisations aren't expected to reduce cyber security risk to zero – but risk must be materially reduced to an acceptable level.

    We unpack the penalty further below.

    2. First decision on adequate cyber resources

    The FIIG Securities decision reinforces the previous RI Advice decision – that failing to ensure adequate cyber security measures are in place can breach the obligation to do all things necessary to provide financial services efficiently and honestly, and that cyber security is an essential part of adequate risk management systems (breaching s 912A(1)(a) and (h) of the Corporations Act).

    In FIIG Securities, and in the yet-to-be-determined ASIC v Fortnum action, ASIC sought an additional contravention – that insufficient investment in cyber security (including financial, technological, and dedicated employed personnel with necessary skills) is itself a failure to provide adequate resources to provide financial services (breaching s 912A(1)(d) of the Corporations Act). Personnel numbers and budgets are becoming a simple proxy for adequate cyber security investment in both ASIC and OAIC actions.

    What are "adequate" cyber security measures?

    ASIC and FIIG agreed on specific factors that informed what standards should be expected of FIIG:

    • the nature of its business (including size and resources),
    • the personal client information it held,
    • the value of assets under its control,
    • the magnitude and potential consequences of the cyber security risks, and
    • FIIG's contractual obligations to its clients.

    While different factors might apply in other situations, we can expect considerations to be broadly similar – the OAIC considers similar factors when assessing data breach incidents. With the consumer protection focus of many regulators, we may see customer promises becoming increasingly relevant.

    3. Focus at the top – with the CEO to sign off on cyber uplift

    While an order for an external cyber security review was also made in the RI Advice decision, the compliance program ordered in FIIG Securities was more prescriptive.

    At its conclusion, FIIG's CEO will be required to personally attest that they have read and understood reports and are satisfied with FIIG's remedial actions.

    Using attestations to drive accountability in senior management and boards (and, in the case of boards, to trigger directors' duties) is a hallmark of critical infrastructure regulation in Australia.

    ASIC has emphasised for several years the importance of boards actively engaging on cyber risk – and as the recent Star Entertainment decision demonstrates, boards are expected to ensure they receive the right information to fulfil their duties.

    4. Tech-neutral laws used for high-tech challenges – expect the same for AI harms

    ASIC's cyber prosecutions demonstrate how technology-neutral laws designed for a previous age can be adapted to address current and emerging high-tech threats.

    Expect ASIC to leverage the regime to address emerging risks like artificial intelligence and quantum decryption. Australia's National AI Plan emphasises that AI risks will be addressed by existing regulators under existing frameworks – in most cases, regulators will apply technology-neutral laws.

    A deeper dive into the FIIG Securities cyber attack

    FIIG is a specialist in fixed income financial products and services. FIIG collected and maintained significant quantities of personal information about its clients as part of its business, including names, addresses, dates of birth, phone numbers, email addresses, copies of driver's licences, passports and Medicare cards, tax file numbers and bank account details.

    In May 2023, a FIIG employee inadvertently downloaded a file containing malware whilst browsing the Internet. The malware allowed a threat actor to remotely access FIIG's network and download approximately 385GB of data, including personal client information relating to approximately 18,000 individuals.

    Although FIIG's firewall had been generating numerous email alerts flagging suspicious activity since May 2023, FIIG did not identify or respond to the intrusion until the Australian Cyber Security Centre alerted it that its systems may have been compromised. FIIG's own risk registers had also recognised a "high or likely to eventuate" risk of confidential information being obtained by hackers if controls were not in place.

    Breaches of AFS licence obligations

    ASIC commenced civil penalty proceedings against FIIG in March 2025, alleging that FIIG failed to take adequate steps to protect itself and its clients against cyber security risks over a four-year period prior to the incident, in breach of Australian Financial Services Licence (AFSL) general obligations.

    In addition to its AFSL obligations, FIIG was subject to obligations under the Privacy Act 1988 (Cth), the Privacy (Tax File Number) Rule 2015 (Cth) and the Taxation Administration Act 1953 (Cth) to take reasonable steps to protect personal information and tax file number information from misuse, loss and unauthorised access, as well as contractual obligations to its clients to take reasonable steps to keep confidential information secure and to have computer systems which are secure.

    As in ASIC's previous RI Advice decision, and the recent Australian Clinical Labs decision, ASIC and FIIG negotiated agreed facts and submissions, as well as proposed orders. The Court's role was to independently determine if it was sufficiently persuaded of the accuracy of the agreed facts and consequences, and the appropriateness of the agreed orders. It was not required to weigh competing evidence or legal interpretations.

    FIIG admitted breaches of:

    1. Section 912A(1)(d) – In order to ensure that FIIG was able to meet its obligations and provide the financial services covered by its AFSL, it was required to have 'adequate measures in place to protect clients' (which included 'financial, technological, and human resources') from cyber security risks. Though FIIG employed almost 14 IT staff during the relevant period, the staff did not have sufficient skills, knowledge or experience in IT security, and did not have sufficient time (having regard to their other responsibilities within the organisation) to ensure that FIIG had the necessary measures in place.
    2. Section 912A(1)(h) – FIIG did not have adequate risk management systems. While FIIG had a risk management system, including an IT Information Security Policy and Cyber and Information Security Policy, FIIG failed to implement measures identified in those policies.
    3. Section 912A(1)(a) – Overall, FIIG did not have adequate measures to protect its clients from the risks and consequences of a cyber intrusion.

    Why $2.5 million?

    The Court ordered FIIG to pay a pecuniary penalty of $2.5 million, the first penalty imposed for cyber security failures under AFSL general obligations.

    The penalty amount was submitted as appropriate by ASIC and FIIG, and the Court assessed, taking into account submissions, whether that amount was appropriate.

    Because ASIC and FIIG agreed contraventions of three subparagraphs of section 912A(1), the maximum potential penalty was $41,250,000. However, the contraventions were a single "course of conduct", indicating a penalty at or near the maximum was not appropriate.

    In assessing the penalty, the Court had regard to the following factors, with deterrence the paramount consideration.

    • Specific deterrence – an appropriate "sting", not a cost of doing business: At 20% of FIIG's net assets and around 8% of turnover, the penalty provided an appropriate "sting" for FIIG – far more than merely a cost of doing business.
    • General deterrence: The cost of compliance over the four-year period would have been approximately $1.2 million. A penalty of $2.5 million validates the decisions of those investing appropriately in cyber security, and sends a warning to those underinvesting.
    • Period of contravention – 4 years: The contraventions occurred continuously over approximately four years and arose as a result of FIIG's failure to adequately invest in its cyber security and cyber resilience, despite its awareness of the cyber security risks and the importance of the personal client information which it held.
    • Not deliberate: The contraventions did not occur as a result of any deliberate misconduct by FIIG.
    • Actual loss: The known financial loss flowing from the cyber attack was largely limited to FIIG's own remediation costs of approximately $1.5 million, though some clients suffered a compromise of their confidential personal information with potential for significant consequences.
    • Prior conduct: FIIG had not previously been found to have engaged in any similar conduct.
    • Cooperation: FIIG had been fully cooperative with ASIC by engaging from an early stage in good faith discussions to resolve the proceedings, making admissions, and agreeing on joint submissions, warranting a substantial discount for cooperation.


    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.


    This material is current as at 25 March 2026 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.