On 9 February 2026, in a landmark cybersecurity case brought by ASIC, the Federal Court made orders against FIIG Securities Limited for failing to comply with its general obligations as a financial services licensee. His Honour Justice Derrington delivered his reasons on 13 February 2026.
The licensee was ordered to pay a civil penality of $2.5 million for failing, for more than four years, to take adequate steps to protect thousands of clients from cybersecurity risks. It was also ordered to pay $500,000 towards ASIC's costs and to undertake a compliance programme, including engaging an independent expert to review and make recommendations about further documentation, resources and controls to manage cybersecurity risks, and to implement those recommendations.
Justice Derrington said at [80] that the imposition of the penalty '…will send a warning to businesses with inappropriate underinvestment in cybersecurity.'
The proceeding followed a major cyberattack on the licensee in 2023 which went undetected and saw around 385 gigabytes of confidential information stolen and personal client information leaked onto the dark web – including driver’s licences, passport information, bank account details and tax file numbers.
His Honour recognised that, in an environment where it is impossible to prevent every cyberattack:
'ASIC's very legitimate concern does not seek to impose an unattainable standard of information protection. Rather, ASIC is concerned that entities which are subject to obligations under the Act have adequate cyber protection systems in place.'
The Court found that the standard of cybersecurity is informed by the nature of the business; the information held about clients; the value of funds under advice and assets held on behalf of clients; the magnitude and potential consequences of cybersecurity risks; and contractual obligations to clients.
Having regard to those factors, the appropriate level of cybersecurity measures that the licensee was required to have in place over the relevant period included:
- ensuring privileged accounts were not used for non-privileged activities, and were protected by securely kept passwords of at least 14 characters;
- reviewing access rights quarterly;
- a patching plan and the application of patches within certain timeframes;
- configuration of group policies to disable insecure authentication protocols;
- multi-factor authentication for all remote access users from late 2022;
- vulnerability scanning over networks and endpoints, and processes to review results and take necessary action;
- penetration testing of the external perimeter, internal network and at least business-critical applications at least annually;
- next-generation firewalls that were configured to prevent endpoints or servers from establishing direct connections to file transfer protocol servers over the internet, and to restrict access to the internet from internal systems to only the extent necessary;
- endpoint detection and response (EDR) software that was installed on all endpoints and servers, was appropriately updated, and that generated alerts that were tuned to suppress non-threatening alerts;
- a practice of monitoring threat alerts across the licensee’s systems by IT personnel with the knowledge, skills and experience to identify and respond to any unusual or suspicious activity;
- annual mandatory security awareness training for all employees addressing the organisation’s key cybersecurity risks and the behaviour expected;
- a process to review and evaluate the effectiveness of EDR configuration and rules at least quarterly, and other technical controls and organisation-wide cyber resilience at least annually; and
- having a cyber incident response plan that identified relevant action to be taken and the people to be contacted, and that was tested annually.
In addition to the penalty and compliance orders, the Court declared that, at all times during the period between 13 March 2019 and 8 June 2023, contrary to s 912A(1)(d) of the Corporations Act 2001, the licensee failed to:
- have available technological resources comprising certain cybersecurity measures;
- have available human resources with the skills, responsibility and capacity necessary to put those measures in place and to implement the controls it had established to mitigate the cybersecurity risks it faced; and
- provision sufficient financial resources for the above.
The Court also declared that, at all times between 13 March 2019 and 8 June 2023, the licensee failed to:
- have adequate risk management systems, as required under s 912A(1)(h) of the Corporations Act by failing to implement the relevant controls it had identified; and
- do all things necessary to ensure that the financial services covered by its licence were provided efficiently, honestly and fairly, as required under s 912A(1)(a) of the Corporations Act, by reason of its failures to have: the cybersecurity measures in place; adequate technological, human and financial resources available; and adequate risk management systems.
The Judge was satisfied that a penalty of $2.5 million was appropriate in circumstances where:
- The contraventions occurred continuously over a period of approximately 4 years and 3 months.
- They arose as a result of a failure to adequately invest in cybersecurity and cyber resilience, despite knowing of the risks. However, the contraventions appeared to have occurred as a result of carelessness, rather than deliberate conduct by the licensee.
- The cost of compliance over the relevant period would have been approximately $1.2 million.
- The known financial loss was largely limited to the licensee's own remediation costs (of nearly $1.5 million). However, the licensee’s customers also suffered a loss of their confidential information, which could in turn result in identity theft in the future. The Court recognised this as potentially significant.
- The licensee has not previously been found to engage in similar conduct, and cooperated with ASIC from an early stage.
MinterEllison acted for ASIC in the proceedings.