A landmark ruling from the Federal Court of Australia has sent a clear signal to financial services firms, and to organisations across the broader economy: inadequate cyber security controls carry real and substantial legal consequences. The decision in Australian Securities and Investments Commission v FIIG Securities Limited [2026] FCA 92, handed down in February 2026, marks the first time civil penalties have been imposed for cyber security failures under the general obligations of an Australian Financial Services Licence (AFSL).
What happened at FIIG Securities?
FIIG Securities Limited, a fixed-income specialist holding an AFSL, failed to implement adequate cyber security controls between March 2019 and June 2023. The Australian Securities and Investments Commission (ASIC) found the firm had insufficient staffing and financial resources dedicated to cyber security, weak password policies, no multi-factor authentication for remote users, inadequate penetration testing, poorly configured firewalls, and no qualified IT staff monitoring threat alerts. In May 2023, the ransomware group AlphV/BlackCat exploited these weaknesses, exfiltrating approximately 385 gigabytes of data belonging to around 18,000 clients. The compromised data included passport details, tax file numbers, and bank account information. FIIG was not even aware of the breach until the Australian Cyber Security Centre (ACSC) notified the firm on 2 June 2023.
The penalty
The Federal Court ordered FIIG to pay a civil penalty of $2.5 million, together with $500,000 toward ASIC’s legal costs. The court also imposed a mandatory compliance program overseen by an independent cyber security expert. ASIC Deputy Chair Sarah Court observed that the consequences of FIIG’s failures far exceeded what it would have cost the firm to implement adequate controls in the first place, a point that will resonate with any organisation currently deferring investment in its cyber security posture.
What this means for Australian professionals
The FIIG decision establishes that ASIC expects AFSL holders to maintain proportionate cyber security measures commensurate with the sensitivity and volume of client data they hold. The ruling is a significant development for the financial services sector, but its implications extend well beyond it. Regulators across multiple domains in Australia, including those governing legal, accounting, and corporate governance practice, are sharpening their focus on operational resilience and data protection obligations. For professionals who advise or work alongside organisations holding sensitive client data, understanding those obligations is no longer an optional consideration. It is a professional responsibility.
The AICS perspective
Cases like FIIG Securities illustrate exactly the gap that AICS training is designed to address. The Cyber Security Accreditation Course covers risk assessment, regulatory and compliance obligations in Australia, incident response planning, and the practical construction of cyber security frameworks suited to real organisational environments. The specialist courses for lawyers and accountants address the specific obligations and risks relevant to those professions, including the regulatory frameworks under which their clients operate. For professionals who want to demonstrate they take these responsibilities seriously, and who want the credentials to prove it, AICS accreditation and membership provide a structured and recognised pathway.
To explore how AICS training can help you and your organisation meet your cyber security obligations, visit cybersecurity.com.au/courses. Source: Information Age, Australian Computer Society (2026).