
When cyber failures become licence failures: Lessons from ASIC’s FIIG action

A $2.5 million penalty in itself is not existential for most Australian financial services (AFS) licensees. Nonetheless, ASIC’s action against FIIG Securities marks a decisive shift in how cyber risk is regulated.

The Federal Court ordered FIIG to pay $2.5 million in civil penalties, plus $500,000 in costs, after years of inadequate cyber security practices. ASIC did not describe the outcome as a technology lapse. It framed cyber resilience as a licence-to-operate expectation.

This framing matters.

Cyber security has crossed a regulatory threshold. It is no longer adjacent to governance. It is now assessed as part of the operating model that underpins trust, continuity and compliance.

Explore what this shift means in practice, and how cyber, risk and compliance leaders are responding, by registering for our cyber risk webinar.

This was not about a breach

For years, cyber incidents were treated as operational shocks: disruptive and costly, but still distinct from governance or conduct failures. The FIIG case collapses that distinction.

ASIC was explicit that this was the first time civil penalties were imposed for cyber security failures under general licence obligations.

No new cyber regime was required. The regulator relied on the core requirements that underpin every AFS licence.

This finding marks a change from the 2022 Federal Court case in which RI Advice was found to have breached its licence obligations following multiple cyber incidents. In that case, the agreed outcome merely required RI Advice to remedy its cyber resilience and contribute towards ASIC’s costs; no civil penalty was imposed.

The implication of the latest ruling is straightforward. If a licensee cannot demonstrate that cyber risk is managed as part of its risk management system, and is appropriately governed, resourced and monitored, it cannot credibly claim to be meeting its obligations to clients or the market.

ASIC also reframed the economics of cyber resilience. It noted that the harm caused by FIIG’s failures far exceeded the cost of implementing adequate controls. Prevention is no longer discretionary. It is an expected investment.

Cyber incidents now involve multiple risks at once

The scale of the FIIG incident explains the regulatory escalation:

  • Around 385 gigabytes of confidential data were exfiltrated.
  • Approximately 18,000 clients were notified that their personal information may have been compromised.
  • The exposed data included passports, driver licences, bank account details and tax file numbers, among the most trust-sensitive information financial institutions hold.

This is no longer just an information security issue.

Cyber incidents trigger customer harm, regulatory enforcement, legal exposure, remediation obligations and reputational damage simultaneously. They are not isolated ‘security events’. They are institutional failures.

Why ASIC focuses on controls, not attackers

ASIC did not focus on the sophistication of the attackers. It focused on what FIIG failed to put in place over an extended period.

FIIG admitted that measures appropriate to its size and the sensitivity of the data it held could have enabled earlier detection and response. It also admitted that following its own policies may have prevented some or all of the data loss.

The control gaps ASIC identified were basic, not advanced: inadequate resourcing, missing baseline access controls, weak patching and testing, no active monitoring, and no tested incident response capability.

The regulatory test is now clear.

The question is no longer whether an organisation was attacked. It is whether its control environment was defensible.

Fragmentation was the real weakness

The most confronting aspect of the FIIG case is how familiar the failures look.

They reflect a fragmented cyber operating model, with policies disconnected from practice, controls detached from monitoring, and response plans rarely exercised. This fragmentation rarely results from neglect. More often, it emerges from accumulation: point solutions layered over time, ownership spread across teams, and evidence scattered across systems.

The result is predictable.

Detection slows.

Response fragments.

And when regulators ask for evidence, organisations struggle to assemble a coherent account of what was operating and why it failed.

FIIG’s case is not exceptional. It is what fragmented cyber governance looks like under scrutiny.

Cyber resilience is now an operating model issue

ASIC’s reasoning went beyond individual controls. It focused on governance, resourcing and integration.

The court did not just impose a financial penalty. It ordered a compliance program, including independent expert oversight of FIIG’s cyber security and resilience arrangements. This aligns with ASIC’s broader supervisory focus on cyber risk, operational resilience and crisis management.

Together, these expectations reframe cyber resilience as an operating model issue, not a box-ticking exercise.

From breach response to continuous assurance

The underlying shift is from reactive breach response to continuous assurance.

  • In fragmented environments, assurance is periodic and manual. It intensifies after incidents, then fades.

  • In integrated environments, assurance is a continuous by-product of connected risks, controls, ownership and evidence.

That shift enables earlier detection, faster containment, clearer accountability and sustained regulatory confidence. FIIG’s admissions show what happens when those capabilities are missing.

From cyber tooling to cyber governance

ASIC’s action against FIIG crystallises a practical question for every AFS licensee: could you prove you were in control, at speed, if scrutiny arrived tomorrow?

Fragmented systems make that proof fragile. Integrated governance makes it credible. That is the direction in which cyber risk management is now moving: from detection to defensible resilience.

For cyber leaders, risk executives and compliance teams, FIIG’s case is not just a warning. It is a preview of how cyber resilience will be assessed in practice.

In the upcoming webinar, we examine how organisations are responding to that shift: how they are building integrated cyber risk operating models, demonstrating continuous assurance to boards and regulators, and reducing exposure before incidents occur.

Register for our cyber risk webinar to understand what good now looks like and how to get there.

References

  1. ASIC media release: ASIC action sees FIIG Securities ordered to pay $2.5 million over cyber security failures
    https://www.asic.gov.au/about-asic/news-centre/find-a-media-release/2026-releases/26-021mr-asic-action-sees-fiig-securities-ordered-to-pay-2-5-million-over-cyber-security-failures/
  2. ASIC media release: Court finds RI Advice failed to adequately manage cybersecurity risks
    https://www.asic.gov.au/about-asic/news-centre/find-a-media-release/2022-releases/22-104mr-court-finds-ri-advice-failed-to-adequately-manage-cybersecurity-risks/


About the author

Mike Franklin has a long background in cyber security and risk governance. Prior to joining Protecht to lead our cyber risk team, he worked for multiple blue-chip organisations in banking, finance and tertiary education. Mike’s deep expertise helps Protecht customers to strengthen their cyber security, ISMS and third party/vendor risk management programs.