FIIG Fined: Federal Court orders $2.5M penalty for cyber security failures

Back in April 2025, we wrote about ASIC’s lawsuit against FIIG Securities for what ASIC described as “systemic and prolonged cybersecurity failures”. Back then, we noted that the initiative had shifted firmly from FIIG to ASIC and the Federal Court, and that on the question of penalties, time would tell.

Well, time has told. On 13 February 2026, the Federal Court ordered FIIG to pay $2.5 million in civil penalties, plus $500,000 towards ASIC’s legal costs. The Court also ordered FIIG to engage an independent cyber security expert at its own expense and implement a formal compliance programme. 

What the Court found


Now, in February 2026, the Federal Court has imposed a A$2.5M penalty on FIIG for failing to maintain adequate cyber security measures. Justice Derrington declared that FIIG contravened section 912A of the Corporations Act between 13 March 2019 and 8 June 2023 across three distinct limbs: 

  • failing to have adequate financial, technological and human resources (s912A(1)(d))
  • failing to have adequate risk management systems (s912A(1)(h)), and
  • failing to provide financial services efficiently, honestly and fairly (s912A(1)(a))

FIIG admitted that adequate controls would have enabled earlier detection and response, and may have prevented some or all of the 385GB of client data from being exfiltrated in the May 2023 ALPHV attack.

One aspect of the judgment worth noting: the Court was clear that the mere fact of a successful cyberattack does not automatically mean a licensee has failed its statutory obligations. As Justice Derrington observed in ASIC v FIIG Securities Limited [2026] FCA 92, it would be all but impossible to prevent every cyberattack. The finding against FIIG was based on documented, sustained underinvestment over four years, not simply on the fact that an attacker got in.

A second point that deserves attention: FIIG had identified cyber security as a material risk in its own risk management framework and policies. The problem was that it failed to implement, maintain and monitor the controls those policies required. As Herbert Smith Freehills Kramer noted, FIIG did not consistently give effect to the controls set out in its own information security policies and audit processes. 

Having a policy and not following it is not a defence; in this case, it was part of the problem.

ASIC’s media release confirmed the significance of the outcome. ASIC Deputy Chair Sarah Court stated: “This is the first time the Federal Court has imposed civil penalties for cyber security failures under the general AFS licensee obligations, setting a clear licence-to-operate expectation for robust cyber resilience.”

The numbers in context

The $2.5M penalty represents approximately 20% of FIIG’s net assets and 8% of its 2025 turnover. The maximum available penalty for the contraventions was $41.25 million. The Court acknowledged FIIG’s full cooperation and admission of liability in arriving at the lower figure.

The cost framing is stark. According to MinterEllison, who acted for ASIC in the proceedings, implementing adequate cyber security controls over the relevant period would have cost approximately $1.2 million. FIIG’s own post-breach remediation costs came to nearly $1.5 million. Add the $2.5M penalty, $500K in legal costs, the independent expert programme, and ongoing compliance obligations, and the total bill for four years of underinvestment is well north of $4.5 million, before counting the reputational damage and the impact on 18,000 clients whose passport details, tax file numbers, driver’s licences, Medicare cards and bank account information ended up on the dark web.

As ASIC Deputy Chair Court put it: “In this case, the consequences far exceeded what it would have cost FIIG to implement adequate controls in the first place.”

The Court also noted explicitly that a penalty roughly twice the cost of compliance serves to validate the efforts of compliant businesses and send a warning to those that underinvest. That framing is deliberate.

The controls ASIC identified as missing (tested incident response plans, MFA, vulnerability scanning, patch management, privileged access management, security awareness training, and a properly configured SIEM with daily monitoring) are not exotic. They are foundational.

It often all starts with simple but effective phishing. 

In many previous posts, we have suggested that it is better for a business to spend its own money on its own terms, managing risk proactively, than to have the costs and payment plan dictated by attackers and regulators. The FIIG outcome illustrates that point with considerable precision.

FIIG held approximately $3 billion in client assets under management during the period of non-compliance. It ran a penetration test once in four years. It stored passwords in plain files on the network. It had no MFA for remote access. When the ACSC notified FIIG of a potential intrusion on 2 June 2023, the company did not begin its own investigation for six days. By then, ALPHV had already been inside for two weeks.

None of this required a sophisticated attacker. It required an organisation that had, over four years, failed to treat cyber security as a genuine operational priority.
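One of the FIIG findings above, passwords kept in plain files on the network, is also one of the easiest to check for yourself. The script below is an added example, not code from this post or from FIIG or ASIC: it sweeps a directory tree for files whose names suggest credential stores, for lines that assign a value to a password-, token- or key-like setting, and for private-key headers. The filename and key patterns, the placeholder rules and the sample share it builds in a temp directory are all constructed for illustration. It reports where secrets are, never the secret values themselves, because a scan report full of passwords would simply recreate the problem.

```python
"""Added example (not from the page or FIIG): sweep a file share for
plaintext credential files, the kind of finding cited against FIIG."""
import re
import tempfile
from pathlib import Path

# Filenames that commonly hold credentials. Illustrative list, not exhaustive.
SUSPECT_NAMES = re.compile(r"(passw(or)?d|creds?|secret|\.env$|id_rsa$)", re.I)

# "password = hunter2", "export DB_PASSWORD=...", "api_key: ..." and similar.
SECRET_ASSIGNMENT = re.compile(
    r"^\s*(?:export\s+)?"
    r"(?P<key>(?:[A-Za-z_][A-Za-z0-9_.-]*)?(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key))"
    r"\s*[:=]\s*['\"]?(?P<val>[^'\"\s#]{4,})",
    re.I,
)
# Values that are template references or obvious placeholders, not live secrets.
PLACEHOLDER_PREFIXES = ("${", "{{", "<", "%")
PLACEHOLDER_VALUES = {"changeme", "password", "xxxx", "todo", "redacted"}


def scan_file(path: Path, root: Path, max_bytes: int = 1_000_000):
    """Return findings as (relative_path, line_no, kind, key) tuples.

    Secret values are deliberately never returned: the report should say
    where a credential sits, not copy it somewhere else.
    """
    rel = path.relative_to(root).as_posix()
    findings = []
    if SUSPECT_NAMES.search(path.name):
        findings.append((rel, 0, "suspect_filename", ""))
    try:
        data = path.read_bytes()[:max_bytes]
    except OSError:
        return findings
    if b"\x00" in data:  # binary file; outside the scope of a text scan
        return findings
    text = data.decode("utf-8", errors="replace")
    for line_no, line in enumerate(text.splitlines(), 1):
        if "-----BEGIN" in line and "PRIVATE KEY" in line:
            findings.append((rel, line_no, "private_key", ""))
            break  # one finding per key file is enough
        m = SECRET_ASSIGNMENT.match(line)
        if not m:
            continue
        val = m.group("val")
        if val.startswith(PLACEHOLDER_PREFIXES) or val.lower() in PLACEHOLDER_VALUES:
            continue  # vault reference or placeholder, not a live secret
        findings.append((rel, line_no, "secret_assignment", m.group("key")))
    return findings


def scan_tree(root):
    """Scan every regular file under root; deterministic (sorted) order."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        findings.extend(scan_file(path, root))
    return findings


def build_sample_share():
    """Create a constructed sample 'file share' in a temp directory.

    All names and contents are made up for this example.
    """
    root = Path(tempfile.mkdtemp(prefix="share_"))
    files = {
        "IT/vpn_passwords.txt": "admin:Sup3rS3cret!\nbackup:B4ckup2019\n",
        "IT/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk=\n"
                     "-----END OPENSSH PRIVATE KEY-----\n",
        "Dev/.env": "DB_PASSWORD=pr0d-db-pa55\nAPI_KEY=\"abcd1234efgh\"\nDEBUG=false\n",
        "Dev/app.conf": "password=${VAULT_DB_PASSWORD}\ntimeout=30\n",  # vault ref, not a leak
        "Finance/notes.txt": "Client meeting 3pm\nToken ring network retired 2004\n",
        "Backups/db.bak": "\x00\x01password=leak\n",  # binary, skipped
    }
    for name, body in files.items():
        target = root / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body.encode("utf-8"))
    return root


if __name__ == "__main__":
    for rel, line_no, kind, key in scan_tree(build_sample_share()):
        print(f"{kind:18} {rel}:{line_no} {key}")
```

Run it as-is to see the six findings from the constructed share; point `scan_tree` at a mounted share to run it for real. The regular expressions are a starting point, not a product: tune the filename list and placeholder rules to your environment, and treat every hit as a prompt to move the credential into a password manager or vault and rotate it.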

Where this sits in the enforcement landscape

This is ASIC’s second cyber security enforcement action. The first, against RI Advice in 2022, resulted in declarations of contravention and an order that RI Advice pay $750K towards ASIC’s costs, plus its own remediation costs, but no civil penalty. The FIIG outcome is materially larger and represents the first civil penalty under the general licensee obligations, which means it applies well beyond the specific facts of this case.

ASIC has already filed civil proceedings against Fortnum Private Wealth Limited in July 2025 for similar failures, and cyber security and operational resilience feature explicitly in ASIC’s 2026 key issues outlook. This is not a trend that is going to reverse.

For APRA-regulated entities, the introduction of CPS 230 adds another layer of obligation on top of the Corporations Act section 912A framework that ASIC has been using. The message from regulators is consistent and increasingly concrete: cyber security is a licence condition, not a best-practice aspiration.

What this means for your organisation

If your organisation holds an AFS licence, the FIIG outcome is a direct statement about your obligations under section 912A. But the underlying principle extends beyond AFS licensees. Any organisation that holds sensitive client information and lacks basic controls is now operating in an environment where regulators have demonstrated their willingness to act, and their ability to secure meaningful penalties.

The practical question is whether you have documented evidence that you have addressed the kinds of controls itemised in ASIC’s concise statement: tested incident response plans, MFA, patch management, vulnerability scanning, privileged access controls, security awareness training, and a monitored SIEM.

If you have that evidence, you are in a materially better position than FIIG was. If you are not sure, then now’s the time to find out!

How dotSec can help

The controls the Court found absent at FIIG are foundational to any mature cyber security programme, and they are precisely the controls dotSec has been helping Australian organisations implement for over 25 years.

We can help you assess where you stand, identify the gaps, and build the documented evidence your obligations now require. That includes penetration testing, Essential Eight assessments, managed SOC, SIEM and EDR, and the system hardening and privileged access management work the Court found was missing at FIIG.

The bottom line

It is better (more manageable and less expensive) to spend your own money, on your own terms, managing risk proactively, than to have the costs and payment plan set by attackers and the Federal Court.

We can help with all of that, and we have 25 years of references to back us up.
