
Federal Court of Australia · [2026] FCA 92

ASIC v FIIG Securities

A Federal Court case about cybersecurity failures at an AFS licensee, sensitive client data, risk management and a $2.5 million penalty.

Federal Court of Australia · 13 Feb 2026

Plain-English explainers, not legal advice. Check the linked official source before you rely on a specific section, and get advice for your situation.

Start here

Quick read

  • Cybersecurity is now a licence and governance issue for regulated businesses.

Use this to check

  • Cyber controls should match the sensitivity of the data and the size and risk profile of the business.
  • Incident response plans need to be written, owned, tested and updated.
  • MFA, privileged access controls, patching, monitoring and staff training are legal risk controls for regulated firms.

Decision snapshot

  1. What happened

    • FIIG Securities was an Australian fixed-income specialist and AFS licensee.
    • It held sensitive client information including identity documents, tax file numbers, ABNs, bank account details and records of fixed income investments.
    • In May 2023, FIIG suffered a cyberattack in which about 385GB of data was downloaded from its servers and some client information appeared on the dark web.
    • FIIG admitted that from 13 March 2019 to 8 June 2023 it did not have adequate cybersecurity measures, resources or risk management systems for the risks it faced.
  2. What the court had to decide

    • The Federal Court had to decide whether admitted failures in cybersecurity resources, controls and risk management amounted to contraventions of the general AFS licensee obligations in section 912A of the Corporations Act, and whether the agreed penalty and compliance program were appropriate.
  3. What the court decided

    • The Federal Court ordered FIIG to pay a $2.5 million penalty and $500,000 toward ASIC's costs.
    • The Court also ordered FIIG to undertake a compliance program involving an independent expert to review its cybersecurity and cyber resilience systems and identify further remedial actions.

Practical impact

Practical read

  • If your business holds sensitive client data, weak access controls, untested incident plans and under-resourced IT security can become legal compliance failures, not just technology problems.

Useful next steps

  • A board or leadership team should be able to show how cyber risks are funded, tracked and reviewed.
  • Identify the most sensitive data your business holds and who can access it.

Practical read

FIIG is useful because the Court was careful about what the law requires. A successful cyberattack does not automatically prove a business broke the law. But where a regulated business holds highly sensitive client information, the question becomes whether its cyber controls, staffing, funding, incident response and risk management were adequate for the risk.

The agreed facts pointed to practical failures: no adequate incident response plan for much of the period, gaps in multi-factor authentication, penetration testing, patching, privileged access controls, monitoring, training and review of cyber resilience. FIIG also admitted that adequate controls would have helped it detect and respond to the breach sooner and could have prevented some or all of the data from being downloaded.

For small and scaling businesses, the lesson is to stop treating cyber as a vague IT spend. If you collect client identity data, payment data, investment records, health data or tax file numbers, you need clear ownership, budget, controls, testing and board-level reporting.

Checks to run

Key points

  • Identify the most sensitive data your business holds and who can access it.
  • Turn on MFA for remote access and privileged accounts.
  • Keep a tested incident response plan with named decision-makers.
  • Run regular vulnerability scanning, patch reviews and penetration testing where risk justifies it.
  • Report cyber risks to directors or senior leaders in business language, not only IT tickets.
