
Australian Securities and Investments Commission v FIIG Securities Limited [2026] FCA 92

Australian Securities and Investments Commission v FIIG Securities Limited [2026] FCA 92 is a Federal Court cyber security enforcement case against an AFSL holder. After a 2023 cyber attack led to the download of about 385GB of data, including client personal information, ASIC alleged that FIIG had long failed to maintain adequate cyber security measures. FIIG admitted contraventions. The Court declared breaches of core licence obligations, imposed a $2.5 million penalty, ordered a detailed compliance programme with an independent expert and CEO attestation, and awarded ASIC costs.

CTH · 13 Feb 2026

These are plain-English explainers, not legal advice. They are a good starting point, but check the linked official source before you rely on a specific section, and get advice for your situation.


Decision snapshot

Facts

The dispute

ASIC brought proceedings against FIIG Securities Limited, the holder of Australian Financial Services Licence number 224659. During the relevant period, FIIG was authorised to provide financial product advice, deal in financial products, make a market for certain financial products, and provide custodial or depository services. It was therefore a regulated financial services business with substantial client-facing and data-handling responsibilities.

In running that business, FIIG collected and maintained extensive personal information about clients, including names, addresses, dates of birth, phone numbers, email addresses, driver’s licence details, passport details, Medicare details, Tax File Numbers, Australian Business Numbers and bank account details. It also stored electronic records of clients’ fixed income investments on internal servers and operated outward-facing electronic platforms through which clients could access investment information and buy or sell investments. Over the relevant period, the value of assets under FIIG’s control for clients ranged from about $2.99 billion to $3.7 billion, and the value of funds under advice ranged from about $4.7 billion to $7.6 billion.

The immediate catalyst for ASIC’s case was a cyber attack from 19 May 2023. Approximately 385GB of data, including personal information of FIIG’s clients, was downloaded from FIIG’s servers. Screenshots of two documents containing some of that client information were later published on the dark web. ASIC investigated and alleged that, between 13 March 2019 and 8 June 2023, FIIG had failed to take adequate steps to protect itself and its clients against cyber security risks. FIIG admitted the contraventions. The parties filed a joint Statement of Agreed Facts and Admissions and joint submissions, and the Court accepted the agreed orders.

The admitted deficiencies were detailed and operational. They included:

  • the absence, for much of the period, of a proper cyber incident response plan
  • weak privileged account practices
  • no quarterly review of access rights
  • no network-based vulnerability scanning tool
  • no adequate endpoint vulnerability scanning across all endpoints
  • limited penetration testing
  • firewall settings that did not sufficiently restrict internet connections
  • failure to disable insecure NTLMv1 authentication on all endpoints and servers
  • incomplete and outdated endpoint detection software
  • inadequate alert monitoring by appropriately skilled personnel
  • no adequate patching plan
  • failure to patch known vulnerabilities, including EternalBlue and BlueKeep, for long periods
  • delayed multi-factor authentication for remote access users
  • minimal cyber awareness training
  • no adequate recurring process to review the effectiveness of controls or FIIG’s cyber resilience across the organisation

The Court also noted that FIIG had contractual commitments to clients, including statements in its client custody terms that it had secure computer systems and would take reasonable steps to keep confidential information secure. Against that background, the Court made declarations of contravention, imposed a $2.5 million penalty, ordered a compliance programme involving an independent expert, and ordered FIIG to pay $500,000 towards ASIC’s costs.

Issue

The legal question

The central issue was whether FIIG's admitted cyber security shortcomings meant it breached core AFSL obligations under section 912A of the Corporations Act. ASIC alleged that, during the relevant period, FIIG lacked adequate technological, human and financial resources, failed to have adequate risk management systems, and therefore failed to do all things necessary to ensure its financial services were provided efficiently, honestly and fairly. The Court also had to decide whether the jointly proposed declarations, penalty and compliance programme orders were appropriate. The reasons make clear that the legal standard was adequacy, not perfection.

Outcome

Decision

The Federal Court made the declarations and orders sought on the basis of agreed facts, admissions and joint submissions. It declared that between 13 March 2019 and 8 June 2023, FIIG failed to have available adequate resources as required by section 912A(1)(d), failed to have adequate risk management systems as required by section 912A(1)(h), and by reason of those failures and the absence of adequate cyber security measures, failed to do all things necessary to ensure that the financial services covered by its licence were provided efficiently, honestly and fairly under section 912A(1)(a). The Court ordered FIIG to pay a $2.5 million pecuniary penalty within 30 days, undertake a detailed compliance programme involving an independent expert and remedial actions, and pay ASIC $500,000 towards ASIC's costs.

Practical impact

Commercial note

The practical lesson is not that businesses must achieve perfect cyber security. The lesson is that your controls, people, budget and review processes must be adequate for your actual risk profile. If your business stores identity documents, tax information, bank details, investment records or other sensitive customer data, you should be able to show more than a set of written policies. You should be able to show that incident response planning exists and is tested, access rights are reviewed, vulnerabilities are scanned for, penetration testing is done at sensible intervals, patching is disciplined, insecure settings are removed, monitoring is handled by capable people, staff are trained regularly, and the whole control environment is reviewed for effectiveness. For AFSL holders in particular, this case shows that weak cyber governance can be framed as a failure of resources and risk management, not merely a technical lapse.

Snapshot

In Australian Securities and Investments Commission v FIIG Securities Limited [2026] FCA 92, the Federal Court dealt with admitted contraventions by an AFSL holder following a cyber attack and long-running cyber security deficiencies. ASIC sought declarations, a pecuniary penalty, a compliance programme and costs. The Court made the agreed orders.

The case is important because it links cyber security failures to core licence obligations under section 912A of the Corporations Act. The Court declared that FIIG failed to have adequate resources, failed to have adequate risk management systems, and by reason of those failures and the absence of adequate cyber security measures, failed to do all things necessary to ensure its financial services were provided efficiently, honestly and fairly.

The story

FIIG was a licensed financial services business, not a casual online operator. It held an Australian Financial Services Licence and was authorised to provide financial product advice, deal in financial products, make a market for certain products, and provide custodial or depository services. In the course of that business, it collected and stored extensive personal client information and maintained electronic records of clients’ fixed income investments on internal servers. It also operated outward-facing electronic platforms through which clients could access information and transact.

The scale of the business mattered. During the relevant period, the value of assets under FIIG’s control for clients ranged between about $2.99 billion and $3.7 billion, and the value of funds under advice ranged between about $4.7 billion and $7.6 billion. The parties agreed there was a real risk that FIIG could be the subject of a cyber attack and that such an attack could lead to unauthorised access to personal information, data loss or publication, system disablement, inability to provide licensed services, impersonation risks, financial loss, reputational damage and proceedings for breach of obligations owed to clients.

ASIC’s action was triggered by a cyber attack from 19 May 2023. Approximately 385GB of data, including personal information of FIIG’s clients, was downloaded from FIIG’s servers. Screenshots of two documents containing some of that information were later published on the dark web. ASIC investigated and alleged that, between 13 March 2019 and 8 June 2023, FIIG had failed to take adequate steps to protect itself and its clients against cyber security risks. FIIG admitted the contraventions.

The proceeding was not decided after a contested factual trial. The parties filed a joint Statement of Agreed Facts and Admissions and joint submissions on contravention and relief. The Court said the agreed orders were acceptable and made them at the hearing, then published reasons explaining why.

  • FIIG was an AFSL holder providing regulated financial services
  • It held large volumes of sensitive client identity and financial information
  • It operated outward-facing online platforms used by clients
  • A cyber attack in May 2023 led to the download of about 385GB of data
  • FIIG admitted contraventions and the Court made agreed orders

What the court had to decide

The legal question was not whether FIIG had guaranteed perfect cyber protection. The Court expressly observed that it would be all but impossible to prevent every cyber attack, and that the mere fact of a successful attack does not necessarily indicate a failure to meet statutory obligations. Instead, the issue was whether FIIG had adequate cyber protection systems in place, having regard to the obligations imposed on it as an AFSL holder.

ASIC alleged, and FIIG admitted, contraventions of section 912A(1)(a), (d) and (h), with section 912A(5A) making those contraventions civil penalty matters. In practical terms, the Court had to consider whether FIIG had available adequate financial, technological and human resources to provide the financial services covered by its licence, whether it had adequate risk management systems, and whether the admitted cyber security failures meant it had not done all things necessary to ensure its financial services were provided efficiently, honestly and fairly.

The reasons also explain that adequacy is a normative standard. It depends on the risks faced by the licensee and whether the systems and resources in place were adequate to manage those risks. The parties agreed that the standard of competence in respect of cyber security should be informed by the nature of FIIG’s business, its size and resources, the personal client information it held, the value of funds and assets involved, the magnitude and potential consequences of the cyber risks, and FIIG’s contractual obligations to clients.

Documents and conduct the Court focused on

The judgment is especially useful because it does not stay at a high level. It identifies concrete deficiencies that the parties agreed made FIIG’s cyber security measures inadequate. This gives businesses a practical picture of what a regulator and a court may look at when assessing adequacy.

FIIG had contractual commitments to clients that also formed part of the factual setting. In its client custody terms and conditions, it warranted that it had the capacity to perform core administrative activities for custodial services, including having computer systems which are secure. It also agreed to take reasonable steps to keep secure all confidential information in its possession. Those promises did not create the statutory obligations in issue, but they helped explain the seriousness of the cyber risk in the context of FIIG’s business.

Read together, the admitted deficiencies were not isolated technical oversights. They showed gaps in planning, access control, vulnerability management, testing, monitoring, patching, staff capability and governance review. That is why ASIC framed the case not only as a cyber security problem, but also as a resources and risk management problem.

What the court decided

The Court accepted the agreed facts and admissions and made declarations under section 1317E of the Corporations Act. First, it declared that between 13 March 2019 and 8 June 2023, FIIG failed to have available adequate resources, including technological, human and financial resources, to provide the financial services covered by its licence, contrary to section 912A(1)(d). The declaration was framed in detail, including failures to have the technological resources comprising the adequate cyber security measures, failures to have human resources with the necessary skills, responsibility and capacity, and failures to provide sufficient financial resources to support those measures and personnel.

Second, the Court declared that during the same period FIIG failed to implement the controls identified in its risk management system to mitigate the cyber security risks it faced, and therefore failed to have adequate risk management systems as required by section 912A(1)(h).

Third, the Court declared that by reason of FIIG’s failures to have in place adequate cyber security measures, to have available adequate resources, and to have adequate risk management systems, it failed to do all things necessary to ensure that the financial services covered by its licence were provided efficiently, honestly and fairly, contrary to section 912A(1)(a).

The Court then ordered FIIG to pay a pecuniary penalty of $2.5 million within 30 days. It also ordered a compliance programme under section 1101B(1), and ordered FIIG to pay ASIC $500,000 towards ASIC’s costs within 30 days.

The compliance programme in practice

The compliance programme is one of the most practical parts of the case for business owners and executives. It was not limited to a general instruction to improve cyber security. It set up a structured remediation process with external oversight.

FIIG had to engage an independent expert agreed between FIIG and ASIC, each acting reasonably. The expert was required to prepare a first report identifying what, if any, further documentation, resources and controls in respect of cyber security and cyber resilience were necessary for FIIG to implement in order to reasonably manage risk. If remedial actions were identified, FIIG then had to agree a timetable for implementation with the independent expert and ASIC, with the end date being the earliest date reasonably practicable unless another date was agreed in writing.

After implementation, the independent expert had to provide a further report on whether, and to what extent, the remedial actions had been fully and appropriately implemented. FIIG then had to provide ASIC with an attestation from its Chief Executive Officer stating that the CEO had read and understood the first and final reports and, having made reasonable enquiries, believed the remedial actions had been implemented and was satisfied with how they had been implemented.

That structure matters because it pushes cyber remediation into governance territory. It requires external review, implementation planning, reporting, executive accountability and regulator visibility. The orders also required FIIG to pay the expert’s costs and the costs of implementation, provide reasonable assistance, and provide certain written correspondence with the expert to ASIC if requested, subject to legal professional privilege.

How businesses should read it

For AFSL holders, the message is direct. Cyber security can be treated as part of your licence compliance framework. If your controls are inadequate for your business and risk profile, the issue may be characterised as a failure of resources, a failure of risk management systems, and a failure to provide services efficiently, honestly and fairly.

For other businesses, the statutory provisions in this case may not apply in the same way, but the practical reading is still important. Courts and regulators are likely to look at whether cyber controls are real, maintained, reviewed and matched to the sensitivity of the data and systems involved. A business that stores identity documents, tax information, payment details or commercially sensitive records should assume that cyber security is a leadership issue, not just a technical support issue.

This case also shows that adequacy is contextual. The right question is not whether your business has every possible control. The right question is whether your controls, staffing, budget and review processes are adequate for the risks you know you face. That includes the nature of your services, the volume and sensitivity of information you hold, the consequences of compromise, and any promises you make to customers in contracts or policies.

Another practical point is that some of the deficiencies here were basic governance failures rather than exotic technical issues. They included not having a tested incident response plan, not reviewing access rights regularly, not patching known vulnerabilities in time, not ensuring monitoring was done by appropriately skilled people, and not running recurring reviews of control effectiveness. Those are the kinds of issues that boards, founders and executives can ask about directly.

Source notes

This page is based on the Federal Court judgment and orders in Australian Securities and Investments Commission v FIIG Securities Limited [2026] FCA 92, dated 13 February 2026. The reasons state that the parties filed a joint Statement of Agreed Facts and Admissions and joint submissions, and that the Court considered the agreed orders acceptable.

The published reasons available here are truncated after paragraph 44. The public explanation above therefore focuses on the facts, admissions, declarations, legal framing and orders that are clearly set out in the judgment and orders.
