Corporate Counsel

$2.5M FIIG penalty: cyber security is now a permanent fixture

FIIG Securities' $2.5M penalty confirms cyber resilience is a non-negotiable issue. Here's how to manage the newly-quantified risk.

March 11, 2026 By DotSec

On 13 February 2026, Justice Derrington ordered FIIG Securities to pay $2.5 million in civil penalties for contravening section 912A of the Corporations Act between March 2019 and June 2023. The Court also ordered $500,000 towards ASIC's costs and a compliance programme overseen by an independent cyber security expert at FIIG's expense.

This is the first time the Federal Court has imposed civil penalties for cyber security failures under the general AFS licensee obligations. It follows ASIC's 2022 enforcement action against RI Advice, where the Court found a contravention but imposed no penalty, and sits alongside ongoing proceedings against Fortnum Private Wealth, filed in July 2025.

What the Court found

The Court declared contraventions across three limbs of s912A: failing to provide financial services efficiently, honestly and fairly (s912A(1)(a)); failing to have adequate financial, technological and human resources (s912A(1)(d)); and failing to have adequate risk management systems (s912A(1)(h)).

FIIG's deficiencies included: no multi-factor authentication for remote access; privileged accounts used for non-privileged access and tasks; credentials stored in plaintext files on the network; only one penetration test between 13 March 2019 and 8 June 2023 (the Relevant Period); no use of network-based scanning tools that could identify security vulnerabilities in FIIG's network; and no annually tested cyber incident response plan that could identify the action to be taken by FIIG to detect, confirm and contain a cyber security incident.

When the ACSC notified FIIG of a potential intrusion on 2 June 2023, FIIG did not commence its own investigation for six days. By that point, the ALPHV attackers had been inside the network for approximately two weeks and had exfiltrated roughly 385 gigabytes of data, including passport details, tax file numbers, driver's licences, Medicare cards and bank account details belonging to approximately 18,000 clients.

Planning ahead: A breach need not lead to a penalty

When considering the implications of this case, it is important to note that Justice Derrington was clear: a successful cyberattack does not automatically establish a contravention. The finding turned on four years of documented, sustained underinvestment, not on the fact that an attacker gained access. Also relevant: FIIG had identified cyber security as a material risk in its own risk management framework. However, the Court found that it failed to implement, maintain and monitor the controls those policies required.

Having a policy and not operationalising it will probably not work as a defence; in fact, it may form part of the evidentiary basis for a finding against a licensee.

The past: Unplanned and uncontrolled costs

FIIG's penalty was set by the Court against a maximum of $41.25 million, with the Court acknowledging FIIG's full cooperation and admission of liability. But the quantum was framed deliberately: the Court noted that implementing adequate controls over the Relevant Period would have cost approximately $1.2 million. The $2.5 million penalty, roughly twice the cost of compliance, was described as serving to validate the efforts of compliant businesses and to deter those that underinvest.

Further remediation costs are recorded as being approximately $1,500,000. On top of that come $500,000 in legal costs and the costs of the mandated expert programme. Add this to the $2.5 million penalty and the estimated total cost is over $4 million, excluding the unquantifiable costs associated with reputational damage and the ongoing risk of identity fraud affecting 18,000 individuals.

The future: Planned and predictable costs

ASIC's 2026 key issues outlook lists cyber security and operational resilience as explicit priorities. The Fortnum proceedings are ongoing. For APRA-regulated entities, CPS 230 adds a further layer of obligation on top of the s912A framework.

We have long argued that proactively managing risk and spending your own money on your own terms is better (more manageable and less costly) than waiting for attackers and the Federal Court to set the costs and timeframes. For practitioners advising AFS licensees, the FIIG judgment provides a concrete, dollar-denominated benchmark. The practical question for boards and compliance teams is no longer whether regulators will act. The question now is: what evidence can an organisation produce to confirm the effectiveness of the controls (tested incident response plans, MFA, patch management, vulnerability scanning, privileged access controls, security awareness training, and monitored security event logging) that ASIC has now itemised in its actions?

Promoted by:
Tim is the founder of dotSec, an Australian cyber security consultancy that has been helping organisations implement the controls at the centre of the FIIG judgment for over 25 years. dotSec's full analysis of the FIIG penalty, including the judgment references and enforcement timeline, is available at dotsec.com/fiig-federal-court-penalty.