
Three questions financial services leaders should now be asking after the ASIC vs FIIG ruling

Confidence in financial services depends on the ability to stand behind how systems support licensed activity over time.

The Federal Court’s ruling in ASIC v FIIG Securities placed that expectation into an operational context. The findings focused on whether the organisation’s environment reflected the risks it carried.

For leadership teams, the ruling clarifies what preparedness has to look like in practice across the organisation.

Three questions now provide a clear lens for that reflection.

Is cyber responsibility supported by capability your organisation can rely on?

The FIIG findings highlight how responsibility for cyber risk must be sustained through capability.

The court found that the organisation’s internal capability was not sufficient to carry its cybersecurity obligations. Its IT function, while established, did not have the depth of security expertise or capacity to manage the risks it faced. Responsibility had been assigned but not supported by the resources required for it to operate effectively.

Financial resourcing followed the same pattern. The organisation did not allocate sufficient funding to sustain the controls it had identified. The cost of doing so was estimated at approximately $1.2 million. The penalty imposed was $2.5 million, before remediation and compliance costs.

Where capability is not sustained with sufficient depth and backing, responsibility becomes difficult to carry in practice.

Does your organisation follow the cyber frameworks and controls it has already defined?

Risk management frameworks set direction. The environment determines whether that direction is carried through.

The FIIG matter demonstrated a disconnect between defined control frameworks and their operation within the environment. The organisation maintained an IT Information Security Policy, a Cyber and Information Security Policy, and conducted annual custodial service audits. Its own risk registers had identified the exposure of confidential information as a credible risk.

Despite this, the court found the required controls were not implemented or maintained. Critical vulnerabilities, including EternalBlue and BlueKeep, remained unpatched over several years. Endpoint detection capability was only partially deployed, operating on outdated versions, with alerts not actively reviewed.

The question, then, is whether governance decisions are actually carried through into system behaviour that holds up when the environment is exposed.

If your organisation experienced a breach, would your response approach hold under pressure?

In the FIIG case, no incident response plan had been in place in the years leading up to the breach. When the event occurred and data relating to approximately 18,000 clients was extracted, the organisation had no established framework to coordinate its response.

The compromise was not identified internally, despite alerts being generated within the environment, and was instead raised by the Australian Cyber Security Centre after the intrusion had progressed.

This places the focus on whether a response capability is established before it is needed. Where a defined approach exists, leadership can be confident that the organisation will act with clarity when an incident occurs.

A practical way to reflect on your current position

The FIIG ruling offers a clearer view of how cyber obligations are examined when tested. For financial services leaders, it brings greater focus to the role the environment plays in supporting responsibility and carrying decisions through to moments of disruption.

The andersenIT FIIG briefing outlines what this means in practice and how organisations are expected to demonstrate that position.

Download the briefing in the form below to explore this information and understand where your environment stands.
