What adequate cyber preparation looks like in financial services after FIIG

The Federal Court's ruling in ASIC v FIIG Securities set the benchmark every AFSL holder now operates under. FIIG was penalised because it couldn't demonstrate adequate preparation across four years and five specific areas. The penalty came in at more than twice what compliance would have cost.

For financial services leadership, ASIC doesn't ask for your security to be perfect, it’s obligations ask you to demonstrate confidence through people, budget, controls, governance, and response.

Adequate means people and accountability, not just policies

FIIG had cybersecurity policies and a risk register. What it didn't have was the resourcing or ownership to act on either. The court found 9–14 IT staff lacked the time and skills to manage cyber risk.

Adequate preparation looks different.

• Someone owns cyber risk at board level.
• Security alerts are monitored daily by someone qualified to interpret them.
• Access reviews happen on a schedule, with evidence.
• Training is mandatory, tracked, and tailored to the risks your organisation actually carries.

If ASIC asked today who owns cyber risk in your organisation, there should be one name.

Adequate means controls that function

The ruling draws a line between deployed controls and working ones. FIIG had Carbon Black EDR, two versions out of date, Palo Alto firewalls that were misconfigured, with FTP open and a risk register with identified gaps left unaddressed.

Adequate preparation means:

• MFA enforced on all accounts, not just some
• EDR current, with alerts reviewed daily by a qualified person
• Vulnerability scanning in place, critical patches inside 30 days
• Firewalls at least privilege, NTLMv1 disabled, access restricted by role
• Risk register actively maintained, remediation evidenced and visible to the board
  
  

Adequate means a tested response

FIIG had no Incident Response Plan. When the breach occurred, the organisation learned about it from the Australian Cyber Security Centre, not from its own systems. The court also required FIIG's CEO to personally attest to the remediation work. Boards and executives can no longer delegate cyber and assume it's handled.

Adequate preparation means detection happens inside your environment, response follows a documented and rehearsed path, and leadership knows their role before an incident, not during one.

Where to from here

The ASIC vs FIIG ruling makes cyber readiness something you have to evidence. The andersenIT After FIIG: A Practical Briefing for Financial Services IT Leaders breaks down the five areas the court examined, what adequate looks like in each, and a clear starting point to assess where your organisation sits today.

Download the free briefing now through the form below: