The Federal Court's ruling in ASIC v FIIG Securities set the benchmark every AFSL holder now operates under. FIIG was penalised because it couldn't demonstrate adequate preparation across four years and five specific areas. The penalty came in at more than twice what compliance would have cost.
For financial services leadership, ASIC doesn't ask for your security to be perfect; its obligations ask you to demonstrate confidence through people, budget, controls, governance, and response.
FIIG had cybersecurity policies and a risk register. What it didn't have was the resourcing or ownership to act on either. The court found 9–14 IT staff lacked the time and skills to manage cyber risk.
Adequate preparation looks different.
If ASIC asked today who owns cyber risk in your organisation, there should be one name.
The ruling draws a line between deployed controls and working ones. FIIG had Carbon Black EDR that was two versions out of date, Palo Alto firewalls that were misconfigured with FTP left open, and a risk register with identified gaps left unaddressed.
Adequate preparation means:
FIIG had no Incident Response Plan. When the breach occurred, the organisation learned about it from the Australian Cyber Security Centre, not from its own systems. The court also required FIIG's CEO to personally attest to the remediation work. Boards and executives can no longer delegate cyber and assume it's handled.
Adequate preparation means detection happens inside your environment, response follows a documented and rehearsed path, and leadership knows their role before an incident, not during one.
The ASIC vs FIIG ruling makes cyber readiness something you have to evidence. The andersenIT briefing "After FIIG: A Practical Briefing for Financial Services IT Leaders" breaks down the five areas the court examined, what adequate looks like in each, and a clear starting point to assess where your organisation sits today.
Download the free briefing now through the form below: