Maintaining operational consistency across financial services environments
The Federal Court’s ruling in ASIC v FIIG Securities reinforced that ASIC expects organisations to demonstrate that cyber controls remain active...
2 min read
ait-admin
:
Updated on July 8, 2026
When identifying a risk becomes the exposure
Most of the early commentary on the ASIC vs FIIG ruling focused on the $2.5M penalty. The legal analysis published since the judgement has zeroed in on something narrower: the specific finding under section 912A(1)(h) of the Corporations Act, which ASIC limited to FIIG's failure to implement controls it had already identified within its own risk management framework. 1
That distinction is doing most of the work in the post-judgement commentary, and it shapes what lawyers are now telling financial services leaders to do next.
Legal commentary on the case has converged on a clear precedent: a risk management framework on paper is not sufficient where the controls identified in that framework have not been operationalised.2 The case provides a practical illustration of how ASIC assesses adequacy in context, with the document itself capable of becoming the evidence used against an organisation if the controls described in it are not being implemented and reviewed.
Wotton Kearney, examining the ruling through a privacy and cyber governance lens, noted it is the first time the Federal Court has imposed civil penalties for cybersecurity failures under Australian Financial Services Licence obligations, and that responsibility for embedding cyber risk in the compliance framework now sits squarely with boards and senior management. 3
Justice Derrington described the standard directly in paragraph 4 of the judgement: ASIC is not requiring perfection. It is requiring systems, governance and resourcing that are proportionate to the risks the organisation faces, evidenced over time.4
The legal exposure is not about whether an incident occurs. It is about whether the organisation can demonstrate it took the steps its own framework required.
The next-step guidance from the firms covering the case is consistent.5 Review the controls listed in your existing risk register and confirm which have been implemented in operation. Where gaps remain, document the remediation status, the rationale for any deferred items, and the executive accountable for closure. Where controls have been implemented, evidence the review activity that keeps them current.
The advice is not to redesign frameworks. It is to close the gap between what your framework describes and what your organisation can demonstrate.
In the long run, Wotton Kearny argues cyber becomes a licence compliance question, so they advise companies to 3:
The andersenIT FIIG briefing sets out the five organisational failures the court identified and what adequate looks like against each. It is a useful reference when reviewing whether your own framework reflects current operating reality.
Download the briefing:https://www.andersenit.com.au/fiig-cyber-ruling-briefing-andersenit#download-form
The Federal Court’s ruling in ASIC v FIIG Securities reinforced that ASIC expects organisations to demonstrate that cyber controls remain active...
Financial services firms operate in environments where accuracy, compliance, and continuity are non-negotiable. As firms launch their 2026 strategies...
“Controlling what you can’t ensure and insuring what you can’t control.”