IT Insights

What lawyers are saying about the ASIC vs FIIG ruling

Written by ait-admin | Jul 8, 2026 3:37:10 AM

When identifying a risk becomes the exposure

Most of the early commentary on the ASIC vs FIIG ruling focused on the $2.5M penalty. The legal analysis published since the judgement has zeroed in on something narrower: the specific finding under section 912A(1)(h) of the Corporations Act, which ASIC limited to FIIG's failure to implement controls it had already identified within its own risk management framework. 1

That distinction is doing most of the work in the post-judgement commentary, and it shapes what lawyers are now telling financial services leaders to do next.

The point lawyers are highlighting

Legal commentary on the case has converged on a clear precedent: a risk management framework on paper is not sufficient where the controls identified in that framework have not been operationalised.2 The case provides a practical illustration of how ASIC assesses adequacy in context, with the document itself capable of becoming the evidence used against an organisation if the controls described in it are not being implemented and reviewed.

Wotton Kearney, examining the ruling through a privacy and cyber governance lens, noted it is the first time the Federal Court has imposed civil penalties for cybersecurity failures under Australian Financial Services Licence obligations, and that responsibility for embedding cyber risk in the compliance framework now sits squarely with boards and senior management. 3

What the "adequacy" standard now means in practice

Justice Derrington described the standard directly in paragraph 4 of the judgement: ASIC is not requiring perfection. It is requiring systems, governance and resourcing that are proportionate to the risks the organisation faces, evidenced over time.4

The legal exposure is not about whether an incident occurs. It is about whether the organisation can demonstrate it took the steps its own framework required.

What lawyers are advising leaders to do next

The next-step guidance from the firms covering the case is consistent.5 Review the controls listed in your existing risk register and confirm which have been implemented in operation. Where gaps remain, document the remediation status, the rationale for any deferred items, and the executive accountable for closure. Where controls have been implemented, evidence the review activity that keeps them current.

The advice is not to redesign frameworks. It is to close the gap between what your framework describes and what your organisation can demonstrate.

In the long run, Wotton Kearny argues cyber becomes a licence compliance question, so they advise companies to 3:

  1. Assess cyber maturity by how each control gap exposes customer data
  2. Quantify risk by likely customer harm such as identity theft or financial loss (not just business disruption)
  3. Prove customer information is protected across its full lifecycle from collection to deletion
  4. Treat resourcing as part of the obligation as underinvestment that leaves customer data exposed is itself a failure under s912A

A practical next step

The andersenIT FIIG briefing sets out the five organisational failures the court identified and what adequate looks like against each. It is a useful reference when reviewing whether your own framework reflects current operating reality.

Download the briefing:https://www.andersenit.com.au/fiig-cyber-ruling-briefing-andersenit#download-form

 

References

  1. Herbert Smith Freehills Kramer, "First ASIC penalty for cybersecurity failures: Federal Court imposes $2.5m penalty on FIIG." https://www.hsfkramer.com/insights/2026-02/first-asic-penalty-for-cybersecurity-failures-federal-court-imposes-two-point-five-million-penalty
  2. MinterEllison, "Federal Court delivers a warning to businesses that underinvest in cybersecurity." https://www.minterellison.com/articles/federal-court-delivers-a-warning-to-businesses-that-underinvest-in-cybersecurity
  3. Wotton Kearney “ASIC’s FIIG Enforcement Action Through a Privacy and Cyber Governance Lens” https://www.wottonkearney.com/asics-fiig-enforcement-action-through-a-privacy-and-cyber-governance-lens/
  4. Australian Securities and Investments Commission v FIIG Securities Limited [2026] FCA 92, paragraph 4 (Derrington J). https://download.asic.gov.au/media/o02h30dd/26-021mr-asic-v-fiig-securities-limited-judgment-13-feb-2026.pdf
  5. Corrs Chambers Westgarth, "Cybersecurity enforcement intensifies: lessons from FIIG Securities' $2.5m compliance penalty." https://www.corrs.com.au/insights/cybersecurity-enforcement-intensifies-lessons-from-fiig-securities-2-5m-compliance-penalty