ASIC v FIIG Securities [2026] FCA 92

A Financial Services firm was just fined $2.5M for cybersecurity failures. Here's what your organisation needs to know.

ASIC secured its first civil penalty under general financial services licence obligations for cyber security failures. If you hold an AFSL, manage client assets, or operate in a regulated framework, this ruling changes everything.

After FIIG: A Practical Briefing for Financial Services IT Leaders
What the Federal Court ruling means for your organisation
andersenIT • 2026
$4.5M: Total cost of non-compliance
$1.2M: What compliance would've cost
18,000: Clients whose data was compromised
4+ yrs: Duration of admitted non-compliance

What happened

In February 2026, the Federal Court ruled that FIIG Securities had failed to meet its cybersecurity obligations under the Corporations Act for more than four consecutive years. The failures weren't technical. They were failures of governance, investment and accountability at the organisational level. The court identified five specific areas where FIIG fell short, and the penalty was more than double what compliance would have cost.

What does this mean for me?

A three-page executive briefing that breaks down the FIIG ruling clearly, maps the five failures to practical controls, and shows you exactly what your organisation needs to demonstrate. Written for boards, CIOs, CFOs, IT leaders and technical teams.

1. The FIIG case explained clearly: what happened, what the court found, and why it matters for every regulated firm
2. The five specific organisational failures the court identified, and what "adequate" looks like for each one
3. The Australian regulatory enforcement timeline from 2022 to 2026, showing this is a clear and accelerating pattern, not a one-off
4. A detailed control-area comparison: what FIIG failed to have vs. what adequate looks like, across access controls, EDR, patching, firewalls, risk registers and security training
5. What andersenIT typically finds when reviewing Financial Services environments: the common gaps, and a clear next step to assess where your organisation sits
From the briefing
Cost of adequate compliance (4 yrs): $1.2M
FIIG's post-breach remediation: $1.5M
Federal Court penalty: $2.5M
ASIC costs awarded: $500K
Total cost of non-compliance: $4.5M

Excludes reputational damage, client claims, business interruption, and ongoing compliance costs.

Cyber governance is now a board-level responsibility.

The court made it clear: outsourcing IT does not outsource accountability.

This ruling applies to your organisation if you are...

The court was clear: ASIC is not asking for perfect security. It is asking whether you can demonstrate adequate preparation in people, budget, controls and governance. If you operate in a regulated financial services framework, you are in scope.

An AFSL holder
Any organisation holding an Australian Financial Services Licence is directly subject to the obligations the court enforced. This is the precedent case, and ASIC has signalled it's just the start.
A bank or credit union
You hold significant volumes of sensitive client data and operate under strict regulatory oversight. The standard set by this ruling applies directly to your cybersecurity governance obligations.
A wealth management or accounting practice
You hold tax file numbers, bank details, and identity documents for thousands of clients. The data FIIG lost is the same kind of data sitting in your systems right now.
An investment manager
Operating in a regulated framework means you're in scope. ASIC is actively building enforcement capability. FIIG was not an isolated case. There are proceedings already underway against others.

The court ordered a compliance programme requiring FIIG's CEO to personally attest they have read and understood the independent expert's reports. This accountability mechanism is now standard in ASIC cyber enforcement. Boards and executives cannot outsource this responsibility.

"This is the first time the Federal Court has imposed civil penalties for cyber security failures under the general AFS licensee obligations, setting a clear licence-to-operate expectation for robust cyber resilience."

Sarah Court, ASIC Deputy Chair, 9 February 2026

The penalty was more than double the cost of compliance. Don't learn the same lesson.

Download the briefing.
Understand where you stand.

Fill in your details and we'll send the three-page executive briefing straight to your inbox. It takes 5 minutes to read and could save your organisation from a conversation you don't want to have with a regulator.

Based on ASIC v FIIG Securities [2026] FCA 92
Three pages, built for technical and executive teams
5-minute read with a clear action framework
25 years of Financial Services IT experience
