A Turning Point in Cyber Enforcement 

ASIC’s $2.5 million penalty against FIIG Securities marks a distinct shift in regulatory expectations. Cybersecurity failures are now treated as core compliance and governance failures, not just technical lapses.

The message is industry-agnostic: if cyber risk affects customers, clients or markets, regulators expect it to be managed.

What Went Wrong at FIIG 

FIIG is an Australian financial services firm that specialises in fixed-income products and services. FIIG contravened the Corporations Act 2001 (Cth) by failing to maintain adequate cybersecurity systems, risk management frameworks and resourcing from 2019 to 2023. As a financial services provider, FIIG was required to deliver its services efficiently, honestly and fairly, which includes implementing appropriate cybersecurity measures to protect clients’ data. However, FIIG’s systems were deficient in the management, monitoring and implementation of cybersecurity risk controls.

These failures exposed the company to significant cyber risk, and in May 2023 it suffered a cyberattack in which approximately 385 GB of sensitive client data was accessed and downloaded without authorisation. The breach was exacerbated by FIIG’s failure to allocate sufficient technological, human and financial resources to maintain effective cybersecurity protections.

FIIG did have cybersecurity policies, a risk management framework, and some technical tools in place, but ASIC found these were inadequate because they were poorly implemented, not maintained and not actively monitored. For example, systems were misconfigured, updates were not carried out, and incident response and staff training processes were incomplete and largely untested.  

As a result, these measures were ineffective in practice and reflected broader governance failures, meaning FIIG did not have adequate risk management systems as required under the Corporations Act 2001 (Cth). 

The Key Legal Lesson: Implementation Matters 

Regulators are increasingly requiring boards and senior management to take an active role in overseeing cyber risk, and they are no longer satisfied with cybersecurity frameworks that exist only on paper. Policies, registers and risk plans must be actively implemented, monitored and resourced. It is no longer sufficient to delegate responsibility entirely to IT teams or third parties.

The cost of implementing and maintaining robust cybersecurity compliance is properly understood as the cost of doing business. The outcome in the FIIG matter illustrates this point, as the financial and reputational consequences far exceeded what proactive compliance would likely have cost, reinforcing the expectation that firms invest adequately in managing cyber risk. 

Cyber risk is now treated like any other foreseeable operational risk. Businesses must be able to show that they identified cyber threats, allocated appropriate resources, implemented controls, and regularly reviewed whether those controls were effective. 

The legal test is shifting toward: 

  • What risks were known? 
  • What steps were taken to address them? 
  • Can those steps be proven with evidence? 

Why This Is Relevant to All Firms 

The implications of the FIIG matter extend well beyond financial services, because almost all organisations now rely on digital systems, hold sensitive data or outsource critical functions.

A cyber incident can trigger:

  • Regulatory action 
  • Contractual and client disputes 
  • Insurance coverage issues 
  • Reputational damage 

The principles applied in FIIG are broadly transferable across industries because they reflect a general legal standard for how organisations must manage foreseeable risks. Cybersecurity is now treated in the same way as other core operational risks, requiring active oversight, adequate resourcing and effective implementation.  

Practical Takeaways for Your Business 

  • Do your cyber controls match what your policies say? 
  • Are known risks tracked through to remediation? 
  • Is cyber risk regularly escalated to senior leadership or the board? 
  • Can your organisation demonstrate decisions, prioritisation, and action? 

The Bottom Line 

Cybersecurity is no longer a technical issue — it is a compliance, governance and liability issue. The FIIG decision reinforces that enforcement risk now attaches to how organisations operate, not just what they document. 


If your business requires assistance with cybersecurity, our IP, Tech + Compliance team can provide tailored advice on risk management measures and regulatory compliance. Please contact Ersel: ersel@morganenglish.com.au 

About the author:

Ersel Akpinar is Special Counsel at Morgan + English Commercial Lawyers and leads the firm’s IP & Technology practice. He advises technology‑led businesses on intellectual property, data, commercialisation and corporate matters, drawing on over 25 years’ experience in private practice.
