Federal Court imposes AUD 2.5 million fine for breach of AFSL obligations
In brief
The Federal Court of Australia in Australian Securities and Investments Commission v FIIG Securities Limited [2026] FCA 92 has ordered FIIG Securities Limited (FIIG) to pay a penalty of AUD 2.5 million plus AUD 500,000 in costs in response to proceedings brought by the Australian Securities and Investments Commission (ASIC) in March 2025 for cyber security failures in breach of FIIG’s general Australian Financial Services Licence (AFSL) obligations between March 2019 and June 2023.
FIIG’s cyber security failures were found to have culminated in approximately 385GB of data being compromised in a cyber-attack starting 19 May 2023, affecting approximately 18,000 FIIG clients.
This case marks the first time the Federal Court has imposed civil penalties for cyber security failures under the general AFSL obligations and highlights ASIC’s increased focus on cyber risk management and its “clear license-to-operate expectation for sturdy resilience”.
Key takeaways
Cyber security and cyber resilience are essential components of an AFSL holder’s obligations. This case highlights that:
- ASIC has prescriptive and technical expectations for risk management systems and cyber security controls and is likely to take a detailed forensic approach to evaluate whether an AFSL holder’s risk management systems and cyber security controls are adequate and proportionate to its data sensitivity, scale and business risks, particularly in the wake of a cyber-attack that results in disclosure of client data;
- Businesses with an AFSL need to ensure that their risk management systems and cyber security measures adequately address cyber security risk, including by deploying adequate financial, technological and human resources to ensure adequate cyber security measures are in place;
- Failure to do so can result in non-compliance with AFSL obligations, ASIC proceedings and penalties;
- Adequate cyber security measures must be proportionate to the nature of the business, extent and complexity of information held, the value of assets held, the magnitude and potential consequences of the cyber security risks and any contractual obligations the AFSL holder has to its clients; and
- Staff with responsibility for ensuring adequate cyber security measures are in place must be appropriately skilled and given sufficient time and resources to properly discharge their obligations.
In depth
Background
FIIG is an Australian fixed-income specialist and AFSL holder and is subject to various obligations under the Corporations Act 2001 (Cth) (“Act”) including the general AFSL obligations under section 912A(1) of the Act. In providing financial services, FIIG collects and maintains extensive and detailed personal information about its clients. At the time of non-compliance, FIIG held between approximately AUD 2.99 – 3.7 billion in client assets under management. Given these factors, ASIC alleged that there was a real and foreseeable risk that FIIG would be the subject of an attempted or actual cyber-attack, yet it did not implement adequate controls. A cyber-attack in fact occurred from 19 March 2023 to 8 June 2023 and resulted in the theft and subsequent release of sensitive client data onto the dark web. FIIG was unaware of the event until the Australian Cyber Security Centre (ACSC) alerted FIIG on 2 June 2023.
ASIC’s cyber security and resilience expectations to meet general AFSL obligations
The proceedings illustrate ASIC’s detailed, technical and prescriptive expectations for risk management systems and cyber security controls (including vulnerability scanning and threat detection) and appropriate resourcing (including human resources) to meet general AFSL obligations under the Act, including to:
- Ensure financial services are provided efficiently, honestly and fairly (section 912A(1)(a));
- Have available adequate resources (including financial, technological and human resources) to provide the relevant financial services (section 912A(1)(d)); and
- Have adequate risk management systems (section 912A(1)(h)).
The table below summarises ASIC’s expectations coming out of this decision in relation to the risk management systems and controls that would have enabled FIIG to meet its general AFSL obligations under section 912A(1)(a), (d) and (h) of the Act and provides a useful point of reference for other AFSL holders (taking into account the relative nature of their business, extent and complexity of information held and the value of assets held).


Looking ahead: ASIC’s ongoing focus on cyber security enforcement
ASIC’s 2026 key issues outlook identifies cyber-attacks, data breaches and inadequate operational resilience and crisis management as dangerous threats to market confidence and customers that it will continue to focus on.
Regulators like ASIC will consider not just whether AFSL holders have risk management frameworks in place, but whether they are:
- Properly and consistently implemented by way of effective controls;
- Proportionate to the nature of the business, sensitivity and extent of information and the value of assets held;
- Tested and reviewed regularly;
- Adequately supported by personnel and financial resources; and
- Subject to appropriate governance and oversight.
In this environment it is particularly important for ASIC-regulated businesses and AFSL holders to ensure that cyber resilience is embedded into their licence compliance and governance frameworks, to be able to demonstrate that they have robust risk management measures in place and to test the robustness of these measures regularly and address any identified vulnerabilities to mitigate against the risk of a cyber-attack or data breach.
* * * * *
Vanessa Franco, Summer Clerk, has contributed to this legal update.