By: Kieran Doyle, Nicole Gabryk, Matt O’Keefe, Josh Simonis and Stefanie Constance
The Australian Securities and Investments Commission (ASIC) has secured a Federal Court ruling requiring FIIG Securities Limited (FIIG) to pay $2.5 million in civil penalties for longstanding failures in cyber security and data protection.[1] The ruling marks the first time the Federal Court has imposed civil penalties for cyber security failures under Australian Financial Services licence (AFSL) obligations, and represents a significant development in Australian regulatory treatment of data protection and cyber risk within the financial services sector.
The action followed a significant 2023 cyber incident in which approximately 385 gigabytes of highly sensitive personal information, including driver’s licence details, passport information, bank account numbers and tax file numbers, was stolen and later published online.[2] While the penalty was imposed under licensing provisions rather than privacy‑specific legislation, the decision has broader implications for how organisations approach personal data governance and cyber resilience.
AFSL Obligations
Section 912A of the Corporations Act 2001 (Cth) requires AFS licensees, among other things, to do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly (s 912A(1)(a)), to have available adequate resources, including financial, technological and human resources (s 912A(1)(d)), and to have adequate risk management systems (s 912A(1)(h)). These obligations are expressed in broad, principles-based terms.
In FIIG, the Court found contraventions of ss 912A(1)(a), (d) and (h) arising from inadequate technological resources and risk management systems between March 2019 and June 2023. Weaknesses in access controls, monitoring, vulnerability management, staff training and incident preparedness were treated as failures to meet those statutory obligations, not as breaches of a standalone cyber security standard.
The application of s 912A to cyber risk is not new. In ASIC v RI Advice Group Pty Ltd [2022] FCA 496, the Court accepted that deficiencies in cyber risk management could amount to contraventions of s 912A. The FIIG decision advances that trajectory by making declarations of contravention and imposing civil penalties for sustained cyber control deficiencies, confirming that cyber security and data governance fall within the scope of s 912A when systemic gaps in systems, resourcing or risk management are established.
Governance Expectations and Legal Implications
The FIIG matter illustrates how cyber security shortcomings can give rise to governance issues for AFS licensees in the delivery of financial services to clients. ASIC linked the adequacy of cyber controls to resourcing, capability and oversight, placing responsibility on boards and senior management to ensure cyber risk is embedded in broader compliance frameworks.[3]
Evidence of planning, investment, training and remediation may therefore be relevant in any future regulatory inquiry following a cyber incident. The broader implication, consistent with ASIC v RI Advice, is that cyber‑resilience forms part of “adequate” risk‑management systems under s 912A(1)(h). Sustained weaknesses in fundamental controls may indicate that an AFS licensee has not met its statutory obligations.
Cyber Security: A Focus on Preventative Controls
From a cyber security perspective, the Court’s findings reinforce that cyber capability is assessed as part of a licensee’s broader operational framework. The deficiencies identified at FIIG were not treated as isolated technical errors but as indicators that systems, supervision and risk management processes had not been adequately embedded over time. In that sense, operational resilience becomes a compliance question: whether the organisation’s controls are designed, resourced and maintained in a manner consistent with its statutory obligations. Consistent with this shift in focus, organisations should invest adequately in understanding their key cyber risks, in developing a strategy to manage those risks effectively, and in continuously executing, refining and updating that strategy.
Cyber Governance Now Firmly Within s 912A Obligations
The FIIG decision confirms that sustained cyber and data‑governance weaknesses can contravene s 912A where systems, resources or risk management are inadequate, and that existing obligations capture systemic failures in cyber resilience.
The decision does not mean that every breach will raise s 912A issues: the FIIG contraventions stem from long‑standing governance and resourcing failures, not from the incident alone. But it leaves little doubt that cyber risk governance sits within “adequate systems”, “adequate resources” and “adequate risk‑management systems”.
For AFSL holders, treating cyber as purely a technical issue is no longer tenable where systemic gaps intersect with core licensing duties. This decision makes it clear that all AFSL holders need to take action to mitigate these risks so that they are well positioned in the event that an incident does occur.
Implications for Cyber Management
For regulated entities, the FIIG decision reinforces that cyber strategy is central to meeting obligations to customers under an AFS licence. In the context of s 912A, inadequate cyber controls may compromise an entity’s ability to provide financial services efficiently, honestly and fairly, and to protect the sensitive information entrusted to it as part of the client relationship.
In practice, this means several strategic priorities take on heightened significance:
Investing in understanding current cyber maturity and the associated risks
Because the personal and financial information held is directly connected to customer trust and fair service delivery, maturity assessments should explicitly evaluate the risks to customers arising from data handling, system vulnerabilities and operational dependencies.
Quantifying cyber risks in line with regulatory expectations and customer impact
Cyber risk quantification should consider not only business disruption but also the potential harm to clients – such as identity theft, financial loss, or exposure of sensitive data. ASIC’s position in FIIG shows that where customer detriment is foreseeable, a failure to remediate known weaknesses may amount to a failure to act efficiently, honestly and fairly.
Developing and maintaining an effective cyber strategy to manage risks on an ongoing basis
A cyber strategy should demonstrate how customer information will be protected throughout the service lifecycle – collection, storage, use, disclosure and deletion – and how the organisation will maintain service continuity and safeguard client assets in the event of an incident.
Aligning cyber investment with strategy to effectively manage risks
Adequate resourcing is directly linked to customer obligations. Underinvestment that leaves customer information exposed, or that results in fragile systems used to deliver financial services, can be viewed as a failure to maintain adequate resources under s 912A.
These steps – maturity assessment, risk quantification, strategic planning and aligned investment – form the baseline of cyber management.
A Converging Regulatory Landscape
Cyber resilience is now central to licence compliance and board accountability. ASIC’s FIIG action shows that cyber, privacy and licensing expectations are converging. Boards and responsible officers should assess whether resourcing, controls, assurance and recovery planning are genuinely fit for purpose.
A practical next step for AFS licensees is to review cyber risk governance against AFSL obligations, with a focus on customer data protection:
- Assess current cyber maturity with an emphasis on how control gaps expose customer data and critical services.
- Quantify cyber risks based on potential customer harm and regulatory expectations.
- Refresh the cyber strategy to clearly articulate how customer information and service continuity will be protected.
- Align cyber investment to areas that materially reduce customer impact and licence compliance risk.
WK can support organisations in undertaking these steps by bringing together our expert legal and advisory team, to assess maturity, quantify risks and strengthen governance.
Key Contacts & Updates
For insights or questions about this article, please reach out to our authors.
[1] Australian Securities and Investments Commission (ASIC), ‘26‑021MR ASIC Action Sees FIIG Securities Ordered to Pay $2.5 Million over Cyber Security Failures’ (Media Release, 9 February 2026).
[2] Australian Securities and Investments Commission v FIIG Securities Limited (Concise Statement, Federal Court of Australia, QUD144/2025, filed 12 March 2025).
[3] ASIC, ‘26‑021MR’, above n 1.