FIIG-uring out Section 912A – A judicial warning to financial services licensees who underinvest in managing cyber risk

Federal Court decision sets standard for adequate cybersecurity measures, and issues a significant penalty and "warning to businesses with … underinvestment in cybersecurity". The decision provides guidance to both regulated entities and general businesses for assessing their own measures and investments.

Australia's Federal Court has ordered fixed income specialist, FIIG Securities Limited (FIIG) to undertake a compliance program and pay a multi-million dollar penalty  for admitted failures over a four-year period to protect its business and thousands of clients from cybersecurity threats.

A cybersecurity intrusion in May 2023 saw Russian cybercriminal group AlphV claim responsibility for taking approximately 385 gigabytes of personal information and confidential information from FIIG's network and publishing it onto the dark web. The data included company confidential information, as well as individual investors' passport details, tax file numbers and bank account information. FIIG notified about 18,000 clients that their personal information may have been compromised in the cyber incident.

What the court found

The Court's decision describes the expected standard of cyber risk management and cybersecurity: The adequacy of a financial services licensee's cyber risk management and cyber security measures will be informed by factors such as the nature of the licensee's business; the confidential or personal information held about its clients; the value of funds under advice and assets held on behalf of clients; the magnitude and potential consequences of cyber security risks; and business's contractual responsibilities to its clients.

The decision then details the technical capabilities and organisational measures including governance, funding and resourcing, that Australian regulators and the courts (and dare we add, class-action claimants) consider as reasonable to manage cyber risk and cyber security, having regard to those adequacy factors. Below we set out a list of measures missing from FIIG's cybersecurity program.

What the decision means

While the FIIG decision applies specifically to financial services licensees, it provides a useful touchstone also for APRA-regulated bodies, registered scheme operators, superannuation funds and general business when assessing the suitability their own measures. Indeed, the standard is even higher for prudentially regulated organisations e.g. banks, insurers and superannuation funds, as a failing here can lead to personal liability for persons accountable for cyber events, under the Financial Accountability Regime Act 2023 (Cth).

The outcome also confirms that, beyond mere technical measures, businesses must also invest sufficiently in people, time and financial resources needed for putting in place and maintaining adequate measures to reduce cyber risk and manage cybersecurity. The judgment noted that FIIG's costs of providing adequate measures over the four-plus year period would have been approximately $1.2 million, whereas the company's known costs of remediating the 2023 cyber incident were approx. $1.5 million.

The Court's civil penalty of $2.5 million represented 20 per cent of FIIG's net assets as at 30 June 2025, and approximately 8 per cent of its annual turnover during FY2025. The company was also ordered to pay $500,000 towards ASIC's legal costs.

What companies should do

Organisations – regulated and unregulated – must acknowledge that providing adequate technological, human, and financial resources (including adequate cybersecurity measures) for managing cyber risk and the impacts of cyber events is a mandatory, board-level governance obligation.

For assistance with assessing your organisation's measures for managing cyber risk and cybersecurity within your risk appetite and regulatory responsibilities, contact our Technology team.

Where FIIG failed

FIIG admitted that it failed to have adequate technical measures and provide sufficient time, money and resources for protecting funds, assets and personal information under its management. In particular, by FIIG not:

Technical and policy measures

• requiring privileged accounts to be secured with passwords of at least 14 characters;
• preventing use of privileged accounts for non-privileged activities;
• reviewing access rights quarterly;
• having a structured plan for patching key software systems to address known and emerging security vulnerabilities within determined timeframes;
• using group policies to disable insecure authentication protocols;
• mandating multi-factor authentication for all remote access users from late 2022;
• conducting vulnerability scanning over its networks and endpoints, and having processes for reviewing results and taking necessary action;
• conducting penetration testing of the external perimeter, internal network and at least business-critical applications at least annually;
• having firewalls configured to prevent endpoints or servers from establishing direct connections to file transfer protocol servers over the internet, and to restrict access to the internet from internal systems to only the extent necessary;
• ensuring endpoint detection and response (EDR) software was installed on all endpoints and servers, was appropriately updated, and configured to generate relevant alerts and suppress non-threatening alerts;
• having a process to review and evaluate the effectiveness of EDR configuration and rules at least quarterly, and other technical controls and organisation-wide cyber resilience at least annually;
• monitoring threat alerts across systems by using IT personnel having the knowledge, skills and experience to identify and respond to any unusual or suspicious activity;
• requiring annual security awareness training for all employees and addressing the organisation’s key cybersecurity risks and expected behaviours; and
• having an appropriate cyber incident response plan that was tested annually.

Resource allocation

• having available human resources (whether employed or outsourced from third party experts) with the knowledge and skills, sufficient level of responsibility and time (relative to their other duties) needed to put those measures in place and to implement the controls FIIG had established to mitigate the cybersecurity risks faced by it; and
• allocating sufficient financial resources to implement and maintain the technical and organisational controls.

This article was prepared by Partner Steven Hunwicks, a specialist cybersecurity, data privacy, and technology lawyer at Thomson Geer. Steven acknowledges the assistance of vacation clerk Kaitlyn Wood-Lambert in preparing this article.