Case Note: ASIC’s Cybersecurity and Data Breach Scrutiny and Penalties on the Rise - FIIG Securities
- Gibson MacNeill Team

- Apr 1
- 4 min read

Overview
In a landmark decision of the Federal Court of Australia, a major data breach that exposed thousands of investors’ personal details has resulted in a $2.5 million penalty against FIIG Securities Limited (FIIG). The decision followed proceedings brought by the Australian Securities and Investments Commission (ASIC) for FIIG’s failure to maintain adequate cybersecurity measures — marking what is understood to be the first instance of civil liability for cybersecurity obligations arising under an Australian Financial Services (AFS) licence.
This case underscores an evolving regulatory landscape in which multiple regulators may impose penalties arising from the same cybersecurity incident.
The Notifiable Data Breaches Scheme under the Privacy Act
The Notifiable Data Breaches (NDB) Scheme, introduced in February 2018 through amendments to the Privacy Act 1988 (Cth), requires covered entities to notify both affected individuals and the Office of the Australian Information Commissioner (OAIC) of any eligible data breach.
An eligible breach occurs where there is unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to individuals. Entities must promptly assess suspected breaches and notify as soon as practicable if serious harm is likely.
The OAIC regulates and enforces the scheme. It investigates complaints, issues determinations, and may seek civil penalties for serious or repeated interferences with privacy — including breaches of Australian Privacy Principle 11, which requires reasonable steps to safeguard personal information.
The OAIC has already exercised its penalty powers in several major cases. In 2025, the Federal Court ordered Australian Clinical Labs Limited to pay between $4.2 million and $5.8 million following a data breach at its Medlab Pathology subsidiary affecting more than 223 000 individuals. This was the first civil penalty imposed under the Privacy Act for security failures and delays in breach notification. The OAIC has also commenced proceedings against Medibank Private Limited following its 2022 cyberattack, alleging failures to take reasonable steps to protect personal information.
Multi Regulator Enforcement and Overlapping Penalties
While the OAIC enforces privacy obligations under the Privacy Act, ASIC and other regulators are increasingly using their own statutes — such as the Corporations Act 2001 (Cth) — to pursue substantial penalties for cybersecurity failures.
This creates the potential for overlapping enforcement where a single data breach may lead to multiple regulatory actions and cumulative penalties.
This case note discusses ASIC v FIIG Securities Limited [2026] FCA 92, in which ASIC obtained penalties under FIIG’s AFS licence obligations, separate from any OAIC enforcement under the Privacy Act.
Background
FIIG is an Australian fixed income investment firm holding an AFS licence authorising it to deal in securities and provide financial product advice.
ASIC alleged that between March 2019 and June 2023, FIIG failed to allocate sufficient resources to cybersecurity as required under its licence.
FIIG’s deficiencies included:
- Inadequate documentation of cybersecurity and cyber resilience frameworks
- Weak risk management systems relative to the sensitivity of data held
- Insufficient controls to manage and mitigate cybersecurity risks
- Absence of an effective incident response plan and lack of annual testing
By May 2023, these weaknesses left FIIG vulnerable to a ransomware attack. Approximately 385 GB of confidential client data—including driver’s licences, passports, bank details and tax file numbers—was leaked on the dark web, exposing clients to further risk.
ASIC commenced proceedings in March 2025. FIIG acknowledged the breach and accepted that earlier detection and response would have been possible with appropriate systems in place.
Court Findings
On 9 February 2026, the Federal Court held in ASIC’s favour and ordered FIIG to pay $2.5 million in penalties, plus $500,000 towards ASIC’s legal costs. The Court also ordered FIIG to implement a compliance program and engage an independent cybersecurity expert to strengthen its systems to a state that is “reasonably managed.”
The Court found breaches of section 912A(1) of the Corporations Act 2001 (Cth), which requires AFS licensees to:
- Provide financial services efficiently, honestly, and fairly
- Maintain adequate financial, technological, and human resources
- Maintain adequate risk management systems
“This decision highlights the fundamental importance of cybersecurity obligations under AFS licensing,” the Court observed, signalling ASIC’s clear expectation that robust cyber resilience is a condition of a licensee’s licence to operate.
Lessons for Businesses
- Integrate cybersecurity into risk frameworks. Enforcement can arise from breaches of general AFS obligations, even where cybersecurity is not expressly mentioned.
- Allocate appropriate resources. Cybersecurity investment should reflect operational scale and data sensitivity. Under-resourcing can breach licence conditions.
- Document and test controls. Maintain policies covering multi-factor authentication, data encryption, and regular resilience testing.
- Maintain and review an incident response plan annually. Regular testing supports faster detection and mitigation of breaches.
- Treat cyber risks like financial risks. Executive oversight, accountability, and ongoing staff training are essential.
- Engage external experts. Independent audits demonstrate good governance and continuous improvement.
ASIC Deputy Chair Sarah Court reinforced this message:
“Cyberattacks and data breaches are escalating in both scale and sophistication, and inadequate controls put clients and companies at real risk.”
With the Australian Signals Directorate responding to over 1,200 cyber incidents in 2024–25, regulators are expected to intensify their proactive compliance reviews.
How Gibson MacNeill Lawyers Can Assist
At Gibson MacNeill Lawyers, we help clients navigate cybersecurity obligations and regulator expectations. Our team can assist with:
- Reviewing cybersecurity policies to assess compliance with AFS licensing obligations
- Identifying and managing exposure to privacy or corporate law enforcement actions
- Defending investigations or proceedings under the Corporations Act or Privacy Act
- Providing strategic advice on cybersecurity compliance and resilience
If your organisation holds sensitive data or a regulated licence, proactive assessment and improvement of cyber resilience controls are essential to protect clients and minimise legal risk.
Contact our team for tailored advice on meeting your cybersecurity compliance obligations.