Poor cybersecurity oversight just cost an Australian financial services firm AUD2.5 million, and no third party needed to prove actual loss for the penalty to stick. The potential for significant harm was enough.

Australia's Federal Court has imposed that penalty on FIIG Securities Limited (FIIG), a financial services licensee, for cybersecurity governance failures: the first civil penalty of its kind against an Australian Financial Services (AFS) licensee under the Corporations Act 2001 (Cth).

The ruling marks a turning point in how regulators treat cyber risk, and with New Zealand's enforcement powers set to strengthen, this case carries a direct warning for businesses on both sides of the Tasman.

Key takeaways

  • Businesses operating in Australia are now firmly on notice of overlapping regulatory risk in relation to cybersecurity breaches: the Australian Securities and Investments Commission (ASIC) can, and will, act on proactive governance failures under the Corporations Act, while the Office of the Australian Information Commissioner (OAIC) can pursue post-breach privacy harms under privacy legislation. These are distinct regimes, but a single cybersecurity incident could attract scrutiny from both.

  • This is the first time civil penalties of this magnitude have been imposed for cybersecurity governance failures in Australia - even without widespread or material consumer harm. It marks a significant escalation in ASIC enforcement.

  • While to date, New Zealand has lagged behind Australia in terms of penalties for cybersecurity and privacy breaches, the Government’s recently released Cyber Security Action Plan 2026-2027 indicates that stronger enforcement powers and fines under our Privacy Act are on the horizon.

What happened?

Providers of financial services in Australia must hold an AFS licence, unless exceptions apply. That licence requires providers to maintain adequate risk management systems.

In 2023, AFS licensee FIIG suffered a cyber-attack which resulted in the theft and publication on the dark web of confidential and highly sensitive information relating to 18,000 clients. The compromised data included drivers’ licences, passport information, bank account details and tax file numbers.

ASIC brought proceedings against FIIG claiming it had failed to properly manage and mitigate cybersecurity risks over a four-year period, in breach of its AFS licence. FIIG admitted to three separate contraventions of its AFS licence under s 912A of the Corporations Act 2001 (Cth):

  1. failing to provide financial services efficiently, honestly and fairly (s 912A(1)(a));
  2. failing to have adequate financial, technological and human resources (s 912A(1)(d)); and
  3. failing to have adequate risk management systems (s 912A(1)(h)).

Each of these also contravened the civil penalty provision in s 912A(5A).

In February 2026, Justice Derrington of the Australian Federal Court imposed the AUD2.5 million penalty, emphasising that the cost of compliance would have been far lower. Justice Derrington noted that the penalty “send[s] a warning to businesses with inappropriate underinvestment in cybersecurity”, a clear signal that cyber resilience is now a regulatory expectation, not a discretionary investment.

The decision is the first time Australian courts have imposed a civil penalty specifically for cybersecurity governance failings by an AFS licensee.

This principle was foreshadowed in ASIC v RI Advice Group Pty Ltd (2022) and reflected in ASIC v Lanterne Fund Services Pty Ltd (2024) by reference to technological resources. But FIIG is the first case to impose a material agreed civil penalty where cybersecurity deficiency was the sole and direct cause of the contraventions - not merely a component of broader governance failures.

The message is clear: failing to maintain adequate cybersecurity measures can itself constitute a failure to provide financial services efficiently and fairly. Australian regulatory exposure therefore extends beyond the post-breach privacy harms pursued by the OAIC.

What this means for you

New Zealand companies carrying on business in Australia should be aware that they may be subject to both the Corporations Act 2001 (Cth) and Australian privacy legislation, exposing them to potential penalties under either or both regimes for cybersecurity breaches.
While New Zealand has yet to see enforcement action for breach of financial cyber-resilience obligations, the Financial Markets Authority (FMA) has made clear that effective security systems are a necessary component of managing technology risks and meeting licensed services obligations.

At present, the New Zealand Privacy Act provides for comparatively small penalties for privacy breaches, chiefly a NZD 10,000 maximum penalty for failing to notify the Office of the Privacy Commissioner (OPC) of a data breach giving rise to a serious risk of harm.

Unsurprisingly, the OPC has publicly called for greater enforcement powers. While Parliament has yet to act on these appeals, the Government’s recently released Cyber Security Action Plan 2026-2027 indicates that the long-called-for stronger compliance tools may not be far away. The Plan directs the Ministry of Justice to provide advice on options to incentivise the protection of personal information from cyber threats, such as introducing a civil pecuniary penalty regime into the Privacy Act. For more information, see our report on the Plan and our Cyber Risks Report.

How we can help

If you’d like a review of your current practices, or guidance on how this case could impact your obligations, please get in touch with one of our experts.

Special thanks to Holly Soar for her assistance in writing this article.
