AFS licensee fined $2.5 million for failing to protect client data
A recent Federal Court decision imposing $2.5 million in penalties on FIIG Securities Limited underscores the growing regulatory expectation that AFS licensees maintain robust cyber security and data protection practices.
On 9 February 2026, the Federal Court ordered FIIG to pay $2.5 million in pecuniary penalties and $50,000 towards ASIC’s costs after ASIC brought proceedings alleging failures to protect thousands of clients from cyber security threats over more than four years.
This is the first time the Federal Court has imposed civil penalties for cyber security failures under the general Australian financial services (AFS) licensee obligations in the Corporations Act 2001 (Cth). The decision sets clear expectations that AFS licensees must have robust cyber resilience practices in place.
Key takeaways
- Cyber security failures are now an enforcement priority, with ASIC willing to pursue significant financial penalties for non-compliance.
- The decision confirms that existing AFS licence obligations apply squarely to cyber resilience; no new law is needed for ASIC to take action.
- Licensees should expect increased regulatory scrutiny of their cyber security frameworks, resourcing and governance arrangements.
- Poorly governed AI adoption may heighten the risk of breaching core licence obligations, particularly where it impacts client outcomes.
- The cost of implementing robust cyber and AI governance frameworks is likely to be materially lower than the financial, legal and reputational consequences of a breach.
Background
FIIG is an AFS licensee providing retail and wholesale investors with access to fixed income investments and bond financing.
In the course of providing financial services, FIIG collected and maintained personal information about its clients, including names, addresses, dates of birth, phone numbers, copies or details of driver’s licences, passports and Medicare cards, tax file numbers, Australian business numbers and bank account details.
ASIC commenced proceedings against FIIG on 12 March 2025 following a cyber security failure that enabled a hacker to enter FIIG’s IT network and remain undetected. Approximately 385 GB of confidential data was stolen, with client data later released on the dark web. Around 18,000 clients were notified that their personal information may have been compromised because of the breach.
AFS licensee obligations
ASIC alleged FIIG failed to comply with its obligations as an AFS licensee, including the obligations under the Corporations Act to:
- do all things necessary to ensure the financial services covered by its AFS licence were provided efficiently, honestly and fairly (section 912A(1)(a));
- have adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence and to carry out supervisory arrangements (section 912A(1)(d)); and
- have adequate risk management systems (section 912A(1)(h)).
For a deeper analysis of the court’s findings, what gave rise to the contraventions in this case, and what the decision means for AFS licensees, see our recent article Landmark ruling provides cyber security guidance for AFS licensees.
In addition to these legislative requirements, ASIC’s 2026 key issues outlook identified cyber-attacks, data breaches and/or inadequate operational resilience and crisis management as a key focus for 2026. This highlights ASIC’s expectation that AFS licensees prioritise and invest in systems that protect their customers and maintain integrity in the financial system.
This case marks ASIC’s second cyber security enforcement action. It follows the Federal Court’s ruling in May 2022 that AFS licensee RI Advice had breached its obligations to act efficiently and fairly when it failed to have adequate risk management systems in place to mitigate cyber security risks. ASIC also filed civil proceedings against financial advice business Fortnum Private Wealth Limited in July 2025, alleging it had failed to properly manage and mitigate cyber security risks. The matter is listed for a directions hearing on 13 July 2026.
How AI could increase the risk of non-compliance
The adoption of artificial intelligence (AI) tools and technologies across the financial services industry introduces additional compliance risks if not properly governed. These risks include:
- inadvertent leakage of personal, sensitive or confidential information to unauthorised third-parties;
- overreliance on AI outputs leading to poor or unlawful decision-making; and
- reputational and financial harm arising from inadequate oversight.
As we noted in our previous article A warning to AFSL holders – ASIC sues for alleged inadequate cyber security systems, an AFS licensee’s obligation to provide financial services efficiently, honestly and fairly under section 912A(1)(a) of the Corporations Act is broad.
An AFS licensee that adopts AI without appropriate governance measures may risk being in breach of this obligation, including where it relies solely on automated decision-making in matters affecting individual customers’ rights. Similarly, the obligation under section 912A(1)(d) may require licensees to invest in additional training or the recruitment of personnel who are sufficiently skilled and experienced in managing AI risk.
For an AFS licensee to maintain compliance with these obligations (not to mention the risk management obligation under section 912A(1)(h)), it is critical that the adoption of AI by AFS licensees is accompanied by appropriate governance procedures and policies to minimise potential harm to consumers.
ASIC’s increasing focus on AI
ASIC’s recent commentary, publications and enforcement actions indicate an increasing regulatory focus on the risks posed by AI in the financial services industry.
In January 2024, ASIC Chair Joe Longo gave a speech titled We're not there yet: Current regulation around AI may not be sufficient where he noted that the reasoning behind the Federal Court’s judgment in the RI Advice proceedings could also be applied to ‘the use and operation of AI by financial services licensees’. He emphasised ASIC’s position that its existing regulatory toolkit was technology-neutral and could be used to address AI risks, stating ‘the responsibility towards good governance is not changed just because the technology is new…ASIC will continue to act, and act early, to deter bad behaviour whenever appropriate and however caused’.
ASIC’s report REP 798, titled Beware the gap: Governance arrangements in the face of AI innovation and released in October 2024, further identified a ‘potential for a governance gap’, including failures by licensees to:
- appropriately assess AI risks; or
- update their risk management policies or procedures to address AI.
ASIC also listed the following in its 2026 key issues outlook as additional key areas of focus for 2026:
- risks to consumers from automated decisions and AI-driven interactions; and
- regulatory gaps related to emerging financial sector participants, including users of AI.
In its media release about the FIIG proceedings, ASIC reinforced that:
- inadequate controls put clients and companies at risk of falling victim to increasingly sophisticated cyberattacks and data breaches. These consequences can far exceed the cost of implementing adequate controls in the first place;
- it views the Federal Court’s imposition of the penalty on FIIG as setting a ‘clear licence-to-operate expectation for robust cyber resilience’; and
- it expects licensees to prioritise cyber resilience and invest in fit-for-purpose people, systems and governance.
Considering these comments and the outcome of the FIIG proceedings, we expect ASIC will continue to take action against AFS licensees which fail to comply with their obligations, including where irresponsible AI adoption and lack of appropriate governance practices increase the risk of harm to consumers.
Appropriate AI governance and responsible cyber security measures are no longer separate considerations; they are central to meeting AFS licensee obligations under the Corporations Act.
Licensees should take proactive steps to:
- strengthen cyber resilience frameworks,
- implement clear AI governance structures, and
- ensure systems, controls and personnel are fit for purpose.
Licensees should be aware of ASIC’s increasing focus on addressing non-compliance, including seeking significant financial penalties.
If you would like guidance on your compliance obligations or establishing an effective AI governance framework, please reach out to our Cyber, Privacy & Data Protection Team.