Landmark ruling provides cyber security guidance for AFS licensees
Key takeaways
- The Federal Court has imposed a $2.5 million penalty on FIIG Securities Limited plus costs for failing to meet cyber security obligations as an Australian financial services (AFS) licensee.
- The ruling underscores the importance for AFS licensees to ensure robust cyber security protections for their clients.
- AFS licensees should regularly review and, as necessary, enhance their cyber security systems, resources, policies and training, ensuring standards are appropriate for their organisation and that controls are actively maintained and understood by staff.
- It is essential to avoid a ‘set and forget’ approach, engage qualified professionals, and prioritise ongoing compliance and governance in managing cyber risks.
- Reach out if you have questions about your cyber security obligations or need guidance reviewing or enhancing your current practices.
Background
In line with the increasing focus on cyber security standards within the financial services industry, the Federal Court has imposed a $2.5 million pecuniary penalty on an AFS licensee, FIIG.
While the court has previously imposed penalties on AFS licensees for contraventions arising from cyber security failures (see our previous article, AFSL holders on notice for cyber security failings), this is the first time the Federal Court has imposed civil penalties for cyber security failures giving rise to a contravention of the general AFS licensee obligations.
This is significant for the industry, demonstrating to AFS licensees that cyber security protections for their clients are crucial to compliance with their general obligations under section 912A of the Corporations Act.
What gave rise to the contraventions?
FIIG is a fixed income specialist, relying on its AFS licence (AFSL) to provide direct retail and wholesale clients, and adviser intermediaries, with access to fixed income investment opportunities. Its AFSL authorises it to provide general and personal financial product advice, deal in financial products, make a market and provide custodial or depository services (in each case for certain categories of financial product).
In May 2023, FIIG was the victim of a cyber incident in which screenshots of client data, including sensitive personal information (ie drivers’ licences, passports, bank account details and tax file numbers), were stolen and later published on the dark web by the perpetrator. The impact on clients was significant: approximately 18,000 FIIG clients were notified that their personal information may have been compromised.
In March 2025, ASIC commenced proceedings against FIIG alleging contraventions of the Corporations Act 2001 (Cth). We summarised the allegations against FIIG in our previous article, A warning to AFSL holders - ASIC sues for alleged inadequate cyber security systems.
The Court’s findings – breaches of the general AFS licensee obligations
ASIC and FIIG jointly sought orders for declarations rather than proceeding to a contested hearing. The Federal Court approved the proposed orders, in which FIIG accepted that, from 13 March 2019 to 8 June 2023 (breach period):
it had not complied with its obligations as an AFS licensee; and
given its size and the nature of the client data it held, it failed to have in place ‘adequate cyber security measures’ to allow it to appropriately detect and respond to the incident.
Summary of contraventions
The court held that the following breaches of the general obligations in section 912A occurred (and, as a result, that FIIG contravened s 912A(5A)):
| General obligation | Relevant conduct |
|---|---|
| s 912A(1)(d): failure to have available adequate resources (including financial, technological and human resources) to provide the financial services covered by its AFSL | FIIG failed to employ, or outsource to, people with the skills, knowledge and experience in IT security needed to put adequate cyber security measures in place; failed to give staff or contractors sufficient responsibility and time to carry out those measures; and did not allocate sufficient financial resources to cyber security (see below). |
| s 912A(1)(h): failure to have adequate risk management systems in place | FIIG failed to implement the controls identified in its risk management system to mitigate the cyber security risks it faced. |
| s 912A(1)(a): failure to do all things necessary to ensure the financial services covered by the AFSL were provided efficiently, honestly and fairly | Arose from the failure to comply with the other general obligations in section 912A, as set out above. |
Failure to provide financial services efficiently, honestly and fairly
A broad range of conduct, taken cumulatively, resulted in FIIG breaching its obligation to provide financial services ‘efficiently, honestly and fairly’ at various times during the breach period. This conduct was specifically identified by ASIC (and admitted by FIIG).
FIIG accepted the following:
Cyber incident response plan: it did not have in place a cyber incident response plan which was tested by FIIG at least annually and which identified the actions to be taken by FIIG (and specific personnel) following a cyber security incident (including containment, investigation and remediation) whilst ensuring the integrity and confidentiality of information.
Excessive access privileges: it had privileged user accounts that were used for non-privileged tasks, and it failed to review these access rights quarterly.
Inadequate passwords: it operated accounts using passwords that did not meet a 14-character minimum length and complexity requirement, and it stored passwords on FIIG’s network using insecure methods.
Inadequate network and vulnerability scanning tools: it did not:
have a network-based scanning tool capable of identifying security vulnerabilities in its network;
have software on all endpoints capable of identifying security vulnerabilities;
run vulnerability scans over its network and endpoints; or
review the results of any vulnerability scans and take action to address any vulnerabilities identified.
Inadequate testing: it conducted testing infrequently or not at all in some instances, namely:
only conducting vulnerability testing related to its website in 2021, and external penetration testing of its perimeter, network and some of its applications in February 2023, when it should have done so for its external perimeter and business-critical applications at least annually;
no penetration testing of systems and applications in FIIG's network that were identified as having an increased risk profile or introduced into FIIG's network or the subject of a significant change, at or about the time the increased risk or change arose.
Inadequate firewall protections: it had firewalls in place, but:
these were not configured to prevent endpoints or servers from establishing direct connections to file transfer protocol servers over the internet;
these did not restrict access to the internet from internal systems to only the extent necessary to perform those systems’ respective roles within the business;
these had insufficient limits on the protocols which could be used by outbound traffic to connect to the internet.
Improper policy configuration: it did not configure group policies in Active Directory to disable insecure methods of hash authentication on all endpoints and servers.
Endpoint detection and response (EDR) software: in relation to its EDR software ‘Carbon Black’:
it was installed on some, but not all, endpoints and servers;
it maintained a version of that software that was two versions behind the current version (in circumstances where there were no known defects in subsequent versions of the software);
it did not:
update threat signatures and monitor alerts produced by the software daily by a person with sufficient skills, training and experience to identify and respond to any unusual network activity; or
tune the software to suppress alerts generated by activities which were known to be non-threatening.
No software patch plans or processes: it did not:
have a patching plan across its systems and applications to identify and apply available patches within expected timeframes (30 days for critical, 90 days for medium, 12 months for low‑importance patches);
update operating systems to a version currently supported by the vendor;
apply additional compensating controls in respect of operating systems and applications which could not be updated to control the increased risk of compromise;
apply security patches to address specific ‘common vulnerabilities and exposures’ that had been widely publicised since at least 2019.
No multi-factor authentication: it did not have multi-factor authentication for its remote access users from late 2022.
No threat alert monitoring: it did not have a practice of monitoring threat alerts by its IT personnel.
Inadequate cyber security awareness training: it provided minimal cyber security awareness training to its employees (i.e. only basic induction training on the existence of IT security and cyber information security policies, and two emails sent in 2022 from FIIG’s Chief Operating Officer to all employees relating to phishing/spam emails); and
No cyber security reviews: it had no process to periodically assess the effectiveness of its existing technical cyber security controls (including quarterly reviews of its endpoint detection and response tooling and other controls), nor to evaluate its overall cyber resilience on an annual basis.
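The patching deficiencies listed above (remediation windows of 30 days, 90 days and 12 months by severity, operating systems no longer supported by the vendor, and compensating controls where an upgrade is not possible) are the kind of control a licensee can check mechanically against its own inventory rather than by assertion. The following is an added illustrative example, not code from the article, from FIIG or from ASIC: a small Python checker that takes a constructed patch and host inventory (the host names, bulletin references and dates are invented placeholders) and reports patches applied or still outstanding beyond the stated windows, together with out-of-support hosts that have no recorded compensating controls. The severity windows are those stated in the findings; the 8 June 2023 reference date is the end of the admitted breach period.

```python
"""Patch-SLA and end-of-support checker (illustrative example; sample data is constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows stated in the findings: 30 days critical, 90 days medium, 12 months low.
SLA_DAYS = {"critical": 30, "medium": 90, "low": 365}


@dataclass(frozen=True)
class PatchFinding:
    host: str
    patch_id: str                    # vendor bulletin reference (placeholders below, not real advisories)
    severity: str                    # "critical" | "medium" | "low"
    published: date                  # date the vendor made the fix available
    applied: Optional[date] = None   # None = still outstanding


@dataclass(frozen=True)
class Host:
    name: str
    os_supported_until: Optional[date]   # vendor end-of-support date; None = unknown
    compensating_controls: bool = False  # e.g. network isolation or application allow-listing recorded


def sla_deadline(f: PatchFinding) -> date:
    """Date by which the patch should have been applied. An unrated or unknown severity
    gets the tightest window, so it cannot silently fall outside the policy."""
    days = SLA_DAYS.get(f.severity.lower(), SLA_DAYS["critical"])
    return f.published + timedelta(days=days)


def overdue_patches(findings, today: date) -> list:
    """Return (host, patch_id, days_past_deadline) for every finding applied later than its
    SLA, or still outstanding past it as at `today`. Findings inside their window are omitted."""
    out = []
    for f in findings:
        deadline = sla_deadline(f)
        effective = f.applied or today           # outstanding patches are measured up to today
        if effective > deadline:
            out.append((f.host, f.patch_id, (effective - deadline).days))
    return sorted(out, key=lambda row: -row[2])  # worst breaches first


def unsupported_hosts_without_compensation(hosts, today: date) -> list:
    """Hosts whose OS is past vendor support (or whose support status is unknown) and
    which have no documented compensating controls. Both were admitted gaps in the case."""
    return sorted(
        h.name for h in hosts
        if (h.os_supported_until is None or h.os_supported_until < today)
        and not h.compensating_controls
    )


# Constructed sample inventory (not FIIG's real estate).
AS_AT = date(2023, 6, 8)  # end of the admitted breach period, used here as the reference date

FINDINGS = [
    PatchFinding("srv-01", "vendor-bulletin-1", "critical", date(2023, 1, 10), date(2023, 1, 30)),  # on time
    PatchFinding("srv-01", "vendor-bulletin-2", "critical", date(2023, 1, 10)),                     # outstanding
    PatchFinding("ws-07", "vendor-bulletin-3", "medium", date(2023, 2, 1), date(2023, 5, 20)),      # applied late
    PatchFinding("ws-07", "vendor-bulletin-4", "low", date(2022, 9, 1)),                            # still in window
]
HOSTS = [
    Host("srv-01", date(2025, 10, 14)),
    Host("srv-legacy-02", date(2020, 1, 14)),                             # out of support, no mitigation
    Host("srv-legacy-03", date(2020, 1, 14), compensating_controls=True),  # out of support but isolated
    Host("ws-07", None),                                                  # support status never recorded
]


def run_report(findings=FINDINGS, hosts=HOSTS, today=AS_AT) -> dict:
    """Bundle both checks so the result can be attached to a periodic control review."""
    return {
        "overdue": overdue_patches(findings, today),
        "unsupported": unsupported_hosts_without_compensation(hosts, today),
    }


if __name__ == "__main__":
    report = run_report()
    for host, patch_id, days in report["overdue"]:
        print(f"OVERDUE  {host:14} {patch_id:18} {days} days past SLA")
    for host in report["unsupported"]:
        print(f"EOL/UNKNOWN  {host:14} no compensating controls recorded")
```

Run as a script it prints both lists. The design point is that the expected timeframes become a test the inventory either passes or fails at each review, and that an unrated finding or a host with no recorded support date is reported under the strictest reading rather than quietly dropping out.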
Failure to have available adequate resources
It was agreed by FIIG that it had breached its obligations to:
employ, or outsource to, people with the skills, knowledge and experience in IT security measures to have in place adequate cyber security measures, and those measures identified as controls in its risk management system; and
ensure staff or contractors were given a sufficient level of responsibility for carrying out those measures and adequate time to properly discharge those responsibilities.
During the breach period:
while FIIG delegated operational responsibility for its IT security to its Chief Operating Officer and also employed IT staff (between nine and 14 over the course of the breach period), those individuals did not have sufficient skills, knowledge or experience in IT security, or sufficient time (having regard to their other responsibilities within the organisation) to ensure FIIG had the necessary measures in place; and
FIIG did not provide sufficient financial resources to enable it to have adequate cyber security measures in place, or to employ or outsource the human resources with the requisite skills, knowledge and experience.
Failure to have adequate risk management systems in place
As is the case for other risks identified for an AFS licensee, FIIG was required to do the following in respect of cyber security risks under its section 912A(1)(h) obligation:
identify the relevant cyber security risks;
identify, establish, fully implement and maintain controls adequate to manage or mitigate those risks; and
monitor those controls to ensure they were effective in managing or mitigating those risks.
Not only did FIIG fail to put appropriate measures in place to manage or mitigate its cyber security risks, but where it had adopted controls to deal with such risks it did not follow through on compliance with them. It failed to implement the procedures and controls required by its own information security and cyber policies and annual custodial services audit. These deficiencies fell short of the requirements to implement, maintain and monitor the controls it had adopted.
What does this mean for licensees?
The contraventions by FIIG did not arise merely because of the cyber security incident. Importantly, the Court recognised it is impossible to prevent every cyber incident and that is not the regulatory expectation. ASIC is not seeking to impose an unattainable standard of information protection on licensees. Rather, its concern is that organisations subject to obligations under the Corporations Act maintain adequate and effective cyber protection systems, appropriate to the risks they face.
Considering the Federal Court’s findings and the penalty imposed, AFS licensees should take the following steps:
- Ensure appropriate risk management systems: review their current systems and practices and ensure they are of an appropriate standard, considering the size of the organisation and the nature of client information dealt with.
- Stress testing and scenario planning: consider scenario testing of major system outages, cyber incident tabletop exercises (including at a board level), testing communication flows between compliance, IT and executive teams, and regularly reviewing business continuity plans.
- Engage subject matter experts: ensure their approach to cyber security is not ‘set and forget’ and engage or employ appropriately qualified professionals to continually review and uplift cyber security capabilities. While the standard of ‘adequate’ cyber security will evolve over time, AFS licensees should take into account the specific deficiencies identified in FIIG’s measures.
- Align resourcing with operational and cyber risk exposure: review and assess the adequacy of the human and financial resources allocated to IT and cyber security. This should address both the capacity and the skills of those resources. These functions should be given prominence within the AFS licensee’s organisation commensurate with the risk of failure in these areas.
- Consider outsourcing and third-party risk: complete due diligence on all third-party vendors, particularly IT and cloud service providers (i.e. those that hold data and are responsible for the security of systems), and ensure this due diligence is ongoing, not limited to the point of engagement.
- Make cyber policies clear and accessible: set out cyber security measures and appropriate policies in each compliance manual and/or risk management framework. The measures should be easily signposted, accessible and understood by the relevant personnel in the same way as other crucial compliance controls.
- Ensure policies are practical and followed: ensure the policies in place are realistically understood and followed. Paying only lip service to policies, even where those policies are of a gold standard, will be seen as a failing. This also raises broader governance issues and has been of regulatory interest in other areas as well (such as ASIC’s private markets review).
- Deliver regular, meaningful cyber training: ensure that training provided in respect of cyber security measures is regular and meaningful. In addition to training provided to all licensee staff, we would consider it prudent that the responsible managers that are responsible for the oversight of the provision of financial services by a licensee should consider upskilling in this area, or have direct access to experts who can provide input on the way cyber security measures are being implemented as part of the organisation’s provision of financial services.
- Consider cyber security a board-level risk: consider cyber risk and systems adequacy as matters of board‑level responsibility. Directors must actively oversee the implementation and maintenance of adequate risk management systems, including cyber security controls, and ensure that known vulnerabilities are appropriately escalated and remediated. A failure to establish meaningful reporting lines, interrogate management assurances, or address identified deficiencies may expose directors to scrutiny. The duty of care and diligence requires directors to treat cyber resilience as a foreseeable and material regulatory risk, and to ensure that governance frameworks are not only designed appropriately but are operating effectively in practice.
Next steps
Reach out to our HW Funds Team or Cyber, Privacy & Data Protection Team if you have questions about your cyber security obligations or need guidance reviewing or enhancing your current practices.
We can provide tailored advice and practical support to help ensure your organisation meets regulatory expectations and is well-prepared to manage cyber risks effectively.