On 9 February 2026, the Australian Federal Court handed down a landmark ruling in ASIC v FIIG Securities Limited, ordering the fixed-income firm to pay $2.5 million in penalties for cybersecurity failures spanning more than four years. Justice Derrington delivered his reasons on 13 February 2026. It's the first time the Federal Court has imposed civil penalties for cyber security failures under general AFS licensee obligations.
The ruling deserves close attention - not because of the penalty amount, but because of what the Court said about what organisations owe their stakeholders when it comes to cyber security.
The Court's position: adequate, not perfect
In his reasons, Justice Derrington acknowledged what most security leaders already know from experience: complete protection against cyber attacks is not achievable. He recognised that, in an environment where it is impossible to prevent every cyber attack, "ASIC's very legitimate concern does not seek to impose an unattainable standard of information protection. Rather, ASIC is concerned that entities which are subject to obligations under the Act have adequate cyber protection systems in place."
That word "adequate" is pivotal in this ruling.
A successful breach does not automatically prove that an organisation failed its obligations. The outcome alone is not the measure. What matters is whether you had adequate systems in place: systems appropriate to your context, your data, and your risk profile. The Court found that the standard of adequacy is informed by the nature of the business, the information held about clients, the value of funds under advice and assets held on behalf of clients, the magnitude and potential consequences of cybersecurity risks, and contractual obligations to clients.
And critically, you must be able to demonstrate what you did. The question has shifted from "did we prevent the breach?" to "can we prove we took adequate steps?"
Justice Derrington was direct about the broader significance: the imposition of the penalty "will send a warning to businesses with inappropriate underinvestment in cybersecurity."
What FIIG got wrong
FIIG's failures were fundamental, and they persisted for over four years.
ASIC identified a series of missing controls that most security professionals would consider baseline: no multi-factor authentication for remote access, no qualified staff monitoring threat alerts, no regular penetration testing (it was conducted only once during the four-year period), no structured patching program, no mandatory staff training, and no tested incident response plan.
The technical specifics were damning. FIIG failed to install security patches for known vulnerabilities including EternalBlue and BlueKeep for years. Privileged user accounts were used for routine tasks. Passwords were stored in plain files on the network rather than using secure methods. Carbon Black endpoint detection software was installed on some systems but was not monitored daily by anyone with sufficient expertise to identify and respond to threats.
FIIG employed between 9 and 14 IT staff during the relevant period, but none possessed sufficient cybersecurity expertise or dedicated time to implement adequate measures. The company substantially relied on its Chief Operating Officer and IT infrastructure team for cybersecurity, but those employees had wide-ranging other responsibilities.
Perhaps most damaging was the gap between policy and practice. FIIG had an IT Information Security Policy and a Cyber and Information Security Policy on paper. It simply failed to implement the measures those policies identified. The Court found that adherence to FIIG's own documented procedures could have enabled earlier detection and prevented some or all of the data from being exfiltrated.
In other words, FIIG wrote down what it should do and then didn't do it. The documentation became evidence against them.
The cost of compliance over the relevant period would have been approximately $1.2 million. Instead, FIIG incurred $2.5 million in penalties, $500,000 in ASIC's costs, and nearly $1.5 million in its own remediation costs, plus incalculable reputational damage and the exposure of 18,000 clients' sensitive data on the dark web. The consequences, as ASIC Deputy Chair Sarah Court put it, "far exceeded what it would have cost FIIG to implement adequate controls in the first place."
What this means for incident response teams
This ruling reshapes the operating context for every SOC, CIRT, and incident response function in Australia, particularly within regulated industries. Key points:
• Documentation is now a legal artefact. Every control decision, every risk acceptance, every playbook, every response action is potential evidence. The Court and ASIC examined not just whether FIIG had security tools, but whether those tools were monitored, whether alerts were acted on, and whether response procedures were exercised. Incident response teams need to treat their case records, timelines, and decision logs as materials that may one day be examined under forensic regulatory scrutiny.
• Tested plans, not just written ones. ASIC specifically cited the absence of a tested incident response plan as a failure. The regulator set out expected operational cadences: daily monitoring of endpoint detection, annual incident response testing, quarterly control reviews, and defined patching timeframes. Having a plan on a shared drive is not the same as having a tested, exercised capability.
• Detection and response times are now measurable obligations. FIIG admitted that adequate controls would have enabled earlier detection. The intrusion began on 19 May 2023. The Australian Cyber Security Centre alerted FIIG on 2 June. FIIG's own investigation didn't begin until 8 June, despite numerous firewall email alerts flagging suspicious activity from 23 May onwards. This timeline will be the benchmark against which future response capabilities are measured. The clock is always running, and you need to be able to show the timestamps.
• The policy-practice gap is a liability. If your playbooks say one thing and your team does another, the playbooks become evidence of a known gap. FIIG's own policies identified measures that it then failed to implement. Every disconnect between documented process and operational reality is now a demonstrable failure, not just an internal finding from a maturity assessment.
• Resourcing decisions are defensible positions. The Court found FIIG failed to allocate sufficient financial resources, qualified staff, and technology. For CISOs and security leaders who have been advocating for more investment, this ruling provides a legal reference point: the $1.2 million compliance cost versus the total consequences makes the business case starkly. But it also means that decisions to under-resource or to accept risk without documented justification become part of the evidentiary record.
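The cadences in the second point and the alert-to-investigation lag in the third are exactly the intervals a regulator can read off timestamps. The following is an added example, not Cydarm's code and not FIIG data: it checks a constructed control-activity log against those cadences and computes the lags from the page's own milestone dates. The activity records, the one-year audit window and the 92-day reading of "quarterly" are assumptions.

```python
from collections import defaultdict
from datetime import date

# Cadences the ruling is described as expecting: daily endpoint-detection
# monitoring, quarterly control reviews, annual incident-response testing.
# Values are maximum days between performances; 92 for a quarter is assumed.
CADENCE_DAYS = {"edr_monitoring": 1, "control_review": 92, "ir_test": 366}

# Constructed evidence log for the example (not FIIG data).
ACTIVITY_LOG = [
    ("edr_monitoring", date(2024, 1, 1)), ("edr_monitoring", date(2024, 1, 2)),
    ("edr_monitoring", date(2024, 1, 5)),  # two days with no monitoring review
    ("control_review", date(2024, 1, 15)), ("control_review", date(2024, 4, 10)),
    ("ir_test", date(2024, 2, 1)),
]
REVIEW_PERIOD = (date(2024, 1, 1), date(2024, 12, 31))  # assumed audit window

# Milestones taken from the page's account of the FIIG timeline (2023).
RESPONSE_TIMELINE = {
    "first_alert": date(2023, 5, 23),
    "external_notification": date(2023, 6, 2),
    "investigation_started": date(2023, 6, 8),
}

def cadence_gaps(log, cadence_days, period_start, period_end):
    """Return (control, gap_start, gap_end, days) for each interval between
    consecutive performances (period boundaries included) longer than the
    control's cadence; a never-performed control is one period-wide interval."""
    performed = defaultdict(list)
    for control, when in log:
        if period_start <= when <= period_end:
            performed[control].append(when)
    gaps = []
    for control, max_days in cadence_days.items():
        points = [period_start] + sorted(performed[control]) + [period_end]
        for earlier, later in zip(points, points[1:]):
            days = (later - earlier).days
            if days > max_days:
                gaps.append((control, earlier, later, days))
    return gaps

def response_lags(timeline):
    """Days from first internal alert and from external notification to the
    start of the investigation: intervals a regulator can read off timestamps."""
    start = timeline["investigation_started"]
    return {
        "alert_to_investigation": (start - timeline["first_alert"]).days,
        "notification_to_investigation": (start - timeline["external_notification"]).days,
    }
```

Note that a one-year window cannot show a missed annual test; the window has to be longer than the cadence being checked.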
Building defensible security operations with CIRM
This is precisely the challenge that Cybersecurity Incident Response Management (CIRM) platforms are designed to address. The FIIG ruling makes it clear that security operations need to be not just effective, but demonstrable. Your security program must be provable.
Cydarm's CIRM platform was built around this principle - that incident response is as much about evidence, process, and accountability as it is about technical response:
• Comprehensive case management and audit trails. Every action taken during an incident - every analyst note, every escalation, every decision - is captured in Cydarm's case timeline with full attribution and timestamps. When a regulator or a court asks "what did you do, and when?", you have a complete, contemporaneous record. Not a reconstruction. Not a recollection. A record.
• Playbooks that are used, not just documented. Cydarm implements editable playbooks using a consistent, open-source format that embeds directly into your response workflow. Analysts don't need to find the playbook and then follow it - the playbook is attached to the case. This closes the policy-practice gap that proved so damaging for FIIG, and means your documented procedures and your actual procedures are the same thing.
• Automated reporting for regulatory compliance. Cydarm generates situational and operational reports directly from incident data. When you need to report to a regulator, a board, or as the FIIG case shows, a court, the reporting is drawn from the same source of truth as your response activities. No manual reconstruction, no inconsistencies between what happened and what you reported.
• Metrics that demonstrate adequacy. The Court examined whether FIIG's controls were proportionate to its risk profile. Cydarm tracks incident types, response times, and operational metrics that allow security leaders to demonstrate not just that they responded, but that their response capability is appropriate to their context. When ASIC expects daily monitoring, annual testing, and quarterly reviews, you need data that shows you did it.
The standard is now set
The Federal Court has established a clear benchmark. Cyber security doesn't need to be perfect, but it does need to be adequate, and this means deliberate, documented, and defensible.
For security leaders, the practical takeaway is straightforward: every control, every decision, every risk acceptance should be documented with the assumption that you may one day need to explain it to a judge. Your security program must be demonstrable as well as protective.
Cydarm's CIRM platform helps organisations build exactly this kind of defensible security operations, where the evidence of adequate response is generated as a natural byproduct of doing the work, not as an afterthought.
The Court has made its position clear. The question now is whether your incident response capability can withstand the same level of scrutiny that FIIG's could not.
