On 9 February 2026, the Federal Court ordered FIIG Securities Limited to pay $2.5 million in penalties, plus $500,000 in costs, plus the expense of engaging an independent expert to overhaul its cyber security programme.
FIIG's failures weren't sophisticated or exotic. They were fundamental: no multi-factor authentication, no adequate penetration testing, no qualified personnel monitoring threats, no mandatory cyber security training, no tested incident response plan.
For those of us who have been advocating for board cyber education and emphasising that effective cyber security requires practical solutions and clear guidance, the FIIG case is validation. The fundamentals matter. Proven approaches work. And boards that understand this can prevent their organisations from becoming the next regulatory case study.
At Insicon Cyber, we've long maintained that cyber security must span from the boardroom to the server room. Directors need sufficient education to ask the right questions and provide informed oversight. Technical teams need the resources and support to implement controls properly. And organisations need integrated approaches that connect strategic governance with operational delivery.
ASIC Deputy Chair Sarah Court stated: "This is the first time the Federal Court has imposed civil penalties for cyber security failures under the general AFS licensee obligations, setting a clear licence-to-operate expectation for robust cyber resilience."
The fundamentals we've been teaching boards about for years are now legally enforceable standards with multi-million dollar penalties for non-compliance.
The trajectory is undeniable:
2022: RI Advice - Federal Court finding, no financial penalty. Many boards treated this as a cautionary tale rather than a regulatory red line.
2025: Australian Clinical Labs - $5.8 million penalty for M&A cyber failures. Some boards rationalised this was specific to acquisitions, not applicable to ongoing operations.
2026: FIIG Securities - $2.5 million penalty for general operational failures. This isn't about special circumstances. This is about basic cyber security hygiene being a fundamental requirement to hold a licence.
If you're thinking "we're not an AFS licensee, so this doesn't apply," you're missing the signal that regulators across all sectors are moving in the same direction.
Here's what makes the FIIG case particularly instructive: every failure they experienced could have been prevented with straightforward, well-understood controls and practical guidance.
Between March 2019 and June 2023, FIIG's failures included:
No suitably qualified people or appropriate technological resources
No multi-factor authentication, weak passwords, poor access controls, inadequate firewall configuration, no regular penetration testing
No structured plan for security updates and patches
No qualified IT personnel monitoring alerts 24/7
No mandatory cyber security awareness training
No tested cyber incident response plan
These aren't exotic security measures. They're the fundamentals we teach in every board cyber education session. Multi-factor authentication is readily implementable. Penetration testing is available through managed services. Security awareness training is straightforward. Incident response testing can be conducted through tabletop exercises that take hours, not months.
The result of not implementing these practical solutions? 385 gigabytes of confidential information stolen. 18,000 clients were notified that their data had been compromised, including driver's licences, passport information, bank account details, and tax file numbers.
This is exactly the type of sensitive personal information that every healthcare organisation, aged care provider, legal firm, financial services entity, and government agency holds across Australia and New Zealand.
One of the most striking elements of the FIIG case is what it reveals about board-level understanding and oversight. For four years, from 2019 to 2023, fundamental security controls weren't implemented. This suggests the board either didn't know to ask about these controls, or didn't understand their importance when they did ask.
This is precisely why we've been advocating for structured board cyber education. Directors don't need to become technical experts. But they do need sufficient literacy to:
Ask the right questions: "Do we have multi-factor authentication?" "When was our last penetration test?" "How often do we test our incident response plan?"
When management responds, directors need enough knowledge to assess whether the answer is adequate or requires follow-up.
If management says "we're planning to implement that next year," directors need to understand whether that timeline is acceptable or represents unacceptable risk exposure.
Directors should understand how cyber security connects to strategic objectives, regulatory obligations, and enterprise risk management.
Boards that understand cyber risk are better positioned to ensure adequate budget, personnel, and technology are allocated.
The FIIG case demonstrates what happens when boards lack this foundation. Practical controls that should have been in place weren't. Questions that should have been asked apparently weren't. Oversight that should have been provided was absent.
For Australian and New Zealand boards, the lesson is clear: board cyber education isn't optional professional development. It's a prerequisite for fulfilling your governance obligations in 2026.
Post-FIIG, every board across Australia and New Zealand must answer these questions with documented evidence:
Can we demonstrate adequate financial, technological and human resources allocated to cyber security?
Have we implemented fundamental security controls?
Do we have a structured plan for system updates and patches?
Do we have qualified personnel monitoring for threats 24/7?
Is cyber security awareness training mandatory and documented?
When was our incident response plan last tested?
These aren't technical questions requiring IT expertise. They're governance questions that educated boards can ask and assess. If you've received board cyber education, you'll recognise these as the fundamentals. If you haven't, you're operating with a knowledge gap that the FIIG case proves is no longer acceptable.
Can't confidently answer these questions? Contact Insicon Cyber for a confidential cyber risk review tailored to your board's needs.
While New Zealand hasn't yet seen Federal Court-scale penalties, the regulatory expectations are converging:
Australia: ASIC has now established clear precedent with measurable penalties for cyber security failures.
New Zealand: The Office of the Auditor-General's "Mind the Gap" report (April 2025) found governors need to do more to reduce cyber security risk. The National Cyber Security Centre reported 1,315 incidents between April and June 2025. More than half of New Zealand's SMEs experienced an online threat in the six months to September 2025.
The threat landscape is identical on both sides of the Tasman. The regulatory expectations are converging. Trans-Tasman boards should assume New Zealand enforcement will follow Australia's trajectory. The question is whether you'll wait for New Zealand's equivalent of FIIG, or act now.
The Old Calculation: "Comprehensive cyber security is expensive. We'll manage the residual risk."
The New Reality:
ASIC stated explicitly: "The consequences far exceeded what it would have cost FIIG to implement adequate controls in the first place."
For an organisation of FIIG's size, comprehensive cyber security protection (24/7 SOC monitoring, regular penetration testing, mandatory training, tested incident response, board advisory, Essential Eight implementation) costs significantly less than $2.5 million annually.
The practical solutions and guidance we provide deliver continuous protection, reduce insurance premiums, support regulatory compliance, build stakeholder trust, and enable confident operations.
The mathematics is stark: comprehensive cyber security is no longer expensive compared to the alternative. It's essential and economically rational.
Many Australian and New Zealand organisations work with separate providers: one consultant for compliance, another for penetration testing, another for training, another for incident response, and perhaps a managed service provider for IT operations.
This fragmentation breaks the connection from the boardroom to the server room. Boards receive high-level briefings that don't connect to operational reality. Technical teams implement controls without understanding strategic priorities. And when an incident occurs, nobody has end-to-end accountability.
When a cyber incident occurs, fragmentation becomes acutely problematic.
This is why we've been advocating for integrated approaches that genuinely span from the boardroom to the server room:
At the Boardroom Level: Education that builds director literacy, advisory that translates threats into business risk, governance frameworks that enable informed oversight, and reporting that provides meaningful visibility.
At the Strategic Level: Risk assessments that inform resource allocation, compliance frameworks aligned with business objectives, incident response planning that includes board decision-making, and security culture programmes that cascade from leadership.
At the Operational Level: 24/7 monitoring and response, regular testing and vulnerability management, continuous training and awareness, and documented controls that can withstand regulatory scrutiny.
The Integration: Every operational control connects to a strategic objective. Every board decision translates to operational implementation. Every risk identified at the technical level is communicated to governance. Every governance priority is resourced and delivered operationally.
This isn't theoretical. It's the practical approach that prevents organisations from becoming the next FIIG. When boards understand cyber risk through proper education, when proven solutions are implemented systematically with clear guidance, and when accountability flows seamlessly from the boardroom to the server room, organisations achieve genuine resilience.
The Federal Court has established a clear, legally enforceable standard built entirely on fundamental, practical controls: multi-factor authentication, regular penetration testing, a structured plan for security updates and patches, qualified personnel monitoring for threats 24/7, mandatory security awareness training, and a tested incident response plan.
Notice what's missing from this list: artificial intelligence, quantum encryption, blockchain, or any other complex technology. This practical standard is built on fundamentals that have been best practice for years.
These are the practical solutions and clear guidance we've been proposing. They're achievable for organisations of any size. They don't require nation-state budgets or exotic expertise. They require educated boards, practical controls, and integrated accountability from the boardroom to the server room.
FIIG's failures occurred when these were well-understood best practices. The Federal Court found FIIG should have known better and acted sooner.
For trans-Tasman boards: would your organisation meet the FIIG standard if examined by a regulator? If the answer is "no" or "uncertain," you have a gap demanding immediate attention.
The FIIG case has established the standard. The question is whether your board can confidently demonstrate compliance, or whether gaps exist that require immediate attention.
We'll assess your organisation's posture against the FIIG standard, identify gaps in controls, resourcing, or governance, provide clear, board-appropriate guidance on priorities and timelines, and deliver actionable recommendations that span from boardroom oversight to server room implementation.
This isn't a technical audit that overwhelms directors with jargon. It's a board-focused assessment that provides the clarity and confidence you need to fulfil your governance obligations and protect your organisation from becoming the next regulatory case study.
The cost of a confidential cyber risk review is a fraction of the $2.5 million penalty FIIG faced. The value is the certainty that your organisation meets the standard regulators now enforce.
Contact Insicon Cyber today to schedule your confidential cyber risk review. Our team has deep expertise across Australia and New Zealand, understands both the technical controls and the governance expectations, and can provide the practical guidance your board needs.
Don't wait for your own $2.5 million message. Act now.
The warnings have become reality. The theoretical duty of care is now enforced with multi-million dollar penalties. Board-level accountability is codified in Federal Court precedent.
And here's the critical insight: the solutions aren't complex. FIIG's failures were all preventable with straightforward, well-understood controls and practical guidance. Multi-factor authentication. Regular penetration testing. System patching. 24/7 monitoring. Security training. Incident response testing.
These are the practical solutions we've been advocating. They work. They're achievable. And they're now legally required.
But practical solutions need educated boards to ensure they're implemented properly. Directors who understand cyber risk can ask the right questions, assess the adequacy of management responses, recognise when timelines are unacceptable, and ensure resources are allocated appropriately.
And both educated boards and practical solutions need integration from the boardroom to the server room. Strategic governance must connect to operational delivery. Board decisions must translate to technical controls. Technical risks must communicate to governance oversight. Fragmented approaches create the accountability gaps that FIIG demonstrated.
The costs are quantified: $2.5 million for FIIG, $5.8 million for Australian Clinical Labs, plus legal costs, compliance programmes, operational disruption, and reputational damage. The cost of getting it right, including a confidential cyber risk review for your board, is measurably less than the cost of failure.
FIIG had four years to implement practical controls, educate their board, and create integrated accountability. They didn't. The consequences exceeded what those solutions would have cost.
Your board has the benefit of learning from these failures.
The licence to operate now requires robust cyber resilience built on fundamentals. The Federal Court has established the standard. And the cost of failure is too high to accept.
Contact Insicon Cyber for a confidential cyber risk review. We'll provide the board education, practical guidance, and boardroom-to-server-room integration your organisation needs to meet the FIIG standard with confidence.
About Insicon Cyber
Insicon Cyber delivers integrated cyber security solutions from the boardroom to the server room. We work with organisations across Australia and New Zealand, combining Board Cyber Education and Advisory with 24/7 Security Operations Centre services, Managed Security Services, and Compliance frameworks.
Our approach is built on three principles validated by the FIIG case:
We don't complicate cyber security. We make it understandable at board level, implementable at operational level, and defensible at regulatory level.