FIIG and beyond: How regulators are converging on the same cyber standard


By Chong Shao

On 9 February 2026, the Australian Securities and Investments Commission (ASIC) announced that the Federal Court ordered FIIG Securities Limited to pay $2.5 million in pecuniary penalties, following ASIC action over cyber security failures spanning more than four years.

This is the first time the Federal Court has imposed civil penalties for cyber security failures under the general Australian Financial Services (AFS) licence obligations. ASIC didn’t treat this as a one-off IT mistake. Its message was simple: cyber resilience is now part of doing business.

Whether or not you are in financial services, this case is significant. Across Australia’s regulatory ecosystem, we are seeing a steady convergence towards a practical, outcomes-focused cyber security standard, often described as ‘reasonable steps’.

FIIG in brief and why this outcome matters

ASIC’s media release sets out the core narrative clearly:

  • FIIG’s failures related to protecting thousands of clients from cyber security threats over a sustained period.

  • A 2023 cyber-attack resulted in around 385GB of confidential information being stolen, with highly sensitive client data leaked online (including identity documents and financial identifiers).

  • FIIG notified around 18,000 clients that their personal information may have been compromised. 

  • FIIG admitted that adequate measures suited to a firm of its size and the sensitivity of the data would likely have enabled earlier detection and response, and that complying with its own policies may have prevented some or all of the client information from being downloaded.

There are two takeaways from the FIIG case. Firstly, cyber security hygiene is being treated as a matter of ongoing governance, not just technology. Secondly, regulators and courts are increasingly interested in whether controls are operationalised – that is, implemented, monitored, tested and evidenced – not merely documented.

That shift is not unique to ASIC. It’s part of a broader move (including in privacy regulation) from policy compliance to demonstrable protection.

The cyber hygiene checklist: what regulators now expect as basics

ASIC was unusually specific about what FIIG did not have in place. This gives organisations a simple and helpful prompt: Are we covering the basics, and can we prove it? 

Here’s a practical checklist, using the categories ASIC highlighted:

  • Identity and access

    • Multi-factor authentication for remote access users

    • Strong passwords

    • Access controls for privileged accounts

  • Network and endpoint protection

    • Appropriate configuration of firewalls and security software

  • Testing and scanning

    • Regular penetration testing and vulnerability scanning

  • Patching and updates

  • A structured plan to ensure key software systems are updated to address security vulnerabilities

  • Monitoring

    • Qualified IT personnel monitoring threat alerts to identify and respond to cyber-attacks

  • Training

    • Mandatory cyber security awareness training for staff

  • Incident readiness

    • An appropriate cyber incident response plan, tested at least annually.

A key subtext in the FIIG outcome is that the ‘what’ is only half the story. The other half is whether controls are actually in place and operating day-to-day.

Most organisations can point to policies. Fewer can answer simple operational questions like:

  • Do we have multi-factor authentication in place for remote access users, and is it consistently enforced?

  • When did we last run penetration testing and vulnerability scanning, and what did we do about the findings?

  • When did we last test our incident response plan, and what changed as a result?

Operationalising the controls is how ‘reasonable steps’ become real.

The bigger shift: ‘reasonable steps’ is becoming the common standard

It’s tempting to read FIIG as a financial services story: AFSL obligations, ASIC enforcement, court-ordered penalties. But the more important trend is cross-regime.

A similar ‘reasonable steps’ story has been playing out under privacy law. The OAIC has been increasingly explicit about its enforcement posture, including civil penalty proceedings anchored in APP 11.1 (security) and the expectation of ‘reasonable steps’ to protect personal information. 

In Australian Clinical Labs, the Federal Court imposed $5.8 million in civil penalties, including $4.2 million for failing to take reasonable steps under APP 11.1 to protect personal information held on Medlab Pathology’s IT systems. The Court’s analysis focused on concrete security shortcomings – such as weak authentication, inadequate logging, lack of file encryption, unsupported systems and limitations in antivirus controls – reinforcing the same core message as FIIG: principles-based obligations are now being tested against real-world cyber hygiene.

When you put FIIG alongside recent privacy enforcement, a clear pattern emerges. Through different regulators and different statutes, there is a shared test: do you have security controls that match your data and risk profile, and can you demonstrate that in practice?

The shared test also points to why silos don’t work. You can’t assess whether controls are proportionate without understanding what data you hold, why you hold it, how long you keep it, and what expectations you’ve set with customers. In practice, cyber hygiene, data governance and privacy compliance end up being assessed together – because together they explain whether your safeguards are reasonable for your context.

Regulators are rarely interested in the elegance of any single framework. They’re interested in whether your organisation:

  • invested appropriately (people, process, technology) 

  • operated controls consistently over time to manage data risk

  • learned and improved

  • can demonstrate that through clear records.

Turning checklists into confidence: a practical next step

For many organisations, the right response to FIIG is not a massive multi-year program. It’s a practical sequence:

  1. Start with the data – confirm what sensitive data you hold, where it is held and who can access it; then check that you have the FIIG ‘baseline’ controls in place for that environment.

  2. Validate the controls work in practice – and that they’re prioritised around your highest-risk data and systems.

  3. Make it easy to demonstrate – keep clear, simple records that link your data and governance decisions to the controls you operate.

How IIS can help

We help organisations translate ‘reasonable steps’ into something practical. Depending on where you are starting from, that can include:

  • A short, targeted review of your current cyber hygiene controls, focusing on the gaps that matter most and what you can readily demonstrate.

  • Bringing privacy, security and data governance together so you have one joined-up view of what data you hold, how it's protected, and who is accountable.

  • Sharper governance and reporting for executives and boards – clear ownership, a realistic view of risk, and a sensible uplift plan rather than a long list of ‘to-dos’.

  • Practical incident response exercises that test how things work under pressure and result in concrete improvements.

Please contact us if you have any questions or would like assistance.
