ASIC vs FIIG Securities: When Inadequate Cybersecurity Becomes a Civil Penalty

For years, financial regulators have spoken about the importance of cybersecurity. On March 25, 2026, Kennedys Law published its analysis of a case where a regulator stopped talking and started penalizing. The Australian Securities and Investments Commission (ASIC) successfully pursued civil penalties against FIIG Securities for inadequate cybersecurity — establishing that failure to maintain adequate cyber defenses is not merely an operational shortcoming but a violation of the institution's obligations to its clients and the financial system.
The case is Australian, but its implications are global. For DORA-regulated European institutions, it previews the enforcement philosophy that the European Banking Authority, the ECB, and national competent authorities are likely to adopt when DORA's penalty framework matures.
The ASIC vs FIIG Case: What Happened
FIIG Securities is a fixed-income broker-dealer that suffered a significant cyber incident resulting in unauthorized access to client data. ASIC's enforcement action focused not on the breach itself — breaches happen — but on the systemic cybersecurity deficiencies that made the breach possible and the institution's failure to implement adequate controls despite known risks.
Kennedys Law's analysis identified the specific failures that ASIC highlighted:
| Cybersecurity Failure | ASIC Finding | DORA Equivalent |
|---|---|---|
| No multi-factor authentication for remote access | Failed to implement basic access controls | Art. 9(4)(c): Access management policies |
| Outdated and unpatched systems | Failed to maintain current threat protection | Art. 7: ICT systems management |
| No network segmentation | Flat network enabled lateral movement | Art. 9: ICT security policies |
| Inadequate monitoring and logging | Could not detect intrusion for extended period | Art. 10: Detection capability |
| No incident response plan | Ad-hoc response delayed containment | Art. 17: ICT incident management |
| Insufficient employee training | Staff unable to recognize social engineering | Art. 13: Digital operational resilience training |
The ASIC enforcement was groundbreaking because it framed cybersecurity not as a technical matter but as a licensee obligation. FIIG Securities held an Australian Financial Services Licence (AFSL), which requires the licensee to operate "efficiently, honestly and fairly." ASIC argued — and succeeded — that failing to implement basic cybersecurity constitutes a failure to operate the business efficiently, thereby breaching the licence conditions.
The Enforcement Philosophy: From Advisory to Punitive
The ASIC vs FIIG case represents a shift in regulatory enforcement philosophy from advisory to punitive, a shift that is visible across multiple jurisdictions.
The critical precedent is that ASIC did not require proof that the cybersecurity failures caused specific client harm. The existence of the deficiencies itself — the gap between what a reasonable licensee should have implemented and what FIIG actually implemented — was sufficient for enforcement action.
This is directly relevant to DORA. Article 50 of DORA establishes the penalty framework, requiring Member States to lay down "effective, proportionate and dissuasive" administrative penalties for DORA violations. The ASIC approach — penalizing the absence of controls rather than the occurrence of harm — is consistent with DORA's design, which establishes prescriptive requirements for ICT risk management, not just outcomes.
Mapping FIIG Failures to DORA Articles
The specific cybersecurity failures that ASIC identified at FIIG Securities map almost exactly to DORA's requirements. This is not coincidental — DORA codifies the cybersecurity baseline that regulators globally consider minimum acceptable.
No MFA → DORA Article 9(4)(c)
DORA Article 9 requires financial entities to implement "strong authentication mechanisms" and "access control policies." The absence of multi-factor authentication for remote access — particularly after years of industry guidance emphasizing MFA — demonstrates the kind of basic control gap that European supervisors will pursue under DORA.
No Incident Response Plan → DORA Article 17
Article 17 requires financial entities to establish an ICT-related incident management process. This is not optional or aspirational under DORA — it is a binding requirement. A financial entity that has not implemented an incident response plan is in clear violation, regardless of whether an incident has occurred.
Inadequate Monitoring → DORA Article 10
Article 10 requires financial entities to "have in place mechanisms to promptly detect anomalous activities." FIIG's inability to detect the intrusion for an extended period indicates a failure of detection capability that would clearly breach Article 10.
| FIIG Failure | DORA Article | Penalty Risk | Remediation Cost |
|---|---|---|---|
| No MFA | Art. 9(4)(c) | High — basic control failure | Low (€10-50K) |
| Unpatched systems | Art. 7(1) | High — known vulnerability exposure | Medium (€50-200K) |
| Flat network | Art. 9(2) | Medium — inadequate segmentation | High (€200-500K) |
| No monitoring | Art. 10 | High — detection capability absent | High (€100-500K) |
| No IR plan | Art. 17 | High — mandatory requirement absent | Low (€20-100K) |
| No training | Art. 13(6) | Medium — awareness programme required | Low (€10-50K) |
The DORA Penalty Framework: What Europe Has Prepared
DORA's penalty provisions are more explicit and potentially more severe than the Australian framework that ASIC used against FIIG.
Article 50 requires Member States to establish penalties that include at least:
- Administrative pecuniary penalties
- Periodic penalty payments (daily fines for ongoing non-compliance)
- Public statements identifying the responsible person and the violation
- Orders to cease and desist
- Temporary bans on management body members
The European Banking Authority will coordinate enforcement approaches across Member States, but each Member State retains discretion over penalty amounts. As the DORA penalty divergence analysis has explored, this creates a patchwork of penalty regimes that will converge over time as enforcement precedents accumulate.
What the FIIG Case Means for European DORA Enforcement
The ASIC vs FIIG precedent signals five developments that European financial institutions should anticipate:
1. Proactive Enforcement Before Breach
ASIC's case was triggered by a breach, but the enforcement focused on pre-existing deficiencies. European regulators are likely to go further: DORA's supervisory examination framework under Articles 46-49 allows competent authorities to assess compliance proactively — through on-site inspections, off-site reviews, and information requests. Institutions can be penalized for control deficiencies found during examinations, without waiting for a breach to expose them.
2. Personal Accountability
The ASIC case explored whether individual directors bore responsibility for the cybersecurity failures. DORA Article 5(2) places explicit responsibility on the management body for approving and overseeing the ICT risk management framework. Directors who fail to exercise adequate oversight can face personal penalties, including temporary bans from management positions.
3. Proportionality Will Be Tested
DORA's proportionality principle means that smaller financial entities are held to a lower standard than systemically important institutions. But the FIIG case suggests that there is a floor below which proportionality does not apply: basic controls like MFA, patching, and incident response planning are expected regardless of size. European enforcement is likely to adopt a similar position.
4. Documentation as Evidence
ASIC relied heavily on the absence of documentation — no written IR plan, no evidence of risk assessments, no records of security testing. Under DORA, the documentation requirements are explicit and detailed. The absence of required documentation is itself a compliance violation and the easiest violation for supervisors to identify.
5. Third-Party Risk Accountability
While the FIIG case focused on the institution's own controls, DORA extends accountability to third-party risk management. A European institution that suffers a breach through a third-party provider with FIIG-level cybersecurity deficiencies faces dual exposure: the breach itself and the failure to conduct adequate third-party due diligence.
Recommendations for DORA-Regulated Entities
The FIIG case provides a clear playbook for what regulators will target. European institutions should:
- Conduct a FIIG-style self-assessment. Map the FIIG failures against your own control environment. If any of the same deficiencies exist — no MFA, unpatched systems, flat networks, no IR plan — address them immediately. These are the low-hanging enforcement targets.
- Document everything. The most common enforcement finding is not that controls are absent, but that there is no documentation proving they exist. Document your ICT risk management framework, your testing results, your third-party assessments, and your board reporting.
- Test your incident response. Having a plan is necessary but not sufficient. The plan must be tested, and the test results must be documented. An untested IR plan is almost as problematic as no plan at all.
- Brief your board. Directors need to understand that DORA creates personal accountability for ICT risk oversight. The Article 5 obligation is not delegable — the board must approve and actively oversee the framework.
- Review your assessment maturity. Use structured assessment tools to identify gaps before the supervisor does. The difference between self-identified gaps with remediation plans and supervisor-identified gaps without plans is the difference between a remediation letter and a penalty notice.
The ASIC vs FIIG case is not an Australian curiosity. It is a preview of the enforcement future under DORA. The financial institutions that learn from it will be the ones that avoid repeating it.
See also: DORA Penalties Decoded | DORA Enforcement Outlook 2026 | DORA's Real Test Starts Now
Summary
On March 25, 2026, Kennedys Law analysed the landmark enforcement action by Australia's ASIC against FIIG Securities, which obtained civil penalties for inadequate cybersecurity without requiring proof of specific harm to clients. The deficiencies identified (no MFA, unpatched systems, flat network, no incident response plan, inadequate monitoring) correspond almost exactly to DORA's requirements (Art. 7, 9, 10, 13, 17). For European entities, the case previews the enforcement approach under DORA: proactive penalties before any breach, personal accountability of executives (Art. 5(2)), documentation as evidence, and a minimum floor of controls applied regardless of proportionality. The DORA penalty framework (Art. 50-52) is more explicit and potentially more severe than the Australian framework, including periodic penalty payments, public statements and management bans.