Directors' Duties in the Cyber Age: Navigating ASIC's Expectations and Minimising Risk
Australia’s corporate watchdog, the Australian Securities and Investments Commission (ASIC), has set its sights on companies that lack adequate cybersecurity prevention and protection measures. Company directors should recognise, now more than ever, that good corporate governance requires robust cyber planning to prepare for, prevent and reduce the risk of cybercrime. Businesses that fail to take precautions, and those that deal with cyber threats only on a reactive basis, risk significant reputational and financial loss. Two actions commenced by ASIC provide practical insight into the minimum standards required for an adequate cyber posture.
CYBER – Foreseeable Risk
Cyber risk is a foreseeable business risk. Every organisation must have active oversight of foreseeable cyber risk, including the ability to prepare for and attempt to prevent a cyber incident (as well as to respond to, recover from and operate during one, and to deal with its aftermath, which is the most expensive part).
There are three cyber risks: business & operational, reputational, and legal & compliance.
The directors’ duties cases make two things clear. First, directors cannot abdicate their cyber responsibility any more than they can avoid financial or health and safety obligations: the board and directors must have active oversight of foreseeable cyber risk. Second, three factors are relevant to what that oversight requires: (1) the magnitude of the risk, (2) the probability of its occurrence, and (3) the expense, difficulty and inconvenience of taking action.
There are four keys to preparation and prevention – people, process, technology and data (PPTD). Investing in them might feel like front-end loading the cost, but the aftermath of an incident is much more expensive. If you are still at the starting block, or a director on a board, start by identifying the organisation’s critical business systems, key networks and data. The regulator is coming if the preparation and prevention elements of an organisation’s cyber posture are inadequate. Take notice of two recent ASIC actions, which demonstrate that the regulator is on high alert.
ASIC v FIIG
ASIC recently commenced proceedings against FIIG Securities Limited (FIIG), a financial services licensee, after Russian ransomware operator ALPHV—the same group which stole millions of Star Entertainment’s documents last year—compromised 385 gigabytes of FIIG’s client confidential information in 2023. The confidential information was published on the dark web and included sensitive personal information such as driver’s licences, passports, bank details, and tax file numbers.
In proceedings commenced on 12 March 2025, ASIC alleges FIIG failed to take adequate steps to protect itself and its clients from cybersecurity risks and that these failures exposed FIIG to the ransomware attack to an unreasonable extent in breach of ss 912A(1)(d) and 912A(5A) of the Corporations Act 2001 (Cth) (Corporations Act). By way of relief, ASIC seeks:
- declarations under s 1317E that FIIG (i) failed to have available the necessary technological and human resources to prevent the attack from occurring; (ii) failed to implement reasonable cybersecurity measures; and (iii) failed to do all things necessary to ensure that its services were provided efficiently, honestly and fairly;
- a pecuniary penalty under s 1317G for an amount that the Federal Court considers appropriate; and
- an order under s 1101B that FIIG undertake a compliance programme and commission an independent expert to report to ASIC on its cybersecurity measures.
ASIC chair Joe Longo said, in respect of the incident, that ‘[c]ybersecurity isn’t a set and forget matter. All companies need to proactively and regularly check the adequacy of their cyber security measures and follow the advice of the Australian Cyber Security Centre.’[1] This is reflected in the long list of alleged non-compliances set out in ASIC’s Concise Statement, which asserts that (among other things) FIIG had insufficient technological, financial and human resources to ensure compliance with its legal obligations. These allegations are instructive: ASIC has provided explicit guidance on FIIG’s shortcomings, and the corresponding measures should now serve as minimum standards for similar financial services licensees to include in their cyber posture. Such measures include:[2]
- Adopt a cyber incident response plan approved by the organisation and communicated and accessible to all employees.
- Manage access to accounts on networks, computer systems and applications.
- Engage in cyber scanning from time to time to assess vulnerabilities.
- Develop ‘next generation’ firewalls.
- Configure policies to disable outdated authentication protocols.
- Use real time analytics to counter attacks that bypass firewalls.
- Regularly update and patch systems and applications.
- Require multi-factor authentication for remote access users.
- Regularly require IT personnel to monitor software to identify and respond to any unusual activity.
- Require security awareness training for all new employees.
- Have a process to review and evaluate the effectiveness of existing cybersecurity controls.
- Restrict how operating system administrators use their day-to-day accounts.
- Conduct regular penetration tests of FIIG’s perimeter both externally and internally.
- Disable unused services, accounts and applications.
- Monitor the computing environment at all times.
- Have event logs reviewed by a security administrator at least every 90 days.
ASIC v RI Advice Group Pty Ltd[3]
The ASIC v FIIG litigation follows a recent decision of the Federal Court in which ASIC successfully pursued RI Advice Group Pty Ltd (RI Advice), also a financial services licensee, for breaches of s 912A(1)(a) of the Corporations Act by failing to have adequate cybersecurity risk management practices in place. RI Advice was ordered to engage a third-party expert to report on its cybersecurity measures and work with that expert to uplift its cyber measures within a timeframe stipulated in the Orders. RI Advice was also ordered to pay $750,000 in enforcement costs incurred by ASIC.
RI Advice experienced nine cybersecurity incidents between June 2014 and May 2020, including hacking, ransomware, phishing emails, and an unknown agent accessing its servers. One such incident involved a $50,000 payment by a client of RI Advice following a fraudulent email urging them to transfer funds.
RI Advice accepted that for much of the relevant time, its documentation, controls and risk management systems were inadequate and its attempts to improve its cyber posture were too late and too little.[4] Justice Rofe identified the following shortcomings as the reasons for RI Advice’s cyber failings:[5]
- computer systems which did not have up-to-date antivirus software installed and operating;
- no filtering or quarantining of emails;
- no backup systems in place, or backups not being performed; and
- poor password practices including passwords being shared between employees, the use of default passwords, and other security details being held in easily accessible places or being known by third parties.
Analysis
To date, ASIC has brought proceedings for inadequate measures against cybersecurity risk under the financial services licensee provisions in the Corporations Act. These cases serve as a caution to all businesses that do not have in place adequate cyber standards. We anticipate that proceedings could be commenced in the future for breaches of directors’ duties (such as under s 180 and s 181 of the Corporations Act) which, if made out, could put directors at risk of personal liability.
Both ASIC v FIIG and ASIC v RI Advice contain instructive guidance on the minimum standards ASIC expects for compliance with risk management obligations. These standards should be incorporated into each organisation’s cyber management policies and reviewed periodically. It is now time for boards to allocate sufficient resources (financial, technological and human) to ongoing management of cyber risk, with the Federal Court having clearly endorsed ASIC’s expectations of continuous monitoring against cyber attacks.
In an earlier blog post, we addressed key changes arising from the Cyber Security Act 2024 (Cth) and the need for businesses to have robust ransomware response plans to improve their cybersecurity preparedness and mitigate any risks from regulators and bad actors.
The message is clear: prepare and attempt to prevent – proactivity must feature in your company’s cyber posture.
Key Takeaways
- Organisations must have the ability to prepare for and attempt to prevent a cyber incident.
- A proactive system of managing cyber risk is essential. Prevention and preparation programs are mandatory.
- A whole of enterprise approach is necessary – people, process, technology and data – PPTD.
- Boards and Directors must have active oversight of the foreseeable risk – the Circle of Active Oversight.
- The shortcomings of RI Advice were explicitly detailed by the Federal Court, and those of FIIG have been alleged. These should be reviewed and addressed as part of cyber-preparedness in every organisation.
- Each entity handling sensitive information must devote sufficient financial, technological and human resources to the ongoing management of cyber risk and possess the requisite resources to respond in the event of an attack.
- Directors could face personal liability if their cyber security practices are inadequate.
- ASIC is not demanding perfection, but is mandating attention to preparation and prevention.
- Three cyber risks: business operational risk, reputational risk, and legal and compliance risk.
- If you are still at the starting block, commence with identifying the organisation’s critical business systems, networks and data.
Key Cyber and Emerging Tech Contacts:
Brooke Hall-Carney
Lucy Caruana
Jacob Moore
[1] ASIC, ‘ASIC sues FIIG Securities for systemic and prolonged cybersecurity failures’, 5 May 2022.
[2] ‘Concise Statement’, Australian Securities and Investment Commission v FIIG Securities Pty Ltd, 6–8.