
ASIC invokes FIIG ruling to galvanise firms on AI threats

Binaya Dahal

Journalist

11 May 2026

The Australian Securities and Investments Commission (ASIC) has invoked its recent court win against FIIG Securities to press financial firms to lift cyber resilience standards as frontier artificial intelligence rapidly amplifies security risks.

In an open letter to licensees and market participants on Friday, the corporate regulator said entities should act immediately rather than wait for further technological or regulatory clarity, stating that core cyber security controls must be robust enough to withstand AI-accelerated threats.

ASIC commissioner Simone Constant said companies must take “urgent, focused action” under a principles-based, model-agnostic approach and treat cyber resilience as a core licensing obligation rather than an information technology function.

“Entities need to have robust incident response plans. Whether an entity faces a basic phishing attempt or a more sophisticated cyber-attack, the underlying cyber risk management principles of govern, protect, detect, respond remain the same,” Constant said.

“Appropriate cyber risk management starts at the leadership of licensees and participants. Boards and executives must ensure systems are tested, weaknesses are addressed early and that action is taken before threats can be exploited.

“The clock is at a minute to midnight – if you aren’t on top of your cyber resilience already, the time to act and prepare is right now.”

Earlier this year, the Federal Court ordered fixed-income specialist FIIG Securities to pay $2.5 million in penalties after a 2023 cyber-attack exposed the personal data of about 18,000 clients, including passport details, tax file numbers and bank account information.

The ruling was the first of its kind in Australia, with the firm facing civil penalties for cyber security failures under general Australian Financial Services licence obligations, which ASIC described as a “clear licence-to-operate expectation” for robust cyber resilience.

Building on that precedent, the regulator has called on firms to reassess cyber plans, strengthen governance and prioritise critical assets, while improving escalation pathways, access controls, and continuous validation of core cyber defences.

It has also urged them to adopt layered security architectures, tested incident response and business continuity plans, stronger third-party oversight, and selective use of defensive AI, embedded through active governance rather than static security controls.
