The Federal Court’s View on Adequate Cyber Security Protection
- Ultimate IT

- Apr 30

The Federal Court has recently clarified what constitutes adequate cyber security protection for organisations holding an Australian Financial Services (AFS) licence.
For executives, risk leaders, and security professionals, the message is unmistakable: cyber security can no longer be treated as a purely technical concern. It is an ongoing responsibility that sits squarely within enterprise governance, risk management, and resilience.
Background: ASIC v FIIG Securities
On 13 February 2026, the Federal Court delivered its decision in ASIC v FIIG Securities Limited, imposing a $2.5 million penalty on the AFS licensee for failing to maintain adequate cyber security protections.
While the case arose within the financial services sector, its significance extends well beyond it. The judgment provides practical guidance on what “adequate” cyber security means — guidance that is relevant to organisations across all industries.
What This Means for Organisations
The decision highlights four core principles organisations should consider when evaluating the adequacy of their cyber security arrangements for both their own operations and their customers.
1. Controls alone are not enough
Implementing cyber security controls — even those aligned to recognised frameworks — is only the beginning. These controls must be actively maintained, monitored, and integrated into a broader, functioning cyber security risk management system to remain effective over time.
2. Adequacy is contextual and constantly evolving
Cyber security is not static. What is considered adequate today may quickly become insufficient as threats, technologies, and business environments change. Organisations must regularly review and update their cyber security posture to keep pace with the threat landscape.
3. Resourcing is critical
The Court emphasised the importance of having the right mix of skilled personnel, technology, and financial investment. Effective protection cannot be achieved or sustained without appropriate and ongoing resourcing.
4. Use the ACSC Essential Eight as a benchmark
Although the Court did not mandate a specific framework, the shortcomings identified in the case closely align with the controls outlined in the ACSC Essential Eight Maturity Model. This framework provides a practical and widely recognised reference point for appropriate cyber security measures.
As cyber security expectations continue to rise, organisations will need to re-evaluate both their technical investments and their access to skilled expertise to maintain adequate protection.
Adequate Protection Goes Beyond Technical Controls
According to the Court, adequate cyber security protection comprises three interconnected elements:
- Security measures and controls, together with their effective implementation and ongoing maintenance
- Risk management systems that analyse control effectiveness and enable timely, reliable decision‑making
- Sustained access to appropriate resources, including skilled professionals, technology, and funding
While it may be unrealistic to prevent every cyber incident, organisations are expected to maintain a level of protection that is reasonable and appropriate to their circumstances. Importantly, adequacy is context‑specific rather than absolute.
Why Context Matters
Determining whether cyber security protection is adequate requires regular consideration of an organisation’s specific risk environment, including:
- The nature and scale of the business
- The type and sensitivity of information and systems being protected
- The value of assets under the organisation’s control
- The likelihood and potential impact of cyber threats
- Any contractual or regulatory obligations owed to clients or stakeholders
The Importance of Resourcing Cyber Security Properly
Many organisations struggle with increasing cyber security complexity. The Court recognised that protection outcomes depend on the interaction between controls, risk management processes, and adequate resourcing.
In the FIIG case, deficiencies in resourcing directly contributed to ineffective cyber security outcomes.
Why capability matters
Technical controls and risk frameworks quickly lose value without access to current security data, skilled interpretation, and expert oversight. Without these inputs, cyber security decision‑making becomes unreliable and ineffective.
Cyber Security Measures and Risk Management
Rather than prescribing a definitive list of controls, the Court highlighted numerous failings observed in FIIG’s approach. Although no specific framework was endorsed, the deficiencies identified closely match the gaps addressed by the ACSC Essential Eight, reinforcing its relevance as a practical baseline.
An effective cyber risk management system should:
- Identify and assess relevant cyber risks
- Implement and maintain controls to address those risks
- Continuously monitor control effectiveness
- Ensure cyber security outcomes align with approved strategies, policies, and governance frameworks
As cyber security becomes a standard component of enterprise risk, stronger integration between technical teams, risk functions, and executive governance will be essential.
Integrating Cyber Security into Enterprise Risk Management
The balance between technological investment and skilled human resources is changing. Disconnected tools, unclear accountability, and limited expertise — as seen in this case — significantly undermine cyber security effectiveness.
At the same time, organisations face growing pressure to provide timely, evidence‑based security insights to support executive decision‑making. In fast‑moving threat environments, weak visibility and delayed responses can directly impact operational continuity and resilience.
Adapting to a Changing Risk Landscape
Modern cyber security requires agile operating models that support rapid detection, analysis, and response. Increasingly, this involves multi‑disciplinary collaboration between cyber security, technology, and risk teams to address emerging threats before they disrupt business operations.

Reference: Huntsman (huntsmansecurity.com)
Diagram: Adequate cyber security protection as a multi‑disciplinary process integrating controls, risk management systems, and organisational resources.
Looking Ahead
The judgment reflects a broader trend: cyber security expectations are rising, while resource constraints and siloed operations remain common challenges.
To respond, organisations are increasingly turning to solutions that enhance human expertise with automation, continuous measurement, and near real‑time risk insight. These capabilities are becoming essential for maintaining adequate protection in an evolving threat environment.
Conclusion
The ASIC v FIIG Securities decision makes it clear that adequate cyber security is not defined by controls alone. It requires an ongoing, integrated approach that combines effective measures, informed risk management, and appropriate resourcing.
Organisations that fail to evolve their cyber security operating models risk not only regulatory consequences, but also significant impacts to their operations and overall resilience.
Strengthen Your Cyber Security Protection
Maintaining adequate protection today depends on continuous visibility, assurance of control effectiveness, and risk‑driven decision‑making.
Ultimate IT supports organisations by enabling continuous monitoring, near real‑time threat visibility, and active cyber security risk management.
Speak to an expert today.



