Breach to Boardroom: Australian Federal Court Hands Down First-Ever Cyber Fines

By David Baines, Cyber Security Specialist.

 

For a long time, cybersecurity has been treated as an IT problem. Something you can outsource or tick off a required checklist. Leadership sets the budget and IT handles the rest.

In the past five months, two first-time Federal Court penalties have changed the cybersecurity landscape:

  • In October 2025, Australian Clinical Labs was fined $5.8 million – the first-ever civil penalty under the Privacy Act 1988.
  • In February 2026, FIIG Securities was fined $2.5 million following its own cyberbreach.
 

These cases send one clear message to business owners and directors:

  1. Cybersecurity governance belongs in the boardroom.
  2. You can delegate the task – but you cannot delegate the responsibility.
 

This is no longer a technical issue to be left to IT or outsourced to a managed service provider. It is a governance obligation with real financial consequences.

Two Companies, One Message

Australian Clinical Labs – $5.8 Million

In October 2025, the Federal Court ordered Australian Clinical Labs (ACL) to pay $5.8 million in civil penalties following a severe cyber breach. This was historic – the first time penalties were imposed under the Privacy Act 1988.

The Court found that ACL had failed to take “reasonable steps” to protect sensitive personal and health information.

The key issues were:

  • Inadequate security safeguards
  • Failure to properly manage known risks
  • Insufficient governance oversight
 

This handling resulted in three penalties, and the Office of the Australian Information Commissioner (OAIC) made it clear that the penalty was designed to send a strong message to every organisation that handles sensitive personal data. Constant data security, timely breach investigation, and prompt reporting to the OAIC are not optional. They are obligations under the Privacy Act for the organisations it covers, and failing to meet them is now very costly (OAIC, 2025).

The breach itself wasn’t the main issue. The failure to properly govern cyber risk was.

FIIG Securities – $2.5 Million

Fast forward to this month, February 2026: the Federal Court imposed a $2.5 million penalty on FIIG Securities, marking the first time civil penalties have been ordered for cybersecurity failures under the Australian Financial Services (AFS) licence obligations.

Attackers exploited known vulnerabilities, and the alarming part is that FIIG had actually identified cybersecurity as a risk and had documented policies in place. The problem? The policies were not properly implemented, monitored or enforced (Saarinen, 2026). The Court found:

  • Known weaknesses were not fixed in a timely manner
  • Security controls were insufficient
  • Risk management processes were inadequate
 

The Australian Securities and Investments Commission (ASIC) determined that FIIG failed to allocate enough financial, technological, and human resources to manage its cyber risks – for a period of more than four years.

ASIC Deputy Chair Sarah Court made a good point: “In this case, the consequences far exceeded what it would have cost FIIG to implement adequate controls in the first place.”

What These Cases Mean

These penalties showcase three important realities:

1. Taking “reasonable steps” means provable execution. 

Both ASIC and OAIC are proving that cybersecurity is a board-level responsibility. It is no longer enough to have a policy document sitting in a drawer or to assume that because someone else is managing your systems, you are protected from liability. Courts are now examining what boards knew, what they asked, what they documented, and what they did (Dew, 2026).

2. You can outsource the function – not the accountability. 

You can appoint an MSP, a CISO, or external cyber consultants, but ultimately responsibility lies with the organisation. Cyber risk sits on the same level as financial oversight, legal compliance, and risk management as a core board responsibility.

3. Regulators are willing to press charges. 

ASIC has gone so far as to include cyber-attacks, data breaches, and the handling of these in its ‘2026 Key Issues Outlook’, meaning these penalties are just the beginning (ASIC, 2026).

Ask Yourself

Cyber hackers can target anyone, regardless of business size. ACL and FIIG Securities received a collective $8.3 million in penalties: the first civil penalties ever imposed under the Privacy Act 1988 and for cybersecurity failures under AFS licence obligations, respectively. The message they are sending is clear: Cybersecurity belongs in the boardroom.

It is no longer just an IT department issue, no longer something directors can assume has been “taken care of.” So, ask yourself this: 

  • Do you consider cybersecurity a board-level issue or are you currently treating it as something IT handles?
  • If you are outsourcing your IT services, do you actually know what your IT company is doing to protect your business and clients? 
  • Are they marking their own homework? 
  • Can they at minimum show you proof and documentation before they have to show ASIC the same?
 

If you cannot clearly articulate your organisation’s current cyber posture, you do not have adequate oversight. So, to keep you and your business out of the fire:

  1. Obtain an independent assessment.
  2. Demand evidence.
  3. Get reporting you can understand.
 

You can delegate the task. You cannot delegate the responsibility. 

References

ASIC. (2026, February 9). ASIC action sees FIIG Securities ordered to pay $2.5 million over cyber security failures. Asic.gov.au. https://www.asic.gov.au/about-asic/news-centre/find-a-media-release/2026-releases/26-021mr-asic-action-sees-fiig-securities-ordered-to-pay-2-5-million-over-cyber-security-failures/

Dew, L. (2026, February 11). FIIG penalty signposts greater ASIC cybersecurity scrutiny. Money Management. https://www.moneymanagement.com.au/fiig-penalty-signposts-greater-asic-cybersecurity-scrutiny/

Saarinen, J. (2026, February 9). FIIG penalised $2.5m for cyber security failures. ITnews. https://www.itnews.com.au/news/fiig-penalised-25m-for-cyber-security-failures-623490

OAIC. (2025, October 9). Australian Clinical Labs ordered to pay penalties in relation to Medlab Pathology data breach in first for Privacy Act. OAIC. https://www.oaic.gov.au/news/media-centre/australian-clinical-labs-ordered-to-pay-penalties-in-relation-to-medlab-pathology-data-breach-in-first-for-privacy-act

© 2025 FocusNet Technology | ABN 30 606 250 006 