An AFS Licensee First: Receiving an Order to Pay AU$2.5 Million for Cybersecurity Failures

By: Cameron Abbott, Daniel Knight, Rob Pulham, Alex Parker, Madison Jeffreys, Emre Cakmakcioglu and Annaliese Filippis

In a key decision against an Australian financial services licence (AFSL) holder, the Federal Court of Australia has ordered the AFSL holder to pay AU$2.5 million in penalties for inadequate cybersecurity measures. The Australian Securities and Investments Commission (ASIC) took action following a cyberattack on the AFSL holder’s IT systems, resulting in approximately 385GB of data being downloaded from its servers. 

This is the first time civil penalties have been imposed for cybersecurity failures pursuant to general AFSL obligations. The Court found the AFSL holder failed to comply with the following obligations under the Corporations Act 2001 (Cth):

  • Efficient, honest, and fair financial services (s 912A(1)(a)): the AFSL holder lacked an adequate incident response plan, including measures such as monitoring threat alerts or providing mandatory cybersecurity awareness training.
  • Adequate resources (s 912A(1)(d)): the AFSL holder delegated responsibility for its IT security measures to staff without adequate skills or knowledge and did not dedicate sufficient financial resources towards adequate cybersecurity measures.
  • Adequate risk management systems (s 912A(1)(h)): the AFSL holder failed to implement, maintain and monitor controls outlined in its risk management system, including under its IT Information Security Policy, Cyber and Information Security Policy, and its annual audits of custodial services. 

In addition to the AU$2.5 million penalty and $500,000 in costs awarded to ASIC, the AFSL holder must undertake a compliance programme which involves engaging an independent expert to ensure its cybersecurity and cyber resilience systems are reasonably managed. Importantly, the court found the penalties and remediation costs far exceeded what it would have cost the AFSL holder to implement adequate controls in the first place.

Key Takeaways:

  • AFS licensees must fully implement controls in their risk management systems and maintain adequate resources, systems and training.
  • ASIC will penalise underinvestment in cybersecurity, with penalties likely to exceed the costs of initially implementing adequate controls. 

You can read more from ASIC’s media release here.

Copyright © 2026, K&L Gates LLP. All Rights Reserved.