ASIC Just Fined FIIG Securities $2.5M for Cybersecurity Failures

The last 10 days have delivered a landmark regulatory ruling, more ransomware hitting Australian organisations, and a critical vulnerability rated 10 out of 10. Here's what matters.

🔐 4 things law firm leaders should know right now:

1. ASIC just fined FIIG Securities $2.5M for cybersecurity failures — a first. The Federal Court imposed Australia's first civil penalty for cyber failures under AFS licence obligations. FIIG had no MFA for remote access, ran one pen test in four years, and had no qualified staff monitoring alerts. The fine was 20% of their net assets. ASIC's message: the cost of the breach far exceeded what compliance would have cost. If your firm holds client data and funds, this precedent applies to you.

2. Qilin ransomware has already posted 55 victims in 2026 — and they're accelerating. Qilin claimed over 1,000 victims in 2025 (including Australian targets like Metricon Homes) and shows no signs of slowing. They don't exclude healthcare, schools, or professional services. Law firms handling sensitive client data sit squarely in their target profile.

3. ASD issued an alert for a CVSS 10.0 vulnerability (CVE-2026-21858). Actively exploited in the wild. Allows unauthenticated remote code execution through form-based workflows. If your firm runs the affected systems, patch immediately — this is as critical as it gets.

4. Australian insurer Prosura breached — attackers sent fraudulent emails to policyholders. The breach compromised customer data and was used to deliver fake policy modification emails to real clients. For law firms: your insurer's breach can become your data exposure. Know who holds your data and how they protect it.

🔧 Tool: Microsoft Secure Score (free). It is already in your M365 tenant. Most firms I review score below 50%. It benchmarks your tenant configuration against Microsoft's security baseline and tells you exactly which settings to fix. Start there before buying anything new.

💡 Tip: After the FIIG ruling, review your own cyber controls documentation. ASIC found that FIIG had policies — they just didn't follow them. The gap between "documented" and "implemented" is now a $2.5M gap.

📖 Resource: The ASD's ACSC Annual Cyber Threat Report 2024-25 — the average cost of cybercrime for large Australian businesses hit $202,700 (up 219% year-on-year). Over 1,200 incidents responded to. If your board hasn't seen this data, send it to them: Cyber Gov Threat Report

💬 Quote: "The consequences far exceeded what it would have cost FIIG to implement adequate controls in the first place." — ASIC Deputy Chair Sarah Court, February 2026

If any of this raised a governance or insurance question for your firm, happy to compare notes → [Cyber Chat]

— John

John Reeman - Virtual CISO

I'm the CEO and Founder of Cyooda Security, an independent cybersecurity and digital forensics advisory consultancy based in Sydney. I am the former CISO of King & Wood Mallesons, a global law firm, with 30 years of cybersecurity leadership protecting organisations and government agencies from data breaches, ransomware, and cyber espionage.

The Legal Cyber Brief — monthly cyber intelligence for law firm leaders. Threats, regulatory shifts, and practical tools from the field. No fluff.
