The Cybersecurity Remediation Gap has a Real Price Tag
In early February, Australia's Federal Court imposed a civil penalty on FIIG Securities of $2.5 million for failing to maintain adequate cybersecurity over a four-year period. The Court also ordered FIIG to pay $500k towards ASIC’s costs. ASIC brought the case after a 2023 breach that saw 385GB of confidential client data (including passports, driver's licences, and bank details) stolen and some client information appearing on the dark web.
In the judgment, Justice Derrington set out a series of baseline controls that were missing or only partially implemented at FIIG, including patch management, vulnerability scanning, regular penetration testing, multi-factor authentication for remote access, and effective EDR coverage and monitoring.
Two numbers from the case stand out. The cost of compliance over the four-year period would have been approximately $1.2 million. The fine was $2.5 million, on top of $1.5 million in direct remediation costs: roughly $4 million in total, before ASIC's costs. Underinvestment in security cost FIIG more than three times what adequate protection would have.
The Judge was direct: the penalty is intended to send a warning to businesses that underinvest in cybersecurity.
For financial services organisations in Australia - and those watching closely from across the Tasman - the signal is clear. The case shows that regulators expect known vulnerabilities to be addressed, and "we couldn't get to it" is not a defence.
This is where the remediation gap matters. Many organisations know where their application vulnerabilities are. The challenge is fixing them. Developer-led remediation takes time - often many months - particularly in legacy or third-party applications where code changes are slow, expensive, or not possible at all.
If you're reviewing your exposure in light of this ruling, we'd welcome a conversation.