ARC NEXUS
Independent Cyber Governance
Board Governance Insights

Cyber accountability is now evidence, not assertion

What ASIC v FIIG means for how Australian Boards evidence who owns and oversees cyber risk.

By Ashwin Ram, Founder and Managing Director, ARC Nexus
Published 4 July 2026 · Last reviewed 4 July 2026 · 5 min read

On 9 February 2026, the Federal Court ordered FIIG Securities to pay $2.5 million for cyber security failures. ASIC described it as the first time the Federal Court had imposed a civil penalty on a financial services licensee for cyber security failures under the general AFS licensee obligations.

The headline was the number. The signal for Boards sits elsewhere. For directors, the lesson is not to become technologists. It is to know what would evidence that cyber risk was owned, challenged and governed.

ASIC did not argue that being attacked made FIIG liable. The Court was explicit that a cyberattack does not, on its own, establish a failure to meet statutory obligations, and that ASIC was not seeking an unattainable standard. The finding was narrower, and harder to dismiss. Across more than four years, and despite knowing the risks it carried, FIIG admitted, and the Court accepted, that it lacked adequate cyber controls, resources and risk management systems. Part of that failure is the part Boards should sit with. Some controls were missing outright. Others existed in policy but were not fully implemented, maintained, monitored or resourced, and FIIG had not put people with the skill, responsibility and time in place to own that work.

The Court was direct about why the penalty mattered. It was set to send "a warning to businesses with inappropriate underinvestment in cybersecurity."

That is a different test from the one many Board cyber conversations are still built around.

The question has moved

For a decade, Board cyber discussions have circled a question management can answer with a dashboard. Are our controls adequate? FIIG, and the live Fortnum matter alongside it, move that question onto governance ground, where the Board's own role has to be evidenced.

ASIC's case against Fortnum Private Wealth was filed in July 2025 and remains live. A directions hearing set for 13 July 2026 was vacated, and the matter is now listed for directions on 28 September 2026. It is instructive precisely because it is not, at its core, about a firewall. ASIC alleges inadequate policies, frameworks, systems and controls, inadequate oversight and monitoring of authorised representatives' cyber risk and cyber resilience, and a risk management system that did not document roles and responsibilities, or enable cyber issues to be identified, reported and escalated. Who was accountable. What they owned. Whether it can be shown.

This is the question underneath the frameworks a Board is measured against. The Corporations Act duty of care. APRA CPS 234 and CPS 230. The ASX Corporate Governance Principles. The AICD and Cyber Security Cooperative Research Centre principles. They do not all operate the same way. Some are law, some are prudential standards, some are market guidance, some are Board guidance, and they do not all apply to every entity. But they point in one direction. Accountability for cyber-risk oversight should be clearly defined, properly approved, and recorded, not left to inference. The last of those, the record, is the part most often assumed rather than demonstrated.

The Board question
Can your Board evidence who is responsible for cyber-risk oversight, which forum owns it, and how that oversight was exercised and recorded?

"We discuss it regularly" is not that answer. Discussion is not a record. Intent is not a delegation. A capable CISO is not, in itself, a governance trail. The discipline directors already apply to financial reporting applies here: the test of a cyber report is not whether the dashboard looks polished, but whether the Board can see the material risks, the limits of assurance, and the decisions and escalations that followed, in a form that supports judgment.

The director-level dimension

No proceedings were brought against FIIG's directors. Even so, ASIC has been explicit that the exposure can be personal. Its then Chair, Joe Longo, said that where Boards do not give cyber security and resilience sufficient priority, that creates "a foreseeable risk of harm to the company" and exposes directors to potential ASIC enforcement action for failing to act with reasonable care and diligence, the duty in section 180 of the Corporations Act. ASIC also identified cyber-attacks, data breaches and operational resilience in its 2026 Key Issues Outlook, and framed the FIIG outcome as setting "a clear licence-to-operate expectation for robust cyber resilience." A licence to operate is a Board-level idea, not a technical one.

Cyber is a non-financial risk, and non-financial risk oversight is where regulatory attention has lately concentrated. There is a subtlety here that is easy to miss: the comfort of a reasonable decision only holds for decisions the Board actually made. A Board that never turned its mind to cyber has not made a judgment it can stand behind. Which is why the record matters: it is the difference between oversight that happened and oversight that was assumed.

For a director, the stronger position is not "we trusted management." It is a record of informed oversight: who owned the risk, what the Board was told, what it challenged, what was escalated, and what was followed up. A record of passive receipt is weak evidence of oversight. A record of active oversight is the point.

What evidenced accountability looks like

It is unglamorous. That is the point. It lives in artefacts a Board already produces, used with intent rather than left to inference.

  • A Board or committee charter that names the forum accountable for cyber-risk oversight.
  • A recorded delegation showing how that responsibility flows, and to whom.
  • Reporting papers and minutes that show the forum exercised the oversight it owns, on a defined cadence.
  • An accountability map a regulator, an auditor, or a court could follow without your explanation.

None of this requires a platform or a transformation programme. It requires the Board to treat its own governance as evidence, and to test whether that evidence exists before anyone else does.

The questions worth asking at the next meeting

Not simply "are we secure?" That question invites a technical answer. The Board's question is whether cyber risk is being governed within appetite, and whether the evidence would show informed oversight if it were tested. Directors do not need management to walk them through every control. They need to know whether the governance would withstand scrutiny. A few questions usually expose the gap:

Questions worth asking
  1. 1.Where is cyber risk formally owned in our governance structure?
  2. 2.What is reserved to the Board, and what has been delegated to management?
  3. 3.Does our reporting show cyber risk running within the appetite the Board approved?
  4. 4.What independent assurance tells us that reporting is reliable?
  5. 5.If a material incident happened tomorrow, what record would show our escalation, challenge, decisions and follow-up?

If those answers depend mainly on verbal explanation rather than charters, delegations, minutes, assurance and an accountability map, the Board has an evidence gap to close before it is tested externally. FIIG is the reminder that cyber governance is now tested through evidence, not intention.

Not assumed. Evidenced.

Court findings and admissions are distinguished from allegations throughout. The Fortnum Private Wealth matter remains undetermined. This is governance commentary, not legal advice.

Ashwin Ram, Founder and Managing Director of ARC Nexus

Ashwin Ram (GAICD, CISM) is the Founder and Managing Director of ARC Nexus, an independent cyber governance advisory practice for Australian Boards, Audit and Risk Committees and senior leaders. He combines formal governance training with more than fifteen years in cybersecurity.

Sources

Key regulatory, case and framework sources for this article are set out below.

From article to assessment

Testing this on your own Board

This article reflects one of the questions an ARC Nexus review is built to answer: whether accountability for cyber oversight is clear, evidenced and decision-useful. A confidential briefing determines whether a Board Cyber Governance Review is warranted, and how it would be scoped.

Request a confidential Board briefing