If you sit on an Australian board, start with the sentence that should stop you. In June 2026 a court fined two executives $1.1 million between them, and banned them from running any company for a combined thirteen years — for negligence. Not fraud. Failing to escalate a risk they should have caught. The duty they breached, section 180 of the Corporations Act, is the same duty that makes cyber security your problem, personally. And ASIC has said, in writing, that cyber is where it is looking next. There is no bespoke cyber law doing this. The duty of care every director already owes, and the licence conditions every AFSL holder already carries, are enough.
The precedent: RI Advice
In ASIC v RI Advice Group Pty Ltd [2022] FCA 496, the Federal Court declared that RI Advice had breached sections 912A(1)(a) and (h) of the Corporations Act — the obligations to provide financial services efficiently, honestly and fairly, and to maintain adequate risk-management systems — by failing to have adequate cybersecurity documentation and controls across its authorised representative network. The finding followed nine cyber incidents over roughly six years, including an intrusion that compromised thousands of clients’ personal information.
The Court made two points that still frame every board’s exposure. Cyber risk cannot be reduced to zero, but it can and must be materially reduced through adequate controls to an acceptable level. And adequacy is a question for the court, informed by qualified expert evidence — not a matter of management’s own assurance. Notably, no pecuniary penalty was imposed; the case was about establishing the obligation, not punishing it.
The escalation: FIIG
The punishment came later. In ASIC v FIIG Securities Limited [2026] FCA 92, the Federal Court imposed a $2.5 million penalty on the licensee after cyber-security failures over a four-year period culminated in the theft of roughly 385GB of confidential client data belonging to about 18,000 clients. It was the first time civil penalties were awarded for cyber failures under an AFSL holder’s general obligations. RI Advice established that the duty existed. FIIG established what ignoring it now costs.
The expectation, now in writing: 26-092MR
On 8 May 2026, ASIC Commissioner Simone Constant issued open letter 26-092MR to AFS licensees, market participants and their directors. Its trigger was frontier artificial intelligence and the way it intensifies existing cyber risk; its substance is a set of expectations aimed squarely at the boardroom. The letter sets out twelve specific actions and four governance expectations, anchors the legal standard in the FIIG judgment — cyber risk management must be demonstrably effective and proportionate to the size, nature and complexity of the business — and instructs that the letter itself be tabled and discussed at the ultimate board and risk governance committees.
One line captures the shift in what ASIC will accept as evidence: boards are expected to be able to evidence their cyber position, not merely assert it. Dashboards, management assurances and a signed policy are assertions. Test results, independent findings and a documented external view are evidence. Commissioner Constant’s framing was blunter still — the clock, she said, is at a minute to midnight.
Where directors sit in this
ASIC’s cyber cases so far — RI Advice, FIIG — have run through the licensee, not the individuals. Do not read comfort into that. The pathway to personal liability is not theoretical; it is the most active area of ASIC enforcement, and it is built on the “stepping-stones” approach: a company’s contravention becomes the basis for alleging that its directors breached the duty of care and diligence under section 180(1). A director who could have ensured a foreseeable risk was managed, and did not, is exactly the fact pattern that duty is built for.
It is already producing seven-figure personal penalties. In ASIC v Bekier [2026] FCA 756, handed down on 17 June 2026, the Federal Court penalised two former Star Entertainment executives a combined $1.1 million and disqualified them for thirteen years between them — the former CEO $700,000 and six years, the former general counsel $400,000 and seven — for negligent failures to escalate risk under s180. ASIC’s Chair called it the most significant governance case of his tenure. The subject was money laundering. The duty is identical for cyber, and ASIC has told boards, in 26-092MR, that cyber is where it is now looking. The question is not whether a director can be reached for a cyber failure. It is when.
A BlackFlag Advisory assessment gives a board the artefact ASIC now asks for: an independent, external, point-in-time record of what the organisation exposes to the internet, rated as risk, mapped to the s912A obligations and the 26-092MR expectations, and ready to table. It is passive and accesses no systems. It is the difference between a board that can evidence its position and one that can only describe it.
Sources & references
- ASIC 26-092MR — Open letter on cyber resilience (8 May 2026)
- ASIC v FIIG Securities Limited [2026] FCA 92 — ASIC media release 26-021MR
- ASIC v RI Advice Group Pty Ltd [2022] FCA 496 — Federal Court of Australia
- Corporations Act 2001 (Cth) — ss 180, 912A (Federal Register of Legislation)
- ASIC 22-104MR — Court finds RI Advice failed to adequately manage cybersecurity risks (attestations; independent expert order)