ASIC Set the Duty. Then It Set the Price.
Cyber risk is a licence and director-duty obligation — and boards must now evidence it, not assert it.

Can your board evidence its cyber position, or only describe it? ASIC’s 26-092MR expects evidence of control effectiveness. A passive external assessment is where that evidence begins.

Assess Your Exposure →

If you sit on an Australian board, start with the sentence that should stop you. In June 2026 a court fined two executives $1.1 million between them, and banned them from running any company for a combined thirteen years — for negligence. Not fraud. Failing to escalate a risk they should have caught. The duty they breached, section 180 of the Corporations Act, is the same duty that makes cyber security your problem, personally. And ASIC has said, in writing, that cyber is where it is looking next. There is no bespoke cyber law doing this. The duty of care every director already owes, and the licence conditions every AFSL holder already carries, are enough.

2022
The rule. RI Advice — a court confirms cyber is a licence obligation and a director’s duty of care
Source: ASIC v RI Advice [2022] FCA 496
$2.5M
The company pays. FIIG Securities — the first cyber civil penalty, after 385GB was stolen from 18,000 clients
Source: ASIC v FIIG [2026] FCA 92
$1.1M
The directors pay. Star executives fined personally and disqualified for 13 years under s180 — for negligence, not fraud
Source: ASIC v Bekier [2026] FCA 756

The precedent: RI Advice

In ASIC v RI Advice Group Pty Ltd [2022] FCA 496, the Federal Court declared that RI Advice had breached sections 912A(1)(a) and (h) of the Corporations Act — the obligations to provide financial services efficiently, honestly and fairly, and to maintain adequate risk-management systems — by failing to have adequate cybersecurity documentation and controls across its authorised representative network. The finding followed nine cyber incidents over roughly six years, including an intrusion that compromised thousands of clients’ personal information.

The Court made two points that still frame every board’s exposure. Cyber risk cannot be reduced to zero, but it can and must be materially reduced through adequate controls to an acceptable level. And adequacy is a question for the court, informed by qualified expert evidence — not a matter of management’s own assurance. Notably, no pecuniary penalty was imposed; the case was about establishing the obligation, not punishing it.

The escalation: FIIG

The punishment came later. In ASIC v FIIG Securities Limited [2026] FCA 92, the Federal Court imposed a $2.5 million penalty on the licensee after cyber-security failures over a four-year period culminated in the theft of roughly 385GB of confidential client data belonging to about 18,000 clients. It was the first time civil penalties were awarded for cyber failures under an AFSL holder’s general obligations. RI Advice established that the duty existed. FIIG established what ignoring it now costs.

Every time, the gap was already known This is the thread ASIC keeps pulling, and it matters more than any penalty figure. RI Advice relied on written attestations from its adviser network that the required controls were in place; a review found they were not — the paper said one thing, the systems another. It had engaged independent experts after its 2017 breach, then took nearly three years to act on their recommendations. FIIG went further still: the Court’s finding was specifically that it failed to implement controls it had already identified in its own risk framework. It never ran a vulnerability scan, tested only its external perimeter, and sat on its own alerts — and an ASD warning — for days. In both cases the Court ordered an independent expert review as remediation. Neither firm was undone by an unknowable threat. Each was undone by a known gap that no one had independently verified was closed.
On the “Medibank” framing It is a common shorthand to attribute financial-services cyber liability to the Medibank matter. That is the wrong file. Medibank’s consequences ran through the OAIC (civil penalty proceedings under the Privacy Act) and APRA (a capital add-on). ASIC’s directors’-and-licensees’ cyber line runs through RI Advice and FIIG — distinct regulators, distinct statutes, distinct obligations. For directors weighing personal exposure, the distinction is not pedantic; it determines which duty is being tested.

The expectation, now in writing: 26-092MR

On 8 May 2026, ASIC Commissioner Simone Constant issued open letter 26-092MR to AFS licensees, market participants and their directors. Its trigger was frontier artificial intelligence and the way it intensifies existing cyber risk; its substance is a set of expectations aimed squarely at the boardroom. The letter sets out twelve specific actions and four governance expectations, anchors the legal standard in the FIIG judgment — cyber risk management must be demonstrably effective and proportionate to the size, nature and complexity of the business — and instructs that the letter itself be tabled and discussed at the ultimate board and risk governance committees.

One line captures the shift in what ASIC will accept as evidence: boards are expected to be able to evidence their cyber position, not merely assert it. Dashboards, management assurances and a signed policy are assertions. Test results, independent findings and a documented external view are evidence. Commissioner Constant’s framing was blunter still — the clock, she said, is at a minute to midnight.

Where directors sit in this

ASIC’s cyber cases so far — RI Advice, FIIG — have run through the licensee, not the individuals. Do not read comfort into that. The pathway to personal liability is not theoretical; it is the most active area of ASIC enforcement, and it is built on the “stepping-stones” approach: a company’s contravention becomes the basis for alleging that its directors breached the duty of care and diligence under section 180(1). A director who could have ensured a foreseeable risk was managed, and did not, is exactly the fact pattern that duty is built for.

It is already producing seven-figure personal penalties. In ASIC v Bekier [2026] FCA 756, handed down on 17 June 2026, the Federal Court penalised two former Star Entertainment executives a combined $1.1 million and disqualified them for thirteen years between them — the former CEO $700,000 and six years, the former general counsel $400,000 and seven — for negligent failures to escalate risk under s180. ASIC’s Chair called it the most significant governance case of his tenure. The subject was money laundering. The duty is identical for cyber, and ASIC has told boards, in 26-092MR, that cyber is where it is now looking. The question is not whether a director can be reached for a cyber failure. It is when.

Fined, or jailed? Be precise about the threat, because precision is what makes it real. Section 180 is a civil penalty provision: a negligent director faces personal fines of up to $1.565 million per contravention and disqualification from managing companies — not prison. Jail, up to fifteen years, is reserved for dishonest conduct, not negligence. No Australian director has been imprisoned for a cyber failure, and on negligence alone, none will be. But a career-ending disqualification and a seven-figure personal penalty, uninsurable in part and awarded on the balance of probabilities, is not a lesser threat. It is the one that is actually happening.

A BlackFlag Advisory assessment gives a board the artefact ASIC now asks for: an independent, external, point-in-time record of what the organisation exposes to the internet, rated as risk, mapped to the s912A obligations and the 26-092MR expectations, and ready to table. It is passive and accesses no systems. It is the difference between a board that can evidence its position and one that can only describe it.

Sources & references

Is Your Cyber Position
Evidenced, or Just Asserted?

A BlackFlag Advisory assessment gives your Board an independent, external view of what your organisation exposes — mapped to your licence obligations and ASIC’s expectations, before an incident makes it an enforcement question.

Request an Assessment →
Passive Only — No Systems Accessed

All BlackFlag Advisory assessments use exclusively passive OSINT techniques and publicly available data sources. No systems, networks, or accounts are accessed, probed, or tested at any time. Board-ready output delivered within three to seven business days.