Randtronics

When Prevention Fails: Why Encryption Must Be a Board-Level Cybersecurity Control


On 10 February 2026, the Federal Court of Australia ordered financial services firm FIIG Securities to pay a $2.5 million penalty, plus $500,000 toward ASIC’s legal costs, following a 2023 ransomware incident that exposed confidential client data.

Approximately 385 gigabytes of sensitive information, including passport details, driver’s licences, tax file numbers, and bank account data, were stolen and later published on the dark web. Around 18,000 clients were affected.

Beyond the financial penalty, the ruling sets an important precedent:
Cybersecurity is now clearly a board-level governance obligation under an Australian Financial Services licence.

This decision signals a shift in regulatory expectations. It also raises a critical question for every organisation holding sensitive data: If attackers gain access to your systems, is your data still protected?

Ransomware Has Evolved. Has Your Data Protection?

Modern ransomware attacks are no longer just about encrypting systems and demanding payment.

Today’s attackers:

  1. Infiltrate networks
  2. Move laterally
  3. Exfiltrate large volumes of sensitive data
  4. Then encrypt systems
  5. And threaten public release

This “double extortion” model means that even if systems are restored, regulatory, legal and reputational damage may already be done. In this environment, prevention alone is not enough.

Firewalls, monitoring, penetration testing, and multi-factor authentication are essential controls, but no defence is perfect. The reality is that determined attackers sometimes get through.

When they do, encryption becomes the last line of defence.

Data Stolen vs. Data Compromised

There is a critical difference between:

  • Data being stolen, and
  • Data being readable and usable

If sensitive information is strongly encrypted at the database, file, or field level, and the encryption keys are properly protected and held separately from the data, stolen data may be operationally useless to attackers.

Publication on the dark web does not automatically equal exposure if the data is unreadable.

This distinction increasingly matters to regulators, boards, and insurers.

Sensitive Identity Data Carries Elevated Risk

Financial institutions and enterprises routinely store:

  • Passport details
  • Driver’s licence numbers
  • Tax file numbers
  • Banking information
  • Personal contact details

This type of information is highly valuable for identity theft and fraud. Regulators worldwide now expect organisations to apply strong technical safeguards to protect it.

Encryption of high-risk fields and databases significantly reduces the impact of a breach. It limits downstream identity fraud, reduces regulatory exposure, and demonstrates responsible governance.

Cybersecurity Is Now a Governance Obligation

The Federal Court ruling reinforces a broader trend: cybersecurity oversight is no longer confined to IT departments.

Boards are expected to:

  • Understand cyber risk exposure
  • Ensure adequate controls are implemented
  • Verify that sensitive data is appropriately protected
  • Demonstrate that governance frameworks are enforced

Encryption is not merely a technical feature – it is a measurable governance control.

When properly implemented, it provides boards with defensible evidence that client data remains protected even in the event of compromise.

Policies Alone Do Not Protect Data

Many organisations have cybersecurity policies. Fewer enforce them through strong technical controls.

Encryption provides enforcement.

Unlike procedural controls, encryption does not depend on human behaviour at the moment of attack. If correctly deployed, it operates automatically and continuously.

But not all encryption delivers equal protection.

Not All Encryption Is the Same

Some common approaches, such as full disk encryption or basic native database encryption, primarily protect against physical theft or basic storage compromise. However, if the encryption keys are accessible within the same environment, or if privileged insiders can access decrypted data freely, exposure risks remain.

Effective encryption strategies require:

  • Protection at the file and database level
  • Field-level encryption for high-risk identity data
  • Strong key management with separation of duties
  • Restricted access to encryption keys
  • Centralised oversight and auditability

Without proper key control, encryption can become a compliance checkbox rather than a true security control.
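The following Go program is an added illustration of the two points made above (stolen data versus readable data, and keys held apart from the data store); it is example code written for this post, not Randtronics' product code and not code from the original article. It assumes a hypothetical KeyCustodian type standing in for a key manager in a separate trust domain, uses AES-256-GCM from Go's standard library, encrypts only the high-risk identity fields under a per-record data key that is stored wrapped, and runs on constructed sample values. The final check asks the question the post asks: does the stored row, as an attacker would exfiltrate it, contain the identifiers in the clear?

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// KeyCustodian is a hypothetical stand-in for a key manager that lives in a
// separate trust domain from the database host. The key-encryption key (KEK)
// never leaves it; the database only ever stores wrapped data keys.
type KeyCustodian struct{ kek []byte }

func NewKeyCustodian() (*KeyCustodian, error) {
	kek := make([]byte, 32) // AES-256 KEK
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyCustodian{kek: kek}, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag; aad binds the ciphertext to a context
// (client id and field name) so values cannot be swapped between fields or
// records without failing authentication.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], aad)
}

// The database tier can only ask the custodian to wrap or unwrap a data key;
// neither call exposes the KEK itself.
func (c *KeyCustodian) WrapDEK(dek []byte) ([]byte, error) { return seal(c.kek, dek, []byte("dek-wrap")) }
func (c *KeyCustodian) UnwrapDEK(w []byte) ([]byte, error) { return open(c.kek, w, []byte("dek-wrap")) }

// ClientRecord is the row as it sits in the database, and therefore as it
// would be exfiltrated. Only the high-risk identity fields are encrypted.
type ClientRecord struct {
	ClientID   string
	Name       string // low-risk field left searchable; a deliberate design choice
	TFN        string // base64(nonce||ciphertext||tag) under the per-record DEK
	PassportNo string
	WrappedDEK string // base64 of the DEK wrapped by the custodian's KEK
}

func EncryptRecord(c *KeyCustodian, id, name, tfn, passport string) (ClientRecord, error) {
	dek := make([]byte, 32) // fresh per-record data-encryption key
	if _, err := rand.Read(dek); err != nil {
		return ClientRecord{}, err
	}
	wrapped, err := c.WrapDEK(dek)
	if err != nil {
		return ClientRecord{}, err
	}
	encField := func(field, value string) (string, error) {
		ct, err := seal(dek, []byte(value), []byte(id+"|"+field))
		return base64.StdEncoding.EncodeToString(ct), err
	}
	rec := ClientRecord{ClientID: id, Name: name, WrappedDEK: base64.StdEncoding.EncodeToString(wrapped)}
	if rec.TFN, err = encField("tfn", tfn); err != nil {
		return ClientRecord{}, err
	}
	if rec.PassportNo, err = encField("passport", passport); err != nil {
		return ClientRecord{}, err
	}
	return rec, nil
}

// DecryptRecord succeeds only for a caller that can reach the custodian that
// holds the KEK; possession of the stolen rows alone is not enough.
func DecryptRecord(c *KeyCustodian, rec ClientRecord) (tfn, passport string, err error) {
	wrapped, err := base64.StdEncoding.DecodeString(rec.WrappedDEK)
	if err != nil {
		return "", "", err
	}
	dek, err := c.UnwrapDEK(wrapped)
	if err != nil {
		return "", "", fmt.Errorf("unwrap DEK: %w", err)
	}
	decField := func(field, b64 string) (string, error) {
		ct, err := base64.StdEncoding.DecodeString(b64)
		if err != nil {
			return "", err
		}
		pt, err := open(dek, ct, []byte(rec.ClientID+"|"+field))
		return string(pt), err
	}
	if tfn, err = decField("tfn", rec.TFN); err != nil {
		return "", "", err
	}
	if passport, err = decField("passport", rec.PassportNo); err != nil {
		return "", "", err
	}
	return tfn, passport, nil
}

// ExposesPlaintext is the "stolen vs readable" check: does the stored row
// contain the sensitive value in the clear?
func ExposesPlaintext(rec ClientRecord, secret string) bool {
	return strings.Contains(fmt.Sprintf("%+v", rec), secret)
}

func main() {
	custodian, _ := NewKeyCustodian()
	// Constructed sample values, not real identifiers.
	rec, err := EncryptRecord(custodian, "C-1001", "A. Example", "123 456 782", "PA1234567")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\nTFN readable: %v\n", rec, ExposesPlaintext(rec, "123 456 782"))
	tfn, passport, err := DecryptRecord(custodian, rec)
	fmt.Println("authorised read:", tfn, passport, err)
	other, _ := NewKeyCustodian() // holder of the rows but not of the real KEK
	_, _, err = DecryptRecord(other, rec)
	fmt.Println("read without the KEK:", err)
}
```

The design choice worth noting is the separation: the database tier never sees the KEK, so an attacker who copies the rows (or a database administrator who can read them) still needs the custodian's cooperation to unwrap any data key, which is exactly where the separation of duties between system administrators and key custodians becomes enforceable rather than procedural. The additional data passed to GCM also means a tampered or rearranged row fails to decrypt rather than decrypting to the wrong value.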

Ransomware May Be Inevitable. Data Exposure Is Not.

No organisation can guarantee that it will never be targeted.

But organisations can determine the outcome.

When attackers extract data, encryption determines whether an organisation faces:

  • A contained incident with limited exposure, or
  • A full-scale regulatory and reputational crisis

The difference lies in whether sensitive data remains unreadable.

The Board-Level Questions to Ask

In light of increasing regulatory enforcement, boards and executive teams should consider:

  • What categories of sensitive data do we store?
  • Is that data encrypted at rest?
  • Are high-risk identity fields encrypted separately?
  • Where are our encryption keys held?
  • Who has access to them?
  • Is there separation between system administrators and key custodians?
  • Could stolen data be used immediately by an attacker?

These are governance questions – not just IT questions.

A New Era of Accountability

The Federal Court decision underscores a broader global shift. Regulators increasingly view cybersecurity failures as governance failures.

Encryption is not a silver bullet. It does not replace prevention. But it fundamentally changes breach impact.

In an era of sophisticated ransomware and escalating regulatory scrutiny, encryption must move from being optional or peripheral to being central in any serious cyber risk management strategy.

Because when prevention fails, encryption determines what happens next.
