The Hidden Liability in Every M&A Deal: Why Cyber Governance Maturity Is Now a Valuation Factor

The FIIG Securities case should be required reading for every board member and executive involved in mergers and acquisitions.
In February 2026, the Federal Court ordered FIIG Securities to pay $2.5 million in penalties plus $500,000 in costs following a 2023 ransomware attack that exposed approximately 385 gigabytes of sensitive client data, including passport details, bank account information, and tax file numbers belonging to around 18,000 customers.
FIIG was acquired by Nomura Research Institute-owned Australian Investment Exchange (AUSIEX) in June 2025 and is now a subsidiary of the latter entity.
The Australian Securities and Investments Commission (ASIC) found that FIIG had failed to implement adequate cybersecurity measures across a four-year period.
There was no multi-factor authentication for remote access, no tested incident response plan, insufficient qualified personnel, and no regular penetration testing or vulnerability scanning.
The controls existed on paper only and were not operationalised.
That distinction is the most important lesson this case offers. And it is one that M&A due diligence consistently fails to interrogate.
Traditional Due Diligence Has a Structural Blind Spot
When your organisation evaluates an acquisition target, your diligence process almost certainly covers financial performance, legal exposure, commercial contracts, audit history, and policy documentation.
Your cyber review may examine whether frameworks such as Essential Eight are nominally in place, review tool inventories, and consider external audit summaries or penetration test results.
What is rarely tested rigorously is whether compliance is actually operationalised.
There is a fundamental difference between an organisation that has adopted a security framework and one that has embedded that framework into its daily operational workflows.

Many organisations can demonstrate that they have policies in place, own dozens of security tools, and conduct periodic audits.
Far fewer can demonstrate that they continuously measure control effectiveness, integrate compliance into IT service management workflows, govern third-party suppliers in real time, or provide executive leadership with live visibility of compliance drift.
FIIG could not demonstrate the latter, so ASIC and the Federal Court drew a direct line between that gap and a $3 million liability.
When You Acquire a Company, You Acquire Its Governance Failures
Cyber risk is now vicarious in M&A. When your organisation acquires a target, you do not merely acquire its revenue, its customers, and its contracts.
You also acquire its embedded control weaknesses, supplier governance gaps, cultural approach to compliance, and latent regulatory exposure.
If compliance exists primarily as documentation, rather than as an automated, continuously measured operational reality, that exposure transfers with the shares.
A breach may not yet have occurred. A regulatory investigation may not yet have begun.
But if lawful obligations are not demonstrably operationalised at the time of acquisition, your organisation inherits that structural weakness in its entirety.
In today’s regulatory environment, where ASIC has demonstrated its willingness to pursue civil penalties for cybersecurity failures, that risk is not theoretical; it is priced in. And if you have not priced it, you have overpaid.
The New Standard: Operational Service Compliance
Boards are increasingly expected to provide assurance that cybersecurity obligations are continuously monitored, independently evidenced, integrated across third-party suppliers, linked to contractual service commitments, and visible at the executive level.
The shift from policy compliance to operational service compliance represents a materially different standard of governance maturity.
Achieving it requires continuous control monitoring, automated evidence collection, clear accountability frameworks, integration with service management platforms, and real-time reporting on supplier performance and compliance.
Without this operationalisation, your organisation (and the targets you acquire) remains dependent on manual reporting, retrospective reviews, and fragmented tooling. These are conditions that obscure risk rather than govern it.
They are also conditions that regulators and courts are no longer willing to accept as evidence of due diligence.
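The distinction between controls that exist on paper and controls that are continuously evidenced can be made concrete in a due diligence workbook. The following is an added illustration, not code from the article or from any tool it mentions: it scores a target against the four control gaps cited in the FIIG findings, treating a policy document without machine-collected evidence as "paper only" and evidence older than an assumed freshness window as "stale". The obligation list, freshness windows, review date and evidence records are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Evidence:
    control: str    # obligation this evidence relates to
    kind: str       # "policy" = document only, "operational" = machine-collected result
    collected: date # when the evidence was produced
    passed: bool    # whether the check passed
# Hypothetical freshness windows for the four gaps cited in the FIIG findings.
OBLIGATIONS = {
    "mfa_remote_access": timedelta(days=1),    # daily export from the identity provider
    "ir_plan_tested": timedelta(days=365),     # annual tabletop or live exercise
    "pentest": timedelta(days=365),
    "vuln_scan": timedelta(days=30),
}

def assess(evidence, obligations, today):
    """Map each obligation to 'operationalised', 'failing', 'stale', 'paper_only' or 'missing'."""
    status = {}
    for ctl, max_age in obligations.items():
        items = [e for e in evidence if e.control == ctl]
        ops = [e for e in items if e.kind == "operational"]
        if not items:
            status[ctl] = "missing"
        elif not ops:
            status[ctl] = "paper_only"   # the FIIG pattern: controls on paper only
        else:
            latest = max(ops, key=lambda e: e.collected)
            if today - latest.collected > max_age:
                status[ctl] = "stale"
            else:
                status[ctl] = "operationalised" if latest.passed else "failing"
    return status

def drift(status):
    """Share of obligations that cannot be evidenced as operationalised right now."""
    return sum(s != "operationalised" for s in status.values()) / len(status)
# Constructed evidence for a hypothetical target, as of an assumed review date.
REVIEW_DATE = date(2026, 3, 1)
SAMPLE = [
    Evidence("mfa_remote_access", "policy", date(2022, 1, 10), True),
    Evidence("ir_plan_tested", "operational", date(2024, 2, 1), True),
    Evidence("pentest", "operational", date(2025, 11, 15), True),
    Evidence("vuln_scan", "operational", date(2026, 2, 20), False),
]

def review_sample():
    status = assess(SAMPLE, OBLIGATIONS, REVIEW_DATE)
    return status, drift(status)
```

A drift of 0.75 here means three of four obligations cannot be evidenced as operational at the review date, which is the number a valuation discussion would need rather than a count of policies on file.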
The Due Diligence Question Has Changed
The core question in cyber due diligence is no longer: “Has this organisation experienced a breach?”
It is: “Can this organisation prove that its lawful obligations are continuously operationalised across its internal teams and third-party supply chain?”
If the answer to that question relies on static dashboards, quarterly audit summaries, or manual attestations, governance maturity has not been structurally embedded.
And if it has not been embedded, it has not been priced correctly.
Governance Maturity Is Becoming Part of the Deal Multiple
In 2026 and beyond, enterprise value will increasingly reflect the maturity of operational governance, the coherence between policy, tooling, and contracts, the visibility of third-party compliance, and the ability to evidence lawful security obligations in real time.
The organisations that recognise this early and invest in the infrastructure to demonstrate it will not only reduce their own regulatory exposure, but also negotiate acquisitions from a position of genuine strength, with the evidence to support a more accurate valuation of any target they consider.
The FIIG case is a clear signal of the direction of regulatory intent in Australia.
The question for your board is not whether this standard will be applied to your organisation or the assets you acquire. It is whether you will be ready when it is.
Because compliance is no longer a reporting exercise. It is an operational discipline. And in M&A, operational discipline directly influences valuation.