IronSights

Cyber security for Australian financial services.

Financial services firms hold client data that attracts serious attention from attackers and serious scrutiny from regulators. Getting the security posture right matters for both reasons.

IronSights works with financial advisers, mortgage brokers, family offices and wealth management firms across Australia. ISO 27001 certified, Microsoft certified, and based in Sydney.

Threat landscape

Why financial services firms are targeted.

Financial services was the second-most impacted sector in Australia in 2024, accounting for 11 per cent of forensic incident response cases according to CyberCX's 2025 DFIR report. The reasons are not complicated. Your clients trust you with income records, asset details, tax returns, identity documents and in many cases ongoing access to their financial accounts. That information has real value on criminal markets, and the people after it know that financial services firms often have legacy systems, inconsistent controls and staff handling sensitive data across multiple platforms.

Business email compromise has overtaken ransomware as the most common attack type in Australian incident response caseloads. In FY2024-25 there were 91 confirmed BEC incidents across Australian organisations, an 86 per cent increase on the prior year. For financial services firms, BEC typically targets payment redirection, trust account transfers and client settlement instructions. The financial loss is immediate. The reputational damage takes longer to recover from.

Ransomware has not disappeared. It has shifted. Groups like ALPHV now combine encryption with data exfiltration, publishing client records publicly when ransoms are not paid. FIIG Securities lost approximately 385 gigabytes of data affecting around 18,000 clients in a 2023 attack traced to vulnerabilities that had sat unpatched for four years.

Credential theft remains the most common entry point. Attackers obtain staff credentials through phishing, purchase them from earlier breaches, or run password spray techniques against Microsoft 365 and aggregator portals. Once inside a tenant with weak access controls, lateral movement is straightforward.

How we help

How IronSights supports financial services firms.

The firms we work with are not looking for theory. They want to know what their actual exposure is, what needs to change, and how to demonstrate to ASIC, their PI insurer and their board that they are managing cyber risk properly.

Fortify — managed security

Our managed cyber security service. Around-the-clock monitoring across endpoints, identities, email and cloud. Rapid containment when something goes wrong. Monthly uplift and a posture report your board can read and your practice manager can action. For firms without a dedicated security function, it provides the ongoing coverage that self-managed environments rarely sustain.

Microsoft 365 security

Most Australian financial services firms run on Microsoft 365. We harden those environments: Conditional Access policies, MFA enforcement, Defender for Business, DMARC, DKIM and SPF, Secure Score improvement, and Microsoft Purview for data classification and sensitivity labelling. Client financial records, identity documents and trust deeds are automatically detected, labelled and controlled.
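As an added illustration of the DMARC and SPF part of that hardening (example code written for this page, not IronSights' tooling or any client's DNS), the following Python checks a domain's SPF and DMARC TXT records for the settings that leave it spoofable in the payment-redirection scenario described under Common questions. The records are constructed for illustration.

```python
"""Check SPF and DMARC TXT records for settings that leave a domain spoofable.
Added example: the records below are constructed, not any real firm's DNS."""

# Constructed records: a common weak starting point and a hardened version.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
WEAK_DMARC = "v=DMARC1; p=none"
HARD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
HARD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

# SPF terms that each cost one of the ten DNS lookups a record is allowed.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means it is enforced."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record: receivers apply no policy at all"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: failures are only reported, never blocked")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail may still reach the junk folder")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains can be spoofed regardless of p=")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so abuse goes unseen")
    return findings


def check_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means a hard fail is set."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record"]
    mechs = [t.lower() for t in terms[1:]]
    findings = []
    if "+all" in mechs or "all" in mechs:
        findings.append("+all: any server may send as this domain")
    elif "?all" in mechs:
        findings.append("?all: neutral result, SPF adds no protection")
    elif "~all" in mechs:
        findings.append("~all: soft fail only; rely on DMARC p=reject or move to -all")
    elif "-all" not in mechs:
        findings.append("no 'all' term: unlisted senders are not rejected")
    # Strip the qualifier (+ - ~ ?) and any ':' or '=' argument to get the term name.
    names = [m.lstrip("+-~?").split(":")[0].split("=")[0] for m in mechs]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: exceeds the limit of 10 (permerror)")
    return findings


def assess(spf: str, dmarc: str) -> dict:
    """Combine both checks; 'spoofable' is True when either record is weak."""
    spf_f, dmarc_f = check_spf(spf), check_dmarc(dmarc)
    return {"spf": spf_f, "dmarc": dmarc_f, "spoofable": bool(spf_f or dmarc_f)}
```

Run `assess(WEAK_SPF, WEAK_DMARC)` against the real records (fetched with any DNS TXT lookup) to get the same finding list for your own domain.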

Penetration testing

External network, internal network and web application penetration tests following a defined methodology. Every engagement produces a risk-rated report with an executive summary your board can read and technical guidance your IT team can act on. Thirty-day free retest included. ASIC has specifically identified penetration testing in enforcement proceedings as a control expected of AFSL holders.

Audit and assurance

We assess organisations against Essential Eight maturity levels and baseline requirements. Board-ready report, prioritised remediation roadmap and, where relevant, a compliance evidence pack for regulators, insurers and due diligence processes.

Incident response

Available 24 hours a day: containment, investigation, notification support and insurance claim documentation. Financial services firms with AUSTRAC reporting obligations should factor in the interaction between NDB notification duties and AUSTRAC secrecy provisions when building their incident response plans.

Security reviews

Most new clients start here. We identify your highest-priority gaps, give you a clear picture of where you stand against your regulatory obligations, and recommend the right next steps. No obligation to proceed further.

Compliance

Understanding your cyber security obligations.

The regulatory picture for Australian financial services firms is not straightforward. There is one distinction worth getting right before anything else.

APRA

CPS 234

APRA's CPS 234 standard has been in force since 1 July 2019. It applies to authorised deposit-taking institutions, general insurers, life companies, private health insurers and RSE licensees.

It does not apply to most financial advisers, mortgage brokers, family offices or smaller AFSL holders who are not also APRA-regulated. This gets confused regularly in industry commentary. If you hold an AFSL but not a separate APRA licence, CPS 234 is not your primary framework. Your obligations sit in the Corporations Act and the Privacy Act.

ASIC

Corporations Act s912A

AFSL holders have enforceable cyber security obligations under Corporations Act 2001 s912A(1). ASIC draws on three subsections: s912A(1)(a) requires services to be provided efficiently, honestly and fairly; s912A(1)(d) requires adequate technological resources; s912A(1)(h) requires adequate risk management systems.

In ASIC v FIIG Securities [2026] FCA 92, the Federal Court ordered $2.5 million in penalties plus $500,000 in costs. FIIG admitted breaching s912A. Two vulnerabilities had gone unpatched from 2019 until a 2023 attack exfiltrated 385GB of data affecting 18,000 clients.

ASIC v Fortnum Private Wealth (NSW Supreme Court, filed July 2025) alleges inadequate supervision of authorised representatives' cyber risk frameworks. Fortnum denies the conduct. The matter is before the courts.

Privacy Act

NDB scheme and 2024 reforms

Financial services firms are covered by the Privacy Act 1988. The Notifiable Data Breaches scheme requires notification to the OAIC and affected individuals when a breach is likely to cause serious harm.

The Privacy and Other Legislation Amendment Act 2024 added new obligations. From 10 December 2026, firms using automated or algorithmic decision-making for consequential decisions, including loan assessments and fraud scoring, must disclose this in their privacy policies under APP 1.7. Tiered civil penalties now apply, with mid-tier interferences attracting penalties of up to approximately $3.13 million.

AML/CTF

Reporting entity obligations

Mortgage brokers, financial advisers handling designated services and other AML/CTF Act reporting entities must comply with Privacy Act obligations when handling personal information for AML/CTF purposes. This applies even to small businesses below the $3 million annual turnover threshold that would otherwise be exempt from the Privacy Act.

The AML/CTF Amendment Act 2024 extends Tranche 2 reforms from 1 July 2026, bringing additional designated service providers into the regime. If your business model is changing, your AML/CTF obligations may be changing with it.

Common risks

What we see when we work with financial services firms.

Weak identity controls

The most common finding across every segment of financial services is inadequate control over user identities. MFA is either not enforced or configured with gaps: legacy authentication protocols still active, MFA bypassed via session token theft, admin accounts without phishing-resistant authentication. A compromised staff credential is often enough to reach client records, payment systems and internal communications in a single step.

Excessive administrator access

Two or three people hold global admin rights to the Microsoft 365 tenant and use those same accounts for everyday email and document work. When one account is compromised, the attacker has full control. Separating admin accounts from standard user accounts and implementing Privileged Identity Management is straightforward to set up. It rarely gets done.

Poor offboarding

A broker or adviser leaves. Their Microsoft 365 account is disabled, but their access to aggregator portals, CRM platforms and document sharing tools stays active because nobody updated a shared password spreadsheet. Former staff retain access to systems containing current client data.

Third-party application risk

Financial services firms connect many applications to their Microsoft 365 environment: CRM platforms, document management tools, e-signature software, compliance systems. Each connection is a potential entry point. Most firms have no clear picture of which applications have access to their tenant or what permissions those applications hold.

Data without classification or controls

Client files containing tax file numbers, bank statements, income declarations and identity documents sit in shared SharePoint folders with broad internal access and no restrictions on external sharing. When a staff account is compromised, an attacker can reach years of client records without triggering any alerts.

No tested incident response plan

Most firms have a written policy. Few have tested whether it works. When a ransomware event or BEC incident occurs, the practical questions (who makes the call, what gets isolated first, who contacts the insurer, when the OAIC needs to be notified) need answers that do not depend on locating the right document under pressure.

Who we work with

Financial services businesses we work with.

Financial advisers

AFSL holders and their authorised representatives face direct ASIC scrutiny on cyber security. The Fortnum proceedings have put the licensee-AR relationship under fresh scrutiny. Advisers managing client portfolios, handling sensitive personal information and working across multiple platforms need security controls that reflect both the trust clients place in them and the expectations regulators have now made explicit.

Mortgage brokers

Mortgage brokers collect some of the most sensitive personal and financial data in any service profession. Income records, asset declarations, bank statements, tax returns, credit reports and identity documents pass through a typical broker's workflow before, during and after each deal. Multiple aggregator portals, a CRM, file-sharing tools and a Microsoft 365 environment mean the attack surface is broader than most broking practices realise.

Family offices

Family offices manage concentrated wealth, often across multiple entities with complex ownership structures and a justified expectation of privacy. They are attractive targets partly because of what they hold, and partly because the security posture rarely reflects it. A breach here carries personal consequences for the individuals involved, not just business consequences for the entity.

Wealth management firms

Wealth management firms handle client portfolio data, beneficial ownership information and in many cases discretionary authority over client assets. Transaction monitoring obligations, compliance reporting and the sensitivity of client information create a demanding operational environment. When a breach occurs, the consequences reach the clients whose financial position has been exposed.

SMSF trustees

SMSF trustees hold retirement savings across ATO portals, administration platforms and investment accounts, often with a small team carrying broad system access. Email-based investment instructions and auditor document sharing widen the attack surface further. A breach here lands directly on members' retirement savings, so the controls need to reflect what is at stake.

Mortgage aggregators

Mortgage aggregators sit at the centre of large broker networks where security maturity varies widely from one practice to the next. The central platform is a high-value target in its own right, and the supervision obligations that come with an aggregator licence now extend to the cyber posture of the brokers underneath it. Setting a minimum standard across the network, and protecting the data that flows into the centre, is the core challenge.

Case study

Mortgage broking firm, Sydney.

Microsoft Secure Score 34 → 79
8 aggregator portals secured
Purview data classification deployed
8-week engagement

A Sydney mortgage broking firm with twelve brokers across two offices came to IronSights before a planned expansion. Their Microsoft 365 environment had grown without structure, the team was managing access to eight aggregator portals through a shared spreadsheet, and client documents containing payslips, tax returns and identity records were moving through shared inboxes with no consistent handling. They wanted to fix that before taking on more staff and more clients.

Getting the Microsoft Secure Score to a defensible position

Their Secure Score was 34 when we started. Legacy authentication was still on. MFA was not enforced across the tenant. Several admin accounts were being used for everyday work. We disabled legacy authentication, configured Conditional Access to enforce MFA on every sign-in, separated admin accounts from standard user accounts and deployed Defender for Business across all devices. Six weeks later the score was 79. The firm had a documented baseline they could hand to their PI insurer and reference in future compliance reviews.

Sorting out aggregator portal access

Running credentials across AFG, Connective, Finsure and five other portals through a shared spreadsheet is something a lot of broking practices do. It works until someone leaves. We implemented a business password manager and enrolled every broker individually. Each portal got unique credentials stored against that person's account. Adding a new broker or removing one who has left takes a couple of minutes from a single admin console. The practice manager now has a full audit trail.

Classifying client documents with Microsoft Purview

We set up Microsoft Purview with sensitivity labels matched to how the firm actually handles documents. Client financial and identity records are now automatically detected and labelled Highly Confidential. Those labels restrict printing, external forwarding and unapproved sharing without asking brokers to make manual decisions on every file. When Privacy Act questions arise with clients or in audits, the firm has documented evidence of how they handle client data rather than having to piece together an answer from memory.

The full engagement took eight weeks. It was not a glamorous project. It was credential hygiene, access controls and document classification, done properly across a practice that had outgrown its informal approach.

Common questions

Asked by buyers like you.

Not in this list? Call us on 1300 004 766 or book a 30-minute consultation. No obligation.

  1. Does APRA CPS 234 apply to my financial planning practice?

    Probably not directly. CPS 234 applies to APRA-regulated entities: authorised deposit-taking institutions, general and life insurers, private health insurers and RSE licensees. Most financial planning practices, mortgage broking businesses and family offices are not APRA-regulated. Your primary obligations flow from the Corporations Act if you hold an AFSL, and from the Privacy Act. Larger firms holding both an AFSL and an APRA licence face both frameworks simultaneously.

  2. What does ASIC actually require for cyber security?

    ASIC holds AFSL holders to obligations under three subsections of s912A(1): to provide services efficiently, honestly and fairly; to maintain adequate technological resources; and to maintain adequate risk management systems. There is no fixed technical standard, but enforcement proceedings have established a working benchmark. Courts have found deficiencies in vulnerability scanning, penetration testing, endpoint protection, MFA, security awareness training, firewall configuration and incident response planning. If you cannot demonstrate those controls are in place, you have enforcement exposure.

  3. What happened in the FIIG Securities case?

    In ASIC v FIIG Securities [2026] FCA 92, the Federal Court ordered FIIG to pay $2.5 million in penalties plus $500,000 in ASIC's costs. FIIG admitted breaching s912A(1)(a) and (h). Two vulnerabilities, EternalBlue and BlueKeep, had gone unpatched from 2019 until a 2023 ransomware attack exfiltrated approximately 385 gigabytes of data affecting around 18,000 clients. Civil penalties for cyber security failures are now an established enforcement outcome.

  4. What is the Fortnum Private Wealth case about?

    ASIC filed proceedings in the NSW Supreme Court against Fortnum Private Wealth in July 2025, alleging failure to maintain adequate cyber security policies and failure to supervise the cyber risk frameworks of its authorised representatives. ASIC alleges that a September 2022 attack on one Fortnum AR resulted in over 9,000 clients' data published on the dark web. Fortnum denies the conduct and the matter is before the courts. The proceeding signals that ASIC views licensees as responsible for their AR networks' cyber posture, not only their own.

  5. Do I need to notify ASIC or APRA if we have a cyber incident?

    It depends on your regulatory status. APRA-regulated entities must notify of material incidents within 72 hours under CPS 234. AFSL holders with no APRA licence have no direct Corporations Act notification obligation to ASIC, but if the incident qualifies as a notifiable data breach under the Privacy Act, notification to the OAIC and affected individuals is required without unreasonable delay. AML/CTF reporting entities face an additional layer: AUSTRAC secrecy provisions can affect what you are permitted to disclose about incidents involving suspicious matter reports.

  6. What does a notifiable data breach mean for a financial services firm?

    A notifiable data breach occurs when personal information is accessed or disclosed without authorisation and there is a real risk of serious harm to the individuals affected. For a firm holding income records, bank statements, tax file numbers and identity documents, most significant breaches will meet that threshold. You must notify both the OAIC and the people affected. The Privacy and Other Legislation Amendment Act 2024 has increased the penalties available to the OAIC for serious or repeated interferences with privacy.

  7. Are mortgage brokers required to comply with AML/CTF laws?

    Some are. Mortgage brokers who provide certain credit services or act as intermediaries for designated services under the AML/CTF Act are reporting entities and carry AML/CTF compliance obligations. Those entities must also comply with Privacy Act obligations when handling personal information for AML/CTF purposes, even if they are small businesses below the $3 million turnover threshold that would otherwise exempt them.

  8. What are the new automated decision-making requirements coming in 2026?

    From 10 December 2026, firms using computer programs to make consequential decisions about individuals, including loan assessments, fraud scoring and automated onboarding, must disclose this in their privacy policies under APP 1.7, introduced by the Privacy and Other Legislation Amendment Act 2024. If you use algorithmic tools in your client processes and your privacy policy does not address this, it needs updating before that date.

  9. How is business email compromise affecting financial services firms?

    BEC overtook ransomware as the most common attack type in Australian incident response caseloads in FY2024-25, reaching 91 confirmed incidents, an 86 per cent increase on the prior year. In financial services, attackers typically compromise a staff email account, monitor correspondence to understand transaction patterns, then intervene at the right moment with instructions that appear legitimate. DMARC, DKIM and SPF configuration, MFA across all accounts, and regular staff awareness training reduce this exposure more than most other controls.

  10. What is Essential Eight and does it apply to my firm?

    The Essential Eight is a set of cyber security controls published by the Australian Signals Directorate, mandatory for Commonwealth government entities and widely used by Australian businesses as a practical baseline. For financial services firms, Essential Eight maturity is increasingly relevant in PI insurance renewals, client due diligence and in demonstrating adequate risk management systems under s912A(1)(h). The eight controls are application control, patching, macro settings, user application hardening, admin privilege restriction, operating system patching, MFA and regular backups.

  11. What is a security review and how does it differ from a penetration test?

    A security review assesses your posture across people, process and technology. It identifies gaps, prioritises remediation and maps your position against regulatory obligations. It does not involve attempting to exploit vulnerabilities. A penetration test does: it simulates an attacker trying to get in and produces a risk-rated list of confirmed vulnerabilities with remediation guidance. Most firms benefit from starting with a review to understand the full picture, then using penetration testing as part of a broader programme. For firms considering building an internal security function rather than outsourcing, our guide to cyber security roles and salaries in Australia covers what those teams look like and what they cost.

  12. How long does a typical engagement take?

    A security review usually runs two to three weeks from initial conversation to report. Most external network penetration tests complete within a week, depending on scope. Fortify takes four to six weeks from contract to full detection going live. Those are averages. Scope determines timeline and we are upfront about that from the first call.

  13. Do you work with firms outside Sydney?

    Yes. Most of our work is delivered remotely and we work with financial services firms across Australia. For physical security engagements, CCTV, door access and secure office moves, we operate across metropolitan NSW and can extend nationally where it makes sense.

Start with a review

A structured security review is the quickest way to understand where you actually stand.

We look at your Microsoft 365 environment, identity and access controls, how client data is handled and stored, and whether your incident response plan would hold up under real conditions. You get a practical roadmap at the end.

ISO 27001 and ISO 9001 certified. NSW Master Security Licence 000109187. Microsoft certified security engineers. Australian-owned. Sydney-based.