Cyber security for Australian financial advisers.
ASIC holds AFSL holders to enforceable cyber security obligations under s912A. Enforcement outcomes have set a clear technical baseline. IronSights helps advisory practices meet those obligations, protect client data, and build a security posture that holds up under regulatory scrutiny.
ISO 27001 certified, Microsoft certified security engineers, Sydney-based. We work with financial advisers, dealer groups and their authorised representative networks across Australia.
Threat context
Why financial advice practices are targeted.
A financial advice practice holds a concentrated record of client wealth: income, assets, liabilities, superannuation balances, estate planning details and identity documents. That information has direct value on criminal markets and indirect value in fraud, identity theft and account takeover. The clients who provided it trusted that it would be protected.
Business email compromise has overtaken ransomware in Australian incident response caseloads. In financial advice, the primary target is settlement instructions and investment authority communications. An attacker who has compromised a staff inbox, or convincingly spoofed one, can intervene in a transaction at exactly the right moment. The financial loss can be immediate and irreversible.
ASIC has made the regulatory consequences of inadequate controls concrete. RI Advice Group (2022) was ordered to implement a cyber security program covering all of its authorised representatives. FIIG Securities (2026) was penalised $2.5 million after admitting to sustained failures in patching, MFA and incident response. Fortnum Private Wealth faces proceedings over its supervision of AR networks, a matter before the courts.
The pattern in enforcement outcomes is consistent: the failures that attract ASIC attention are not sophisticated. They are basic controls, missing or not enforced, over a sustained period.
Common risks
What we find when we work with advisory practices.
ASIC licence exposure
AFSL holders face direct civil penalty risk under s912A for absent cyber controls. RI Advice (2022), FIIG Securities (2026) and the ongoing Fortnum matter each trace the failure back to controls a competent IT provider would have included by default: absent MFA, no tested incident response plan, ad hoc patching. The question regulators now ask is not whether something went wrong, but whether the firm maintained adequate controls at the time.
Licensee liability for AR networks
ASIC's proceedings against Fortnum Private Wealth allege that the licensee failed to mandate minimum cyber standards across its authorised representative network and failed to supervise compliance. A dealer group's cyber risk surface extends to every AR it authorises. Whether each AR has MFA enforced, is completing security awareness training and has a functioning incident response process are questions the licensee may need to answer to ASIC.
Multiple platform credentials
A typical financial adviser operates across a practice management platform, CRM, document management tool, Microsoft 365, client portal, product registries and potentially several platform logins. Credentials spread across these systems, often managed inconsistently, create compounding exposure. One phished account can open a path to client records across multiple systems.
Statement of advice and client document handling
SOAs, ROAs, client fact finds, identity documents and investment authority letters contain concentrated personal and financial information. In many practices these documents are stored in shared SharePoint folders with broad internal access. When a staff account is compromised, years of client records are reachable without triggering any alerts.
Business email compromise targeting settlement instructions
Attackers who gain access to an adviser's inbox, or successfully spoof it, can intercept client communications about upcoming transactions and substitute fraudulent payment instructions. Clients have no reason to question an email that appears to come from their adviser. A well-crafted message from a compromised or spoofed account will pass that test. DMARC, DKIM and SPF configuration and MFA on the email account are the two controls that address this most directly.
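As an added illustration of the email authentication control named above (not IronSights' code or tooling), this Python checks a domain's SPF and DMARC records for the settings that leave it spoofable and reports what to correct. The records are constructed samples for hypothetical domains (in practice they would be fetched from DNS), and DKIM is left out because it requires per-selector lookups.

```python
import re

# Constructed sample records for hypothetical domains (not real DNS data).
# "spf" is the domain's own TXT record; "dmarc" is the _dmarc.<domain> TXT record.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "hardened.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened.example; adkim=s; aspf=s",
    },
    "missing.example": {},  # neither record published
}

def parse_tags(record):
    """Parse DMARC 'tag=value; tag=value' syntax into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_domain(records):
    """Return a list of findings for one domain's SPF/DMARC records.
    An empty list means spoofed mail for this domain is rejected and reported."""
    findings = []
    spf = records.get("spf")
    if spf is None:
        findings.append("SPF: no record; receivers cannot verify sending hosts")
    else:
        # The final 'all' mechanism decides what happens to unlisted senders.
        match = re.search(r"\s([~+?-])all\s*$", spf)
        qualifier = match.group(1) if match else None
        if qualifier != "-":
            findings.append(f"SPF: 'all' qualifier is {qualifier!r}, expected '-all' (hard fail)")
    dmarc = records.get("dmarc")
    if dmarc is None:
        findings.append("DMARC: no record; SPF/DKIM results are never enforced")
    else:
        tags = parse_tags(dmarc)
        if tags.get("p") != "reject":
            findings.append(f"DMARC: p={tags.get('p')!r}, expected 'reject'")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={tags['pct']} leaves some spoofed mail unenforced")
        if "rua" not in tags:
            findings.append("DMARC: no rua address; spoofing attempts go unreported")
    return findings

if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        print(domain, assess_domain(recs) or ["no findings"])
```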
How we help
Services for financial advice practices and dealer groups.
From a single advisory practice to a dealer group managing an AR network, the controls that address ASIC obligations and real attacker behaviour are consistent. We help you implement them and demonstrate they work.
Fortify — managed security
Around-the-clock monitoring, rapid containment, monthly uplift and a board-ready posture report. For advisory practices without a dedicated security function, Fortify provides the monitoring and response coverage that self-managed environments rarely sustain long-term.
Microsoft 365 security
policies, enforcement, DMARC, DKIM and SPF, Defender for Business, and for classifying SOAs, client fact finds and identity documents. Most advisory practices run on . We harden those environments against the attack paths ASIC has named in enforcement proceedings.
Penetration testing
External network, internal network and simulation tests. ASIC has specifically identified in enforcement findings as a control expected of AFSL holders. Each engagement produces a risk-rated report your board can read and your IT support can act on.
Audit and assurance
An gives you a documented baseline you can hand to your PI insurer, reference in ASIC correspondence and use as a roadmap for remediation. The report is written for board-level readers and designed to be usable, not filed.
Compliance
Regulatory obligations for financial advisers.
ASIC enforcement has made the technical expectations explicit. Here is what the proceedings mean for advisory practices and dealer groups.
s912A obligations for AFSL holders
AFSL holders must provide services efficiently, honestly and fairly (s912A(1)(a)), maintain adequate technological resources (s912A(1)(d)) and maintain adequate risk management systems (s912A(1)(h)). ASIC has made the technical standard clear through enforcement: the ASD Essential Eight is a minimum baseline. The FIIG Securities penalty ($2.5 million plus $500,000 costs, February 2026) established that the absence of controls over a sustained period is a licence breach, not just an operational gap.
What the AR supervision case means for licensees
ASIC filed proceedings against Fortnum Private Wealth in July 2025 alleging the licensee failed to mandate minimum cyber standards for its authorised representatives and failed to supervise their cyber risk frameworks. ASIC Chair Joe Longo described the alleged failure as exposing clients to an unacceptable level of risk. If your dealer group has not established minimum cyber requirements for your AR network and a process for supervising compliance, the Fortnum matter is directly relevant to your exposure.
NDB obligations and the 2024 reforms
Financial advisers collect income records, tax file numbers, identity documents, superannuation balances and family financial information. A breach involving this data will almost always meet the serious harm threshold, which triggers mandatory notification to the OAIC and affected clients. The Privacy and Other Legislation Amendment Act 2024 increased penalties and from December 2026 will require disclosure of automated or algorithmic decision-making in privacy policies.
Common questions
Asked by advisers like you.
Not in this list? Call us on 1300 004 766 or book a 30-minute consultation. No obligation.
What controls does ASIC expect a financial advice practice to have in place?
ASIC's enforcement proceedings give a working list. The FIIG Securities matter named seven controls as absent: a tested cyber incident response plan, privileged account management, vulnerability scanning, up-to-date firewalls, regular software patching, MFA for remote users and mandatory security awareness training. Those seven represent a minimum floor. For a practice with a larger client base or more complex systems, ASIC expects controls that reflect that complexity.
Does ASIC hold licensees responsible for the cyber practices of their authorised representatives?
That is what the Fortnum Private Wealth proceedings allege. ASIC filed in the NSW Supreme Court in July 2025, claiming Fortnum failed to establish adequate cyber policies across its AR network and failed to supervise AR compliance with those policies. Fortnum denies the conduct. The case is before the courts. As a risk management matter, dealer groups that have not established minimum cyber standards for their ARs and documented their supervision of those standards are carrying exposure regardless of how the Fortnum case resolves.
What should be in an incident response plan for a financial advice practice?
A useful incident response plan answers the practical questions under pressure: who makes the call when something goes wrong, who isolates which systems, how you contact your cyber insurer, when the OAIC notification clock starts and what information you need to make that assessment, and how you communicate with affected clients. It should be tested, not just written. A tabletop exercise once a year, working through a realistic scenario, is usually enough to find the gaps before an actual event.
Is the Essential Eight mandatory for financial advisers?
Not in the sense that there is a statute that says so. But ASIC has publicly stated it treats the Essential Eight as a minimum standard for AFSL holders. Combined with the enforcement outcomes from FIIG and RI Advice, an advisory practice that cannot demonstrate Essential Eight alignment at an appropriate maturity level has meaningful regulatory exposure under s912A.
How does IronSights work with smaller advisory practices?
Most of our work with advisory practices starts with a security review: a structured assessment of your Microsoft 365 environment, identity controls, how client data is stored and handled, and whether your incident response process would hold up under real conditions. From there, we recommend the next steps matched to your size and risk profile. Some practices want ongoing managed security through Fortify. Others want to address specific gaps and maintain their own posture from there.
Further reading
Related insights.
ASIC cyber security obligations for AFSL holders
Understand what s912A requires, what controls satisfy the standard, and what enforcement looks like in practice.
FIIG Securities cyber penalty: lessons for AFSL holders (Compliance)
ASIC named seven absent controls. The court ordered $3 million. Every AFSL holder needs to understand what happened and why it matters to their licence.
The Essential Eight for Australian financial services (Technical)
What each Essential Eight control means for financial services firms, which maturity level ASIC expects, and where assessments find the most common gaps.
Business email compromise in Australian financial services (Threat intelligence)
BEC targets payment instructions and settlement processes. How the attacks work and the controls that stop them.
Also in financial services
IronSights works across the financial services sector.
Start with a review
A structured security review tells you exactly where your practice stands.
We assess your Microsoft 365 environment, identity controls, how client data is stored and handled, and whether your incident response process would hold up under real conditions. The output is a practical, prioritised roadmap you can act on.
ISO 27001 and ISO 9001 certified. NSW Master Security Licence 000109187. Microsoft certified security engineers. Australian-owned. Sydney-based.