Cyber security for Australian wealth management firms.
Wealth management firms handle client portfolio data, beneficial ownership information and, in many cases, discretionary authority over assets. IronSights helps Australian wealth managers meet ASIC obligations and protect what clients have placed in their hands.
ISO 27001 certified. Microsoft certified security engineers. Sydney-based. Security that works alongside the platforms and workflows your firm already depends on.
Threat context
Why wealth management firms are targeted.
Wealth management firms hold a combination that attackers find attractive. Discretionary authority over client portfolios, detailed beneficial ownership records and ongoing transaction access mean a single compromised credential can result in unauthorised transactions, not just data exposure. The value at risk is not abstract.
Transaction monitoring and compliance reporting obligations mean wealth management firms maintain complex software estates. A custody platform, a portfolio management system, a financial planning tool, a compliance system and Microsoft 365 are all connected to one another, usually through API keys, service accounts and consented applications that were set up for a specific integration and never reviewed again. Those connections accumulate quietly.
Business email compromise targeting rebalancing instructions and settlement notifications is a documented attack pattern in financial services. Attackers who understand the firm's workflow and communication patterns produce convincing fraudulent instructions timed around legitimate activity. Verification procedures and email authentication controls are both necessary.
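As an added illustration (not IronSights' tooling or code from this page), the following PowerShell checks a DMARC record for the weaknesses that let spoofed rebalancing or settlement emails through: a monitoring-only policy, partial enforcement, unprotected subdomains and no aggregate reporting. The two records are constructed samples and the domain and mailbox are placeholders; the live lookup relies on Resolve-DnsName from the Windows DnsClient module.

```powershell
# Added example, not part of the original page. Evaluates a DMARC TXT record
# and reports the settings that leave a domain open to spoofing.

function Test-DmarcPolicy {
    param([Parameter(Mandatory)][string]$Record)

    # Split "tag=value; tag=value" into a hashtable, ignoring empty segments.
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }

    $issues = @()
    if ($tags['v'] -ne 'DMARC1') { $issues += 'not a DMARC1 record' }

    # p= is the policy receivers apply to mail that fails SPF/DKIM alignment.
    switch ($tags['p']) {
        'reject'     { }
        'quarantine' { $issues += 'p=quarantine: spoofed mail is still delivered, to junk' }
        'none'       { $issues += 'p=none: monitoring only, nothing is blocked' }
        default      { $issues += 'missing or invalid p= tag' }
    }
    # pct= below 100 applies the policy to only a sample of the mail stream.
    if ($tags.ContainsKey('pct') -and [int]$tags['pct'] -lt 100) {
        $issues += "pct=$($tags['pct']): policy applied to only part of the mail stream"
    }
    # sp= overrides p= for subdomains; if present it should not be weaker.
    if ($tags.ContainsKey('sp') -and $tags['sp'] -ne 'reject') {
        $issues += "sp=$($tags['sp']): subdomains are less protected than the apex domain"
    }
    if (-not $tags.ContainsKey('rua')) {
        $issues += 'no rua= address: aggregate reports are not being collected'
    }

    [pscustomobject]@{
        Policy    = $tags['p']
        Enforcing = ($issues.Count -eq 0)
        Issues    = $issues
    }
}

# Fetch the live record for a domain (Windows DnsClient module).
function Get-DmarcRecord {
    param([Parameter(Mandatory)][string]$Domain)
    $txt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction Stop
    $rec = $txt | Where-Object { ($_.Strings -join '') -like 'v=DMARC1*' } | Select-Object -First 1
    if (-not $rec) { throw "No DMARC record published for $Domain" }
    $rec.Strings -join ''
}

# Constructed samples: a monitoring-only record and an enforcing one.
$weak   = 'v=DMARC1; p=none; rua=mailto:dmarc@example.com.au'
$strong = 'v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@example.com.au'

Test-DmarcPolicy -Record $weak
Test-DmarcPolicy -Record $strong

# Live check against your own sending domain (placeholder domain shown):
# Test-DmarcPolicy -Record (Get-DmarcRecord -Domain 'example.com.au')
```

The weak record is what many firms publish after an initial DMARC rollout and then forget: it collects reports but rejects nothing, so a spoofed settlement notification from the firm's own domain is still delivered. DMARC only covers the firm's own domain being impersonated; lookalike domains and compromised counterparties still need the callback verification procedure described above.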
ASIC's enforcement trajectory has made cyber security a licence obligation with real consequences. The FIIG Securities matter ($2.5 million penalty, 2026) and the Fortnum proceedings confirm that the sustained absence of basic controls is not a minor compliance gap. For wealth management firms, where the scale of potential client harm is significant, ASIC expects controls that reflect the risk.
Common risks
What we find when we work with wealth management firms.
Discretionary authority over client assets
Wealth management firms often hold authority to transact on client accounts without individual instruction for each trade. A compromised platform credential or a successful BEC attack targeting a portfolio manager does not just expose data. It can result in unauthorised transactions. Discretionary authority combined with weak identity controls is a risk category with direct financial consequences for clients.
Complex software and platform estate
A typical wealth management firm connects to a custody platform, a portfolio management system, a CRM, a financial planning tool, a compliance system, a document management platform and Microsoft 365. Each connection is a potential entry point. Most firms have no complete picture of which applications have access to their Microsoft 365 tenant or what permissions those applications currently hold.
Client portfolio data and beneficial ownership records
Portfolio holdings, transaction histories, beneficial ownership structures, investment mandates and client financial plans contain detailed pictures of individual wealth. In the wrong hands this information has direct financial value and can cause serious harm to the people involved. Controls over who can access this data, and alerts when it is accessed in unusual ways, are rarely in place when we first assess a firm.
Staff credential theft targeting platform access
Attackers who obtain staff credentials through phishing or credential stuffing can move from email into custody platform portals, portfolio management systems and client-facing platforms without triggering any alerts if monitoring is absent. The value of the access is not always immediately obvious. Patient attackers observe before acting.
Third-party and custodian risk
Wealth management firms rely on third-party custodians, platform providers and outsourced compliance services that hold or process client information. The firm's obligations under ASIC's s912A and, where applicable, APRA's CPS 234 do not transfer to those third parties. The firm remains responsible for assessing the security posture of every party it relies on and putting contractual protections in place that reflect that responsibility.
How we help
Services built for wealth management environments.
Managed monitoring, penetration testing, ASIC compliance assurance. Controls that address the specific risks wealth management firms face, without adding complexity to the platforms your team depends on.
Fortify — managed security
Around-the-clock monitoring across endpoints and cloud environments. Rapid containment when a threat is detected. Monthly uplift and posture reporting your board can read and act on. Most wealth management firms without a dedicated security function cannot sustain self-managed monitoring. Fortify fills that gap.
Penetration testing
External network, internal network and simulation tests scoped to your platform connections and user environment. ASIC has cited penetration testing in enforcement proceedings as a control expected of AFSL holders. Risk-rated report with executive summary and technical guidance.
Microsoft 365 security
DMARC configuration and enforcement, plus protection for client portfolio documents and investment mandates. Third-party application audit and guest access review to find and close connections that have built up without oversight.
Audit and assurance
Compliance evidence pack, board-ready report and prioritised remediation roadmap matched to your ASIC obligations and PI insurance requirements.
Compliance
Regulatory obligations for Australian wealth managers.
ASIC, APRA and the Privacy Act each impose obligations that scale with the complexity of what a wealth management firm holds. The applicable framework depends on the licences held and the client base served.
s912A and the Essential Eight baseline
AFSL holders must maintain adequate technological resources and adequate risk management systems under s912A(1)(d) and (h). ASIC has made the ASD Essential Eight a minimum technical baseline through enforcement proceedings. The FIIG Securities penalty ($2.5 million plus $500,000 costs, 2026) confirmed that the sustained absence of basic controls is a licence breach. For wealth management firms with larger client bases and more complex systems, ASIC expects controls that reflect that complexity.
CPS 234 for APRA-regulated entities
Wealth management firms that hold an APRA licence, most often as RSE licensees (superannuation trustees), face CPS 234 obligations on top of ASIC requirements. CPS 234 requires an information security capability commensurate with threats, a formal policy framework, a systematic testing programme, third-party vendor assessment and annual board attestation. The requirement to notify APRA within 72 hours of becoming aware of a material information security incident adds a practical operational dimension to incident response planning: the firm needs to be able to detect, assess and escalate within that window.
Client data and NDB obligations
Portfolio holdings, beneficial ownership structures and investment mandates are highly sensitive personal information. A breach involving this data will almost always meet the likely-serious-harm threshold for NDB notification. The Privacy and Other Legislation Amendment Act 2024 added lower tiers of civil penalty beneath the existing serious-or-repeated-interference penalty, so breaches that previously fell short of a penalty can now attract one.
Common questions
Questions from wealth managers.
Not in this list? Call us on 1300 004 766 or book a confidential consultation. No obligation.
What ASIC cyber obligations apply to a wealth management firm?
AFSL holders must comply with s912A(1)(a), (d) and (h): providing services efficiently, honestly and fairly; maintaining adequate technological resources; and maintaining adequate risk management systems. ASIC treats the ASD Essential Eight as a minimum technical baseline. The maturity level expected reflects the size and complexity of the business. Enforcement proceedings have established that the sustained absence of basic controls is a licence breach with civil penalty consequences. The FIIG Securities matter in 2026 made that concrete.
Does APRA CPS 234 apply to a wealth management firm?
CPS 234 applies to APRA-regulated entities: authorised deposit-taking institutions, general and life insurers, private health insurers and RSE licensees. A wealth management firm that holds an RSE licence as a superannuation trustee faces CPS 234 obligations on top of its ASIC obligations. A firm holding only an AFSL faces ASIC obligations under the Corporations Act and Privacy Act obligations, but not CPS 234 directly.
What should a wealth management firm do first to improve its security posture?
Start with a security review: a structured assessment of the Microsoft 365 environment, identity and access controls, platform connections, client data handling and incident response capability. This gives a clear picture of actual exposure mapped to regulatory obligations. The most common first actions from there are enforcing MFA across all accounts and platforms, running a third-party application audit on the M365 tenant, and testing whether the incident response plan actually works.
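One way to get the complete picture of which applications have access to the tenant and what permissions they hold, as an added example rather than IronSights' own tooling or code from this page: the following PowerShell uses the Microsoft Graph PowerShell SDK to list every enterprise application with its delegated and application permissions and flags the grants that reach mail, files or the directory. It assumes the Microsoft.Graph module is installed and that the signed-in account can be granted Application.Read.All and Directory.Read.All; the high-risk permission list, the CSV path and the decision to skip Microsoft's first-party services are the author's choices.

```powershell
# Added example, not part of the original page. Inventories third-party
# application permissions in a Microsoft 365 / Entra ID tenant.
# Install-Module Microsoft.Graph -Scope CurrentUser

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# Microsoft's own tenant id; service principals owned by it are first-party
# services (Exchange, Teams, ...) and are skipped to focus on third parties.
$microsoftTenant = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'

# Cache every service principal by object id so grants can be mapped to names.
$spById = @{}
Get-MgServicePrincipal -All | ForEach-Object { $spById[$_.Id] = $_ }

$findings = @()

# 1. Delegated permissions: OAuth2 grants made by a user for themselves
#    (ConsentType = Principal) or by an admin for everyone (AllPrincipals).
foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $client = $spById[$grant.ClientId]
    if (-not $client -or $client.AppOwnerOrganizationId -eq $microsoftTenant) { continue }
    $findings += [pscustomobject]@{
        App         = $client.DisplayName
        AppId       = $client.AppId
        Type        = 'Delegated'
        ConsentType = $grant.ConsentType
        Permissions = "$($grant.Scope)".Trim()
        Publisher   = $client.PublisherName
        Verified    = [bool]$client.VerifiedPublisher.VerifiedPublisherId
    }
}

# 2. Application permissions: app roles assigned to the service principal.
#    These run with no user present, so they are the ones that keep working
#    after a staff member leaves or has their password reset.
foreach ($sp in $spById.Values) {
    if ($sp.AppOwnerOrganizationId -eq $microsoftTenant) { continue }
    foreach ($assignment in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
        $resource = $spById[$assignment.ResourceId]
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        $findings += [pscustomobject]@{
            App         = $sp.DisplayName
            AppId       = $sp.AppId
            Type        = 'Application'
            ConsentType = 'AllPrincipals'
            Permissions = $role.Value
            Publisher   = $sp.PublisherName
            Verified    = [bool]$sp.VerifiedPublisher.VerifiedPublisherId
        }
    }
}

# Permissions that give an app broad read or write over mail, files or the
# directory, which is what an attacker wants from a consent-phished app.
$highRisk = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send',
            'Files.Read.All', 'Files.ReadWrite.All',
            'Sites.Read.All', 'Sites.ReadWrite.All',
            'Directory.ReadWrite.All', 'User.Read.All', 'offline_access'

$flagged = $findings | Where-Object {
    $granted = $_.Permissions -split ' '
    ($granted | Where-Object { $highRisk -contains $_ }).Count -gt 0
}

# Unverified publishers with high-risk permissions are the first to review.
$flagged | Sort-Object Verified, App |
    Format-Table App, Type, ConsentType, Permissions, Publisher, Verified -AutoSize

# Full inventory for the evidence pack.
$findings | Export-Csv -Path .\m365-app-permissions.csv -NoTypeInformation
```

Read the output with two questions in mind: does anyone at the firm still recognise this application, and does its permission set match what the integration actually does. A reporting tool that has Mail.ReadWrite, or an app consented once by a single user that has offline_access and Files.Read.All, is the quiet connection the paragraph above describes. Removing an unwanted grant is done against the service principal (Remove-MgOauth2PermissionGrant for delegated grants, Remove-MgServicePrincipalAppRoleAssignment for application roles), and a user-consent policy that blocks consent to unverified publishers stops the next one from appearing.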
How should a wealth management firm manage third-party platform risk?
The obligation under s912A and CPS 234 does not transfer to third-party custodians or platform providers. The firm remains responsible for assessing those parties' security posture and putting contractual protections in place. At a minimum: understand what personal and financial data each third party holds, confirm what security certifications or attestations they maintain, and make sure contracts include notification obligations if the third party suffers an incident affecting your client data.
How does IronSights approach wealth management engagements?
We start by understanding the actual environment: which platforms are connected, where client data sits, what the current Microsoft 365 configuration looks like and whether there is a tested incident response process. We do not apply a generic framework without understanding the specific context first. Our output works for board-level audiences and for the IT support or managed service provider who will carry out the remediation.
Further reading
Related insights.
ASIC cyber security obligations for AFSL holders
What s912A requires, what controls are expected of AFSL holders, and how ASIC has enforced those obligations through civil penalty proceedings.
Read more →
Compliance · APRA CPS 234 explained
Applies where a wealth manager holds an APRA licence. What the standard requires, where regulated entities consistently fall short, and how it interacts with ASIC obligations.
Read more →
Technical · The Essential Eight for Australian financial services
ASIC's minimum technical baseline for AFSL holders. What each control means for wealth management firms and which maturity level applies.
Read more →
Compliance · FIIG Securities cyber penalty: lessons for AFSL holders
ASIC named seven absent controls. The court ordered $3 million in total ($2.5 million penalty plus $500,000 costs). The case confirms that the sustained absence of basic controls is a licence breach.
Read more →
Also in financial services
IronSights works across the financial services sector.
Start with a review
Security controls that reflect what your clients have entrusted to you.
We assess your environment against the specific risks wealth management firms face: platform connections, identity controls, client data handling, email security and ASIC compliance posture. The output is a prioritised report your board and your IT team can both act on directly.
ISO 27001 and ISO 9001 certified. NSW Master Security Licence 000109187. Microsoft certified security engineers. Australian-owned. Sydney-based.