Cyber security has been a licensing matter for longer than most AFSL holders realise. What changed recently is that ASIC started proving it in court.
What the Corporations Act requires
The relevant obligations sit in section 912A of the Corporations Act 2001. Section 912A(1)(a) requires financial services to be provided efficiently, honestly and fairly. Section 912A(1)(d) requires adequate financial, technological and human resources. Section 912A(1)(h) requires adequate risk management systems.
None of them mention cyber security by name. ASIC's view, now confirmed through court orders, is that they always covered it.
The Federal Court settled the question in May 2022, finding that RI Advice Group Pty Ltd had breached its AFS licence by failing to manage cyber risks adequately. It was the first time an Australian court had made that connection, and every enforcement action since has followed the same legal path.
What ASIC considers adequate
ASIC has not prescribed a single mandatory framework, but its expectations are clearly stated.
The Essential Eight sits at the centre of them. ASIC treats it as a minimum standard for AFSL holders. Its eight mitigation strategies are application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups. The maturity level expected of a boutique planning practice is not what ASIC expects of a large dealer group, but something needs to be in place and actually working.
In November 2023, ASIC published REP 776, the findings from its Cyber Pulse Survey, which named specific gaps and examples of better practice across regulated entities. Read alongside ASIC's 2025 key issues outlook, which confirmed that active investigations were underway and that directors are personally responsible for cyber risk, the trajectory was obvious.
Commissioner Simone Constant made the regulatory position explicit in May 2026: cyber resilience is a core licensing obligation. ASIC has also required all regulated entities to formally table its cyber correspondence at the ultimate board and risk governance committee. That is a compliance step, not guidance.
Enforcement is no longer hypothetical
FIIG Securities: $2.5 million and 18,000 affected clients
In February 2025, ASIC sued FIIG Securities in the Federal Court for cyber security failures running from March 2019 to June 2023. During a 20-day window between 19 May and 8 June 2023, a hacker moved through FIIG's network undetected and took approximately 385GB of confidential data from around 18,000 clients.
In February 2026, the Federal Court ordered a $2.5 million pecuniary penalty plus $500,000 in ASIC's costs. FIIG admitted breaching sections 912A(1)(a), (d) and (h).
ASIC named the seven absent controls: a tested incident response plan, privileged account management, scanning, current firewalls, regular software patching, multi-factor authentication for remote users, and mandatory . None of those is a sophisticated requirement; a competent IT provider would include most of them by default.
Fortnum Private Wealth: a supervision failure at network scale
ASIC sued Fortnum Private Wealth in the NSW Supreme Court in 2025, alleging failure to establish adequate cyber policies, frameworks, systems and controls. Fortnum allegedly did not mandate minimum cyber training for its authorised representatives and did not properly supervise cyber risk management across the network.
ASIC Chair Joe Longo described the alleged failure as exposing the company, its representatives and their clients to "an unacceptable level of risk." The case is ongoing. What it confirms for dealer groups is that ASIC's oversight expectations do not stop at the licensee's front door.
Cross-regulator exposure
ASIC is not the only regulator with an interest here.
The Privacy Act's Notifiable Data Breaches scheme requires notification to the OAIC and affected individuals where a breach is likely to result in serious harm. Most incidents involving client financial data will meet that threshold. The Corporations Act's reportable situations regime may also apply, depending on the nature and impact of what happened.
Firms with APRA connections, whether as super trustees or ADIs, also carry the obligations of CPS 234: information security capability, third-party oversight, policy frameworks and incident notification.
FIIG's 2023 breach landed across multiple regulators at once. That is not a worst-case scenario. It is what a significant cyber incident looks like in practice.
What a proportionate response looks like
Proportionality is genuine, and ASIC has acknowledged it. A two-person financial planning firm is not expected to run the same programme as a 200-person dealer group. What both are expected to do is show they assessed their risks and acted on them.
Board oversight matters more than most firms' treatment of it suggests. Cyber needs to be on the agenda with real reporting, not a quarterly footnote. Directors are personally accountable, and the requirement to table ASIC's cyber correspondence at board level is a compliance obligation, not a suggestion.
On the technical side, the FIIG case removes any ambiguity about what the baseline looks like. MFA on remote access and privileged accounts. Current, monitored firewalls. A patching schedule that is actually followed. A tested incident response plan, not one sitting unread in a folder.
Third-party risk is worth its own conversation. Vendors and managed service providers with access to your environment or client data carry risk that flows back to the licensee. Their controls need to be understood before something goes wrong, not after.
For firms without internal security capability, an MSSP that handles monitoring, patching, detection and response, and compliance reporting in one place is often simpler than trying to build the same coverage across multiple tools and providers.
Frequently asked questions
What are ASIC's cyber security obligations for AFSL holders?
AFSL holders must maintain adequate technological resources, human resources and risk management systems under sections 912A(1)(d) and (h) of the Corporations Act 2001. ASIC uses the ASD Essential Eight as the reference framework for assessing adequacy. Failure to meet these standards is a licence breach and can result in civil penalty proceedings.
Does the Essential Eight apply to financial services firms?
ASIC has stated it considers the Essential Eight a minimum standard for AFSL holders. The required maturity level should reflect the size and complexity of the business. But the framework itself applies.
What happened with FIIG Securities?
ASIC sued FIIG for cyber failures spanning four years. A hacker accessed the network for 20 days in 2023 and stole approximately 385GB of data from around 18,000 clients. In February 2026 the Federal Court ordered FIIG to pay $2.5 million plus $500,000 in ASIC's costs. FIIG admitted breaching three provisions of section 912A.
Can ASIC take action against a dealer group for the cyber practices of its authorised representatives?
Yes. ASIC's case against Fortnum Private Wealth alleges failure to supervise and mandate minimum cyber standards across the AR network. Dealer groups are responsible for the cyber practices of the representatives they authorise.
What is the NDB scheme and does it apply to AFSL holders?
The Notifiable Data Breaches scheme under the Privacy Act requires notification to the OAIC and affected individuals where a breach is likely to result in serious harm. Most AFSL holders are covered entities under the Privacy Act. A significant incident involving client data will typically trigger NDB obligations alongside any ASIC reporting requirements.
IronSights works with Australian financial services firms on security programmes sized to their business and aligned to what regulators expect. A penetration test or the Fortify managed service is a practical way to see where your controls currently sit.