The Essential Eight for Australian Financial Services

ASIC treats the ASD Essential Eight as a minimum standard for AFSL holders. Here is what each control means for financial services firms, which maturity level applies to your business, and where assessments consistently find gaps.

By IronSights Editorial, Practitioner team. 30 May 2026. 7 min read.

ASIC has been explicit: the Essential Eight is a minimum standard for AFSL holders. That is not a framework recommendation. It is a regulatory baseline, reinforced by the FIIG Securities penalty and confirmed by Commissioner Simone Constant in May 2026.

For most financial services firms, the Essential Eight is also where a practical security programme starts. The eight controls address the attack techniques most commonly used against Australian businesses. They work on Windows environments, which covers the majority of financial services infrastructure. And they give ASIC, APRA and boards a consistent reference point.

Why the Essential Eight fits financial services

Financial services firms are high-value targets. Client data, financial assets, payment systems and access to managed account platforms all sit on the same network. An attacker who gets in has options.

The FIIG case illustrated the problem. Seven basic controls were absent for four years. A hacker spent twenty days on the network undetected and took 385GB of data from 18,000 clients. None of the missing controls were exotic. , patching, privileged account management, a tested . The Essential Eight covers all of them.

APRA's CPS 234 standard requires a proportionate control framework and a systematic testing programme. The Essential Eight maps directly to both requirements. Aligning with the framework lets an APRA-regulated entity satisfy CPS 234's technical expectations without building a separate control inventory. Read our APRA CPS 234 explainer for the governance obligations that sit above the technical controls.

The eight controls

1. Application control

Prevent unauthorised software from executing on endpoints and servers. Particularly relevant for firms running legacy financial software alongside modern cloud tools, where the software estate is complex and difficult to fully enumerate.

2. Patch applications

Internet-facing applications must be patched within 48 hours of a critical vulnerability at ML2. Trading platforms, client portals and browsers all qualify. Most financial firms have software estates that make patching manual and ad hoc rather than automated. That is the gap ASIC has named.

3. Configure Microsoft Office macros

Macros in Excel and Word are a primary delivery vector for and . Financial services firms use macro-heavy spreadsheets extensively: modelling, reporting, reconciliation. The control is not to disable all macros. It is to manage exceptions carefully and ensure only signed or business-approved macros run.

4. User application hardening

Disable Flash, unneeded Java, and browser advertising. Most of these settings are not actively harmful to financial services workflows, but they carry attack surface. Adviser workstations that browse extensively benefit most from this control.

5. Restrict administrative privileges

Admin rights on adviser and broker workstations are one of the most common gaps found in financial services assessments. Admin credentials are the most valuable target on a network. The control is straightforward: privileged accounts should be separate from daily-use accounts, and the number of people with admin access should be minimised and regularly reviewed.

6. Patch operating systems

Windows and server OS patching. Financial firms often run line-of-business applications, core financial systems and client platforms that constrain patching cycles. The workaround is not to skip patching. It is to understand the constraint, document the exception and mitigate elsewhere.

7. Multi-factor authentication

ASIC named MFA absence as a key gap in the FIIG case. MFA is the highest-priority control for most financial services firms. Remote access, , practice management software, client relationship platforms, custodians, privileged accounts, all of it. The default position should be MFA everywhere. Exceptions need justification.

8. Regular backups

Daily backups, stored separately from the primary network, tested against actual restore scenarios. Ransomware recovery depends entirely on backup integrity. An untested backup is not a backup. The number of financial services firms that discover this at the worst possible moment is higher than it should be.

Maturity levels and what they mean for your firm

The Essential Eight is implemented across three maturity levels. The right level for your firm depends on size, regulatory exposure and risk profile.

ML1 is the starting point. Most AFSL holders should be actively working toward ML1 as a baseline. It covers the fundamentals: MFA in place, patching happening, admin privileges restricted, backups being taken.

ML2 tightens the requirements. Critical application vulnerabilities must be patched within 48 hours. Phishing-resistant MFA is required for privileged accounts. Application control scope broadens. ASIC's expectations for mid-market firms and larger practices sit at ML2.

ML3 is the most rigorous. It applies to APRA-regulated entities and firms managing large client asset pools. Dealer groups with substantial AR networks typically face ML2 or higher expectations given the breadth of their risk surface.

ASIC has been clear that proportionality is real. A small financial planning practice is not expected to run the same programme as a large dealer group. But something needs to be in place, at a level that reflects the firm's size and risk.

Common gaps ASIC has named

The FIIG case and ASIC's REP 776 findings from 2023 point to consistent gaps across the sector. The ASIC cyber obligations article covers the full enforcement picture. The specific technical gaps that come up repeatedly:

  • MFA not enforced on cloud applications, including Microsoft 365, Xplan and practice management platforms
  • Admin privileges held by advisers and used for daily work, not separated into dedicated admin accounts
  • Macros enabled across the firm without exception management or approval processes
  • Backup processes that have never been tested against an actual restore scenario
  • No application control on financial workstations
  • Software patching manual and ad hoc, with no documented schedule and no evidence of completion
  • No formal testing programme, including no penetration testing of critical systems

Where to start

MFA first. On all remote access, Microsoft 365, cloud-based financial platforms and privileged accounts. It is the highest-return action available to most financial services firms and the control ASIC has named most prominently.

Admin privilege review next. Map who holds admin rights, whether they are justified, and whether those accounts are separate from the daily-use accounts of the same individuals.

Then patching. Automate OS and application patching wherever possible. Document the schedule. Keep records. ASIC does not take a firm's word that patching is happening.

Macro management follows. Audit macro use across the firm, identify who actually needs macros as part of their workflow, disable for everyone else, and implement signed exceptions for those who do.

Backups. Test a restore. Move backup storage off the primary network. Check the retention period against what a ransomware recovery would actually require.

Application control and user application hardening are more complex to implement well. Plan carefully before enforcing. Getting the application inventory right before rolling out control is worth the time.
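A workstation spot-check for three of the gaps listed above (admin rights on daily-use accounts, unmanaged Office macro policy, and patching without evidence), written here as an added example rather than IronSights' own tooling. Assumed: Windows 10/11 with Office 2016 or later (the 16.0 policy path), a "-adm" suffix as the firm's naming convention for dedicated admin accounts, and a 30-day window as the patch-age threshold.

```powershell
# Added example: read-only Essential Eight spot-check for a single Windows workstation.
# Assumptions (not from the article): Office 16.0 policy path, '-adm' suffix for
# dedicated admin accounts, 30-day patch-age threshold.
$findings = @()

# Restrict administrative privileges: local Administrators should hold only dedicated
# admin accounts, not the accounts advisers use for daily work.
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    if ($m.ObjectClass -eq 'User' -and
        $m.Name -notmatch '-adm$' -and
        $m.Name -notmatch '\\Administrator$') {
        $findings += "Admin rights on a daily-use style account: $($m.Name)"
    }
}

# Configure Microsoft Office macros: the per-application policy value.
# VBAWarnings 3 = only digitally signed macros run, 4 = all macros blocked silently.
foreach ($app in 'Excel', 'Word', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $policy = Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue
    if (-not $policy -or $policy.VBAWarnings -lt 3) {
        $findings += "$app macro policy not enforced (VBAWarnings = '$($policy.VBAWarnings)')"
    }
    # Macros in files carrying the Mark of the Web should be blocked outright.
    $motw = Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue
    if (-not $motw -or $motw.blockcontentexecutionfrominternet -ne 1) {
        $findings += "$app does not block macros in files downloaded from the internet"
    }
}

# Patch operating systems: the most recent installed update is the evidence of completion.
$lastPatch = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += "No OS update installed in the last 30 days (last: $($lastPatch.InstalledOn))"
}

if ($findings.Count -eq 0) { 'No findings on this workstation.' } else { $findings }
```

Run it under the adviser's own account so the HKCU macro policy it inspects is the one that applies to that user; the output is a list of findings to feed into the firm's exception register, not a pass/fail verdict.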

Frequently asked questions

What maturity level does ASIC expect for AFSL holders?

ASIC has not prescribed a fixed maturity level for all AFSL holders, but its enforcement activity and public guidance point to ML1 as the minimum for smaller firms and ML2 as the expectation for mid-market and larger practices. Dealer groups with substantial AR networks face ML2 or higher expectations. The principle is proportionality, but the baseline applies to all.

How does the Essential Eight relate to APRA CPS 234?

CPS 234 requires a proportionate control framework and a systematic testing programme without prescribing a specific technical standard. The Essential Eight satisfies the technical control requirements of CPS 234 and provides the reference point for the testing programme. An entity aligned with the Essential Eight at the appropriate maturity level will generally meet CPS 234's information security capability requirements.

Which Essential Eight control is most commonly missing in financial services firms?

Based on ASIC's enforcement findings and assessment experience, MFA on cloud applications is the most common gap. Many financial services firms have MFA on corporate email but have not extended it to practice management software, client portals, custodian platforms or remote access. Admin privilege management is the second most common finding.

Do authorised representatives need to comply with the Essential Eight?

The licence obligation sits with the AFSL holder. But the Fortnum case indicates that dealer groups are expected to mandate minimum cyber standards for their authorised representatives and supervise compliance. Whether each AR has adequate controls in place, and whether the licensee can demonstrate oversight of that, are questions ASIC is now actively asking.

How does a penetration test relate to the Essential Eight?

Penetration testing is the primary mechanism for verifying that Essential Eight controls are working in practice, not just configured on paper. APRA's CPS 234 explicitly requires a systematic testing programme. For ASIC, a tested programme is evidence of adequate risk management systems. A test scoped to the Essential Eight controls gives the clearest picture of where the gaps are.

IronSights works with Australian financial services firms on Essential Eight assessments and implementation. A penetration test scoped to your control environment shows where you sit against the maturity levels ASIC expects. The Fortify managed service covers the ongoing patching, monitoring and incident response that the framework requires.
