Cyber risk is compliance risk: What ASIC’s enforcement actions mean for AFSL holders

  • Insight Article, 30 October 2025
  • Asia Pacific
  • Tech & AI evolution

Our second article for Cyber Security Awareness Month explores the increasing convergence of cyber risk and financial lines exposures, evidenced by recent ASIC actions.

“The mistake all of us can make at the moment, particularly from a leadership perspective, is siloing technology into one area of the business, rather than ensuring it's integrated at the core competency, right across the business. We now have to be experts at – or at least have some level of competency in – technology, how the internet works, how communication technology works. Because if you’re not mastering those then you’re not engaging in the way the world works.”

Abigail Bradshaw, Director-General, Australian Signals Directorate (ASD) [1]

Cybersecurity failures are no longer viewed solely as technical issues; they are being treated as governance and compliance failures, with significant implications for directors, officers, and financial lines insurers. In this article we consider recent ASIC civil penalty proceedings and offer guidance on what constitutes ‘reasonable’ cyber risk management in the eyes of the regulator.

What are your AFSL obligations? 

Australian Financial Services (AFS) licensees have a general obligation to provide efficient, honest and fair financial services. They must comply with the conditions of their AFS licence and their obligations under the Corporations Act 2001 (Cth) (Corporations Act).

As an AFS licensee, your obligations under s 912A(1) include the following:

  • Section 912A(1)(a): do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly
  • Section 912A(1)(d): have available adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence and to carry out supervisory arrangements
  • Section 912A(1)(f): ensure that its representatives are adequately trained and are competent to provide those financial services
  • Section 912A(1)(h): have adequate risk management systems

How do you ensure your business’ AFSL obligations are met?

If you are an AFS licensee, you must be mindful of the nature of your business, the nature and extent of the information you hold, and the value of the assets you hold when assessing the risk of adverse consequences for you and your clients. In today’s landscape, AFS licensees are subject to the risk of a cyber incident, loss of ability to provide financial services, unauthorised impersonation of you or your clients to third parties, direct or indirect financial loss, theft of confidential or personal information, and potential exposure to civil penalties and claims for damages.

You can best protect yourself by ensuring your financial services are provided efficiently, honestly and fairly (s 912A(1)(a)) through adequate cybersecurity measures, adequate resources (s 912A(1)(d)) and adequate risk management systems (s 912A(1)(h)). If you have authorised representatives (ARs), ensure they are adequately trained and competent to provide the financial services covered by the licence (s 912A(1)(f)).

What are adequate cybersecurity measures? 

To meet your obligations under s 912A(1)(a), adequate cybersecurity measures are those in place to protect the licensee and its clients from the risks and consequences of a cyber intrusion. These measures should be proportionate to the nature, scale and complexity of the business and the sensitivity of the information it holds. This includes implementing appropriate technical controls, maintaining up-to-date systems and software, and having clear policies and procedures for detecting, responding to, and recovering from cyber incidents.

What are adequate resources? 

To meet your obligations under s 912A(1)(d), a business must ensure it has adequate financial, technological and human resources. The key focus here is on ensuring that appropriate technical cybersecurity measures are in place, supported by the presence of an employee with the necessary technical expertise to implement, monitor, and maintain those measures and the broader risk management systems.

What are adequate risk management systems? 

Under s 912A(1)(h), this means a risk management system that adequately identifies and evaluates the risks the business faces, so that the AFSL holder is able to adopt controls to manage or mitigate those risks to a reasonable level. While the standard of “adequacy” is ultimately one for the Court to decide, the Court’s assessment of the adequacy of any particular set of cyber risk management systems will likely be informed by evidence from relevantly qualified experts in the field.

Guidance on what this means in practice 

In 2022 ASIC, the corporate regulator, was successful in civil penalty proceedings against RI Advice; however, until recently there had been few material developments in this area. Civil penalty proceedings commenced by ASIC over the last few months show that the regulator is continuing its enforcement approach.

Recap: RI Advice – confirmed breach of AFSL obligations

In Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, the Federal Court found that the Australian Financial Services licensee RI Advice breached its licence obligation under s 912A(1)(a) to act efficiently and fairly when it failed to have adequate risk management systems under s 912A(1)(h) to manage its cybersecurity risks.

The finding came after a significant number of cyber incidents occurred at authorised representatives (ARs) of RI Advice between June 2014 and May 2020. Importantly, RI Advice needed to identify the risks that the ARs faced in the course of providing financial services under RI Advice’s licence, including in relation to cybersecurity and cyber resilience, and to have documentation, controls and risk management systems in place that were adequate to manage cybersecurity and cyber resilience risk across the AR network. Although most of the historic issues (poor password practices, and a lack of up-to-date antivirus software or of email filtering or quarantining) were later addressed by significant improvements in 2021, the Court found that RI Advice’s steps to remediate were inadequate and should have been taken much earlier.

In line with Her Honour Justice Rofe’s decision, AFS licensees need to be mindful that it is possible to materially reduce cybersecurity risk to an acceptable level through adequate cybersecurity documentation and controls.

Alleged breaches 

In ASIC v FIIG Securities Limited [2], ASIC alleges that FIIG’s conduct exposed FIIG and its clients to the risk of cyber intrusion, and its adverse consequences, to a heightened and unreasonable extent. ASIC alleges that if FIIG had had adequate cybersecurity measures, it would have detected suspicious activity on its network and identified the compromise, and therefore could have prevented the threat actor’s access to, download and publication of the stolen data. In total, ASIC alleges FIIG contravened one or more of ss 912A(1)(a), 912A(1)(d), 912A(1)(h) and 912A(5A).

In the most recent civil penalty proceedings commenced by ASIC, against Fortnum Private Wealth Ltd [3], ASIC alleges that the volume and sensitivity of personal information collected by Fortnum in the course of its business highlighted the critical need to identify and mitigate cybersecurity risks, both within the organisation and among its ARs. ASIC’s allegations highlight the importance of having robust policies, frameworks, systems and controls in place to effectively manage those risks.

ASIC alleges that, despite being an attractive target for threat actors and facing a heightened risk of cyber-related attacks, Fortnum failed to:

  1. provide its ARs with education and training;
  2. ensure it supervised its ARs’ conduct (i.e. monitor ARs’ compliance with the relevant cybersecurity policy);
  3. have any employees with specialised expertise or experience in cybersecurity, or engage any when it developed its cybersecurity policy;
  4. have a risk management system in place designed to identify and evaluate cybersecurity risks across its ARs.

Overall, ASIC alleges that Fortnum breached sections 912A(1)(a) and 912A(5A) of the Corporations Act by failing to implement an adequate cybersecurity policy to manage and mitigate cyber risks affecting both the business and its ARs. ASIC also alleges Fortnum failed to provide adequate cybersecurity education or training, and did not establish effective processes, systems or frameworks to oversee and monitor its ARs in relation to cybersecurity risk and resilience.

Both FIIG Securities Limited and Fortnum Private Wealth Ltd deny the allegations.

How can your business avoid breaching its AFSL obligations? 

To avoid breaching AFSL obligations, businesses must adopt a proactive, well-resourced, and risk-aware compliance approach. This includes implementing strong governance, risk management, and compliance frameworks that reflect the scale and complexity of business operations. With cyber threats posing a growing risk to financial services, businesses must also embed cybersecurity into their compliance strategy, ensuring systems, data, and client information are protected through robust controls and incident response planning. Competent personnel, regular monitoring, and a culture of accountability are essential to maintaining compliance and meeting ASIC’s expectations under the Corporations Act.

Key take-aways for your business

Adequate risk management system + resourcing:

Have a documented, proportionate and implemented cybersecurity risk management framework (policies, procedures, standards), with adequate resourcing to ensure it is properly complied with.

Adequate cybersecurity measures + training:

Implement baseline technical controls such as firewalls, patching, MFA, backups and logging, and enforce people and process controls, including mandatory security awareness and role-specific training.

Expert cyber preparedness + response:

Engage skilled cyber experts to assess the risks your business faces in its operations and IT environment, and ensure you have an incident response plan readily available.


[1] “The head of the Australian Signals Directorate is calm in a crisis and thrives amid chaos”, Qantas magazine, October 2025, p 189.

[2] ASIC’s Concise Statement.

[3] The Originating Process and Concise Statement.
