Cyber Security for Financial Planners: What Your AFSL Obligations Now Require
ASIC has now won Federal Court proceedings against two AFSL holders for cyber security failures. The cases make clear that cyber security is not a technology issue sitting alongside your AFSL obligations — it is part of them. Here's what that means in practice for financial planners and advice licensees.
For most of the last decade, cyber security guidance for AFSL holders sat in the category of "good practice" — something ASIC encouraged, referenced in regulatory guides, and increasingly mentioned in its corporate plans. That changed in 2022 when the Federal Court found that inadequate cyber security risk management by RI Advice Group constituted a breach of its AFSL obligations under section 912A of the Corporations Act. It changed again, more definitively, in February 2026 when the Federal Court ordered FIIG Securities to pay $2.5 million in penalties — the first time civil penalties have been imposed on an AFSL holder specifically for cyber security failures.
ASIC has also commenced proceedings against Fortnum Private Wealth for allegedly failing to ensure its authorised representatives undertook adequate cyber security training — a case that directly implicates small advice licensees and their supervision obligations.
Taken together, these cases establish a clear regulatory position: cyber security is an AFSL compliance obligation, ASIC will pursue it through the courts, and the standard of conduct expected is proportionate to the nature of data held and the value of assets managed.
The Two Cases That Define the Standard
Federal Court — 2022
ASIC v RI Advice Group Pty Ltd [2022] FCA 496
RI Advice suffered nine separate cyber security incidents over six years. Client files containing names, addresses, dates of birth, financial information, health information, and copies of identity documents were accessed by unauthorised parties. The Court found that RI Advice had contravened sections 912A(1)(a) and (h) of the Corporations Act by failing to have and implement adequate cyber security policies, plans, procedures, strategies, and frameworks. The Court specifically noted that RI Advice had "taken too long to implement and ensure such measures were in place across its authorised representative practices."
Federal Court — February 2026
ASIC v FIIG Securities Limited [2026] FCA 92
A cyber attack beginning in March 2023 resulted in approximately 385GB of data being exfiltrated and published on the dark web, affecting around 18,000 clients. FIIG was unaware of the attack until alerted by the Australian Cyber Security Centre more than two months after it began. The Court imposed $2.5 million in penalties — the first civil penalties for AFSL cyber security failures — finding that FIIG's failures were systemic and prolonged across a four-year period. ASIC's case identified specific missing controls including inadequate vulnerability management, insufficient monitoring, and failure to adequately resource cyber security functions.
What Section 912A(1) Actually Requires
Section 912A(1) of the Corporations Act imposes general obligations on AFSL holders. The subsections engaged across the ASIC cases are:
- Section 912A(1)(a) — the obligation to do all things necessary to ensure that financial services are provided efficiently, honestly, and fairly
- Section 912A(1)(d) — the obligation to have available adequate resources (including financial, technological, and human resources) to provide the financial services covered by the licence
- Section 912A(1)(h) — the obligation to have adequate risk management systems
ASIC's position, confirmed by the Court in FIIG, is that cyber security sits squarely within these obligations. An AFSL holder that fails to deploy adequate technological resources, implements inadequate risk management systems, and fails to detect a major data breach for months is in breach — regardless of whether any specific cyber security regulation has been enacted.
The Fortnum proceeding extends this to authorised representatives. ASIC has commenced proceedings against Fortnum Private Wealth for allegedly failing to ensure its authorised representatives undertook a prescribed minimum amount of cyber security training. If that case succeeds, it establishes that a licensee's supervision obligations under section 912A extend to the cyber security practices and training of their ARs — a significant implication for dealer groups and licensees with networks of advisers.
What ASIC Now Expects From AFSL Holders
The FIIG judgment provides the most detailed articulation to date of what ASIC regards as adequate cyber security controls under section 912A. The missing controls alleged by ASIC in that case function as a de facto audit checklist for any AFSL holder assessing their own position.
Controls identified as absent or deficient in ASIC's FIIG proceedings
- Vulnerability scanning and patch management — systems not being regularly scanned and patched in a timely manner
- Multi-factor authentication — not required across all systems holding client data
- Monitoring and detection — insufficient logging and alerting; a months-long breach undetected without external notification
- Privileged access management — excessive access rights not managed or audited
- Incident response planning — inadequate documented processes for detecting, containing, and responding to incidents
- Adequate resourcing — insufficient financial, technological, and human resources allocated to cyber security functions
- Third-party and supply chain risk — inadequate assessment of vendor and contractor access to systems
ASIC has also stated that it will consider not just whether AFSL holders have risk management frameworks in place, but whether those frameworks are properly and consistently implemented, proportionate to the nature and sensitivity of data held, and subject to adequate board and senior management oversight.
Your Regulatory Obligations
Corporations Act 2001 — s912A: AFSL General Obligations
Adequate technological resources, risk management systems, and efficient and fair service provision — all now engage cyber security. Penalties can exceed $13 million per breach for larger licensees.
Corporations Act — Supervision Obligations: Authorised Representative Oversight
Licensees are responsible for the conduct of their authorised representatives. Based on the Fortnum proceeding, this may extend to ensuring ARs undertake adequate cyber security training and maintain adequate practices.
Privacy Act 1988 (Cth): APP 11 — Data Security
Financial planners hold highly sensitive personal and financial data. The 2024 reforms clarify that "reasonable steps" includes technical and organisational measures. The Privacy Act's small business exemption applies only below $3M annual turnover, and most licensees far exceed that threshold.
Privacy Act — NDB Scheme: Notifiable Data Breaches
A breach involving client financial data — investments, superannuation balances, health information, identity documents — will typically meet the serious harm threshold, triggering mandatory notification to the OAIC and affected clients.
Cyber Security Act 2024 (Cth): Ransomware Payment Reporting
From 30 May 2025, AFSL holders with annual turnover above $3M must report any ransomware payment to the ASD within 72 hours of making it. A cyber incident may also constitute a "reportable situation" requiring notification to ASIC.
Corporations Act — Best Interests Duty: s961B — Protecting Client Data
Financial planners hold detailed client financial profiles — retirement plans, investment strategies, account balances, estate planning details. Failing to protect that data is inconsistent with acting in the client's best interests.
The Data Financial Planners Actually Hold
A financial planner's client files typically contain some of the most comprehensive personal and financial profiles held by any small business. Across the lifecycle of an advice relationship, a client file might include:
- Full fact find — income, assets, liabilities, and expenditure
- Superannuation fund details and balances
- Investment account details and portfolio holdings
- Tax file numbers and ATO correspondence
- Health information gathered for insurance advice
- Estate planning documents — wills, powers of attorney, beneficiary nominations
- Identity documents — passports, driver's licences
- Bank account details
- Centrelink and government benefits information
This is not a profile that only interests sophisticated attackers. It is precisely the data set used to commit identity fraud, access superannuation accounts, or impersonate a client to financial institutions. The scale of harm a single compromised client file can cause is significant — and the scale of harm across an advice firm's full client book is much larger.
What a Proportionate Response Looks Like for a Small Advice Licensee
ASIC's standard is explicitly proportionate — what is adequate for a firm holding $3 billion in client assets and 18,000 client files is not the same as what is adequate for a boutique practice with 150 clients. But the FIIG and RI Advice cases make clear that proportionality does not mean minimal. The question ASIC will ask is whether the controls implemented were reasonably appropriate given the nature of the business and the data held.
Other ASIC-regulated businesses — including mortgage brokers under their ACL — face similar data sensitivity questions with overlapping obligations. The core security baseline is consistent across these regulated financial services contexts.
For a small advice licensee, a proportionate baseline would typically include:
- MFA on every system that holds client data — practice management software, email, cloud storage, financial planning software, and any portals used to access client accounts
- Regular software patching — operating systems, practice software, and browsers updated promptly; automatic updates enabled where possible
- Secure backup — client data backed up regularly, with at least one copy stored offline or separately from primary systems
- Access controls — staff and contractor access limited to what is needed for their role; AR access reviewed when engagement changes
- Documented incident response plan — a written process for identifying, containing, and reporting incidents, including who is responsible and what timeframes apply
- Cyber security training for all staff and ARs — documented, updated annually, and covering phishing recognition and safe data handling — specifically in scope given the Fortnum proceedings
- Written cyber security policy — ASIC expects a documented framework, not just ad hoc practices; documentation is also evidence of a reasonable approach if a breach occurs
Documentation matters both ways. In RI Advice, the Court noted that RI Advice had made improvements over time — but the improvements came too slowly and were inconsistently implemented. Documenting your current security posture, your planned improvements, and your timeline for implementation is evidence of a reasonable approach. The absence of documentation makes it very difficult to demonstrate that reasonable steps were taken.
What ASIC Is Watching in 2026
ASIC's 2026 key issues outlook explicitly identifies cyber attacks, data breaches, and inadequate operational resilience as harmful threats to market confidence and consumers that it will continue to focus on through enforcement. The FIIG case — decided in February 2026 — was accompanied by an ASIC statement confirming that cyber resilience is a "clear licence-to-operate expectation."
ASIC has signalled that its approach will be forensic: not just whether an AFSL holder has a policy, but whether the policy is actually implemented, adequately resourced, and proportionate to the risks faced. Board-level oversight of cyber security is explicitly in scope — ASIC Chair Joe Longo has warned that reckless ill-preparedness for cyber attacks may be treated as a breach of directors' duties under the Corporations Act.
For financial planners and advice licensees, the regulatory direction is unambiguous. Cyber security is not a technology matter to be handled by your IT provider and reviewed occasionally. It is a compliance obligation, and ASIC is now willing to enforce it through the Federal Court.
Assess Your Financial Planning Practice's Cyber Security
Our Financial Planning Health Check covers the controls most relevant to AFSL holders — data protection, access management, third-party risk, incident response readiness, and staff training. Scored results, prioritised recommendations, and a written report you can use to document your compliance posture.
