Introduction
The Australian Securities and Investments Commission (ASIC) has elevated cyber resilience from a matter of good practice to a primary enforcement priority, signalling a critical shift for every Australian Financial Services Licence (AFSL) holder. With “licensee failures to have adequate cyber-security protections” identified as a key focus, AFSL holders are now under intense scrutiny to demonstrate robust cybersecurity and risk management frameworks.
This guide provides essential information for AFSL holders to navigate these heightened expectations, explaining cyber resilience’s legal and regulatory dimensions under the Corporations Act 2001 (Cth). It offers practical guidance on implementing a defensible risk management framework to meet core compliance obligations and manage cybersecurity failures’ significant legal and financial consequences.
Understanding ASIC’s Focus on Cyber Resilience
ASIC’s Shift to a Primary Enforcement Priority
ASIC has elevated cyber risk from a guidance issue to a primary enforcement battleground. For 2025, ASIC explicitly named “licensee failures to have adequate cybersecurity protections” a top enforcement priority. This marks a significant shift in regulatory posture, from providing best-practice advice to actively pursuing investigations and enforcement actions against non-compliant AFSL holders.
This tougher stance reflects the view that cyberattacks represent a systemic risk to Australia’s financial system, capable of causing widespread consumer harm and eroding market trust.
ASIC Chair Joe Longo has put boards and directors on notice, warning that the regulator will seek to make an example of those who are recklessly ill-prepared for cyberattacks. Consequently, operational cybersecurity failures may be treated as breaches of directors’ duties under the Corporations Act 2001 (Cth), raising the stakes from corporate fines to personal liability.
Key Findings from the ASIC Cyber Pulse Survey
ASIC’s assertive enforcement position is supported by compelling evidence from its industry research. The “Spotlight on cyber: Findings and insights from the cyber pulse survey 2023” (Report 776) revealed what the regulator described as “alarming” deficiencies in the cyber capabilities of regulated entities. This survey provides the statistical foundation for ASIC’s intervention, highlighting systemic weaknesses now firmly in its sights.
The report identified several critical gaps in the cyber resilience of Australian firms, including many AFSL holders. These findings are a blueprint for ASIC’s future audit and investigation programs.
Key weaknesses included:
| Area of Weakness | Key Findings from ASIC’s Survey |
|---|---|
| Third-Party Risk Management | A significant 44% of participating firms reported not managing third-party or supply chain cyber risk. |
| Data Protection | Over half of the respondents (58%) indicated they had limited or no capability to adequately protect confidential information. |
| Incident Response Planning | A third of organisations (33%) admitted to not having a cyber incident response plan, while 35% do not test the plans they have. |
| Adoption of Standards | One in five participants (20%) had not adopted any formal cybersecurity standard, suggesting an unstructured approach to risk management. |
What Cyber Resilience Means for Your AFSL Licence
The Legal Distinction Between Cybersecurity & Cyber Resilience
The Federal Court’s decision Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 84 clarified the legal distinction between cybersecurity and cyber resilience for AFSL holders.
Cybersecurity is defined as the ability of an organisation to protect and defend its cyberspace from attacks. This primarily focuses on preventative measures, such as:
- Firewalls
- Antivirus software
- Access controls
In contrast, cyber resilience is a broader concept encompassing the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems enabled by cyber sources. It goes beyond mere prevention to include maintaining continuous business operations despite cyber incidents.
For example, while cybersecurity might involve patching software vulnerabilities to prevent breaches, cyber resilience requires testing incident response and recovery plans to maintain service delivery even if a breach occurs. This distinction highlights that cyber resilience is a whole-of-business capability integrating IT, operations, legal, and compliance functions.
Cyber Resilience & Your Core AFSL Obligations (s912A)
Cyber resilience is directly linked to the core obligations of an AFSL holder under section 912A of the Corporations Act 2001 (Cth). This section imposes broad duties on licensees, including:
- Acting efficiently, honestly, and fairly in providing financial services (section 912A(1)(a))
- Having adequate technological resources (section 912A(1)(d))
- Maintaining adequate risk management systems (section 912A(1)(h))
Failure to demonstrate cyber resilience can constitute a breach of these obligations. Specifically:
- If an AFSL holder fails to recover promptly from a cyber incident, resulting in prolonged downtime or loss of access to client data, this breaches the duty to provide services efficiently.
- Inability to withstand foreseeable cyber threats, such as ransomware or phishing attacks, indicates inadequate technological resources.
- Lack of anticipation and planning for cyber risks reflects deficient risk management systems.
The Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 84 case exemplifies these principles. The court found that RI Advice failed to have adequate cybersecurity and cyber resilience measures, including:
- Outdated antivirus software
- Poor password practices
- Insufficient backups
These failures exposed clients to significant risks and constituted breaches of their AFSL obligations.
Therefore, AFSL holders must adopt a proactive and comprehensive approach to cyber resilience. This includes implementing robust cybersecurity controls, developing and testing incident response and recovery plans, and continuously assessing and managing cyber risks. Such measures are essential not only for regulatory compliance, but also for protecting consumers and maintaining trust in the Australian financial system.
Building a Defensible Cyber Resilience & Risk Management Framework
Establishing Board Ownership & Governance
Effective cyber resilience is fundamentally a governance responsibility that starts with the board. ASIC’s guidance clarifies that boards must take “ownership” of the organisation’s cyber strategy, ensuring it is reviewed periodically to assess progress and effectiveness. This approach treats cyber resilience not as a technical issue confined to the IT department, but as a critical management tool for understanding risk and making informed investment decisions.
This responsibility is reinforced by directors’ duties under the Corporations Act 2001 (Cth). A failure to ensure the company takes reasonable steps to protect against foreseeable harm from a cyber threat could be viewed as a breach of the duty of care and diligence.
To meet this standard, board members are expected to become fluent in the language of cyber resilience, enabling them to:
- Ask relevant questions
- Provide meaningful oversight of the firm’s risk management framework
Managing Third-Party & Supply Chain Cyber Risks
A significant weakness identified by ASIC is the failure of many AFSL holders to manage cyber risks originating from their supply chains. As businesses increasingly rely on third-party vendors and cloud service providers, the organisation’s risk perimeter extends beyond its firewalls.
A defensible risk management framework must include a robust program for managing these external relationships. ASIC has outlined several key themes and good practices for managing supply chain risk, which include:
| Practice Area | Description of Good Practice |
|---|---|
| Comprehensive Due Diligence | Organisations must conduct thorough security assessments of potential vendors before onboarding them, understanding their security posture and data handling practices. |
| Contractual Security Obligations | Supplier contracts should include specific, enforceable security requirements, such as mandatory incident notification clauses, minimum control standards, and audit rights. |
| Ongoing Monitoring | Risk management should involve continuously monitoring the security posture of critical suppliers to ensure they remain compliant with required standards throughout the relationship. |
| Defining Risk Appetite | AFSL holders should define their risk appetite concerning third-party suppliers to implement risk management strategies appropriate for the business’s nature, scale, and complexity. |
Implementing ACSC’s 8 Foundational Technical Controls
While cyber resilience is a broad strategy, it must be built on strong technical security controls. ASIC and the Australian government consistently recommend the Australian Cyber Security Centre’s (ACSC) “Essential Eight” as a baseline of prioritised mitigation strategies.
Implementing these controls can protect against a vast range of common cyberattacks. The Essential Eight provides a clear, actionable framework for AFSL holders to reduce their cybersecurity risk materially.
The eight key strategies are:
| Control Strategy | Description / Purpose |
|---|---|
| Application Control | Prevents the execution of unapproved or malicious programs on workstations and servers, stopping malware from running. |
| Patch Applications | Remediates application security vulnerabilities promptly to prevent attackers from exploiting known weaknesses. |
| Configure Microsoft Office Macro Settings | Blocks macros from the internet and only allows vetted macros to run, addressing a common malware delivery method. |
| User Application Hardening | Configures web browsers and other internet-facing applications to block or disable high-risk features that attackers can exploit. |
| Restrict Administrative Privileges | Limits access to powerful system accounts to only those who require it, making it harder for attackers to gain control of systems. |
| Patch Operating Systems | Ensures operating systems are patched promptly to close security holes that could be exploited. |
| Multi-factor Authentication (MFA) | Requires a second form of verification beyond a password for all users, protecting against unauthorised access from stolen credentials. |
| Regular Backups | Ensures critical data is backed up regularly and stored securely and offline to enable recovery from incidents like ransomware. |
Key Failures to Avoid: Lessons from ASIC’s Cybersecurity Enforcement
Learnings from the ASIC v RI Advice Group Case
The landmark case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 84 was a watershed moment for AFSL holders. It established a crucial precedent as the first time ASIC successfully argued in court that failing to manage cybersecurity risks constitutes a breach of core obligations under the Corporations Act 2001 (Cth). This case clearly demonstrated that adequate cyber resilience is not merely an IT best practice but a fundamental legal duty.
The case highlighted several foundational failures in cyber risk management within RI Advice’s authorised representative network. These inadequacies, occurring over a six-year period, revealed a systemic lack of basic cyber hygiene.
Specific issues identified by ASIC and admitted by RI Advice included:
- Using out-of-date or non-existent antivirus software, leaving systems vulnerable to known threats
- Lacking adequate email filtering or quarantining processes for suspicious emails
- Failing to have reliable data backup systems in place or not performing backups at all
- Exhibiting poor password practices, such as sharing passwords among employees and using easily guessable default passwords
A critical finding by the Federal Court was that RI Advice “took too long to implement” remediation plans, even after cybersecurity incidents had occurred, and the risks were known. This delay was a key factor in determining that the firm breached its duty to provide financial services “efficiently, honestly and fairly.”
The case confirmed that while reducing cybersecurity risk to zero is impossible, licensees are legally required to materially reduce that risk through adequate documentation and controls.
A Compliance Blueprint from the ASIC v FIIG Securities Case
Building on the precedent set by Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 84, ASIC’s subsequent enforcement action against FIIG Securities Ltd provides a more detailed blueprint of the regulator’s current expectations. The proceedings, initiated in March 2025, allege systemic failures over four years that resulted in a significant data breach.
The detailed allegations offer a de facto audit checklist for AFSL holders, targeting technical controls and failures in governance and resourcing. ASIC’s case against FIIG alleges a broad failure to implement necessary cybersecurity measures, which created an unacceptable risk to client data.
The specific failures outlined by the regulator show a more holistic view of what constitutes an adequate risk management framework. These alleged “Missing Cybersecurity Measures” included:
| Category of Failure | Specific Alleged Lapses |
|---|---|
| Governance & Resourcing | A failure to employ or outsource sufficient human resources with necessary skills, and a failure to allocate an adequate budget for cybersecurity. |
| Incident Response | The absence of an annually tested Cyber Incident Response Plan (IRP), leaving the firm unprepared for a real-world event. |
| Access Control | Inadequate management of privileged access accounts, increasing the risk of an attacker gaining widespread system control. |
| Monitoring & Detection | A lack of daily monitoring of security logs by skilled staff, which resulted in a network intrusion going undetected for three weeks. |
| Vulnerability Management | A failure to implement a formal and timely process for patching software and operating systems against known vulnerabilities. |
| Authentication | Not having MFA in place for remote users, a baseline control for protecting against credential theft. |
| Staff Training | The absence of mandatory and recurring security awareness training for all staff to defend against threats like phishing. |
| Policy Implementation | A fundamental failure to implement the security measures contained within its own written policies, rendering them ineffective. |
Mastering Incident Response & Reporting Obligations for Your AFSL
Developing & Testing Your Incident Response Plan
A core principle of cyber resilience is accepting that not all cybersecurity incidents can be prevented. Consequently, an untested IRP is considered inadequate by ASIC, as highlighted in the ASIC v FIIG Securities Limited [2025] FCA QUD 144/2025 case. A plan that only exists on paper is insufficient; it must be a practiced capability that enables your firm to respond effectively during a crisis.
A defensible IRP should be a comprehensive document that outlines the clear roles and responsibilities of your incident response team, covering technical, management, legal, and communications functions. The plan must detail the specific procedures for each phase of an incident, including:
- Detection and analysis
- Containment of the threat
- Eradication of the cause
- Recovery of systems and business operations
Furthermore, the IRP must include a pre-approved communications strategy for engaging with all relevant stakeholders and mandate a formal post-incident review to ensure lessons are learned. Regular testing through drills, tabletop exercises, and full-scale simulations is essential to build organisational muscle memory and identify any gaps in your response strategy before a real incident occurs.
Navigating Reporting to ASIC, ACSC & OAIC
A single cybersecurity incident can trigger complex and time-sensitive mandatory reporting obligations to multiple government agencies. Mismanaging this process can result in significant penalties, compounding the damage from the initial attack. AFSL holders must be prepared to navigate the distinct requirements of ASIC, the ACSC, and the Office of the Australian Information Commissioner (OAIC).
The key reporting obligations include:
| Agency | Governing Legislation / Scheme | Key Reporting Requirement |
|---|---|---|
| Australian Securities and Investments Commission | Corporations Act 2001 (Cth) (Reportable Situations Regime) | Report a significant breach of a core obligation (which includes cyber resilience failures) to ASIC via its portal within 30 calendar days of determination. |
| Australian Cyber Security Centre | Security of Critical Infrastructure Act 2018 (Cth) | For a “critical cybersecurity incident,” report verbally within 12 hours. For an “other cybersecurity incident,” report within 72 hours. |
| Office of the Australian Information Commissioner | Privacy Act 1988 (Cth) (Notifiable Data Breaches Scheme) | If personal information is subject to a data breach likely to result in serious harm, notify affected individuals and the OAIC promptly after becoming aware. |
Conclusion
ASIC’s elevation of cyber resilience to a primary enforcement priority means AFSL holders must treat it as a core legal obligation under the Corporations Act 2001 (Cth), not just an IT issue. To meet these heightened expectations, firms must implement a defensible framework that includes board-level governance, robust third-party risk management, foundational technical controls, and a tested incident response plan for navigating multi-agency reporting.
Navigating these complex requirements demands specialised expertise to ensure your operations are not only compliant, but also secure against emerging cyber threats. To turn these regulatory challenges into strategic opportunities, contact our experts at AFSL House today for tailored compliance frameworks and trusted guidance on achieving a defensible cyber resilience posture.
Frequently Asked Questions (FAQ)
Yes, ASIC regulates cybersecurity for AFSL holders through their general obligations under section 912A of the Corporations Act 2001 (Cth). This requires licensees to have adequate risk management systems and technological resources, which ASIC has confirmed includes managing cyber risks.
AFSL holders must implement, test, and update a cyber resilience framework. This includes having robust governance with board oversight, managing risks from third-party suppliers, implementing technical controls like the Essential Eight, maintaining a tested IRP, and complying with reporting obligations. These duties stem from the obligation to provide services “efficiently, honestly and fairly.”
Failures can lead to significant penalties. For corporations, this can exceed $13 million per contravention or 10% of annual turnover. ASIC can also seek court orders requiring a firm to engage experts to fix their systems, and can take action against individual directors for breaching their duties.
Cybersecurity is about protecting and defending systems from attacks (prevention). Cyber resilience is a broader concept defined by the Federal Court as the ability to anticipate, withstand, recover from, and adapt to cyber incidents while maintaining continuous business operations. It assumes that not all attacks can be prevented.
ASIC expects regular testing. Good practice includes annual penetration tests, regular vulnerability scanning, and at least bi-annual tabletop exercises to test the IRP. Testing should also occur after any major changes to systems or infrastructure.
ASIC does not mandate a single framework but encourages alignment with established standards. It specifically recommends the US National Institute of Standards and Technology (NIST) Cybersecurity Framework and the ACSC’s Essential Eight mitigation strategies as good practice.
Yes. ASIC’s guidance and the findings from its Cyber Pulse Survey make it clear that AFSL holders are responsible for managing the cyber risks introduced by their supply chain. This requires conducting due diligence, having contractual security obligations, and ongoing monitoring of critical third-party vendors.
Under the reportable situations regime, an AFSL holder must report a significant breach (or likely significant breach) of a core obligation to ASIC within 30 calendar days of determining a reportable situation has arisen. As failures in cyber resilience are now considered breaches of core obligations, significant cyber incidents are reportable.
The key failures admitted in the RI Advice case included having out-of-date antivirus software, a lack of email filtering, inadequate or non-existent data backup systems, and poor password practices like sharing passwords or using default passwords. A critical failure was also taking too long to implement fixes after risks were identified.