Mission Impossible? Cybersecurity and Privacy for AFS Licensees
We are now over halfway into 2025, and the important mission (should you choose to accept it) continues to linger: how does your financial services firm manage its cybersecurity and privacy risks and meet its obligations? As use of digital and computer technology – including artificial intelligence – increases, regulators have indicated that “Oops, we did it again” is not an acceptable answer.
Licensees are collecting more personal information than ever, and processes for handling data and sensitive information are becoming more complex. This has led to greater potential for customer harm and legal ramifications for businesses.
Major data breaches are becoming more prevalent. The Office of the Australian Information Commissioner (“OAIC”) reported that it was notified of 595 data breaches between July and December 2024, ending the year with a total of 1,113 notifications. This represents a 25% increase from 2023 and is the highest annual figure since mandatory data breach notifications began.[1]
In releasing the Report, Australian Privacy Commissioner Carly Kind remarked:
“The trends we are observing suggest the threat of data breaches, especially through the efforts of malicious actors, is unlikely to diminish, and the risks to Australians are only likely to increase.”[2]
Managing and protecting the integrity, confidentiality and availability of your information, resources and assets are vital to protecting your business and meeting your legal, regulatory and ethical obligations.
In this article, we invite you to join us on three important privacy and cybersecurity missions:
- Understanding the source of privacy and cybersecurity obligations for licensees.
- Exploring examples of ASIC enforcement actions against licensees for inadequate cybersecurity measures.
- Considering practical measures you can take to strengthen your systems and processes.
Mission #1: Understanding the source of cybersecurity obligations for licensees
Ensuring licensees have adequate cybersecurity measures continues to be an enforcement priority for ASIC.[3] When taking enforcement action against licensees in relation to cybersecurity failures in the past, ASIC has relied on the general obligations that apply to licensees under section 912A of the Corporations Act 2001 (“the Corporations Act”) (and section 47 of the National Consumer Credit Protection Act 2009 for credit licensees). The general obligations include the requirement to ensure:
- That financial services are provided “efficiently, honestly and fairly”. This is a standalone obligation that can be breached even where there is no contravention of any other general obligation.
- That adequate cybersecurity risk management systems are in place. Following ASIC’s actions against HSBC Bank Australia Limited (“HSBC”)[4] and FIIG Securities Limited (“FIIG”),[5] it is clear that organisations are expected to have in place appropriate frameworks, policies, resources and controls to identify and adequately manage evolving cybersecurity and cyber resilience risks.
- That there are adequate human, financial and technological resources. Licensees must have sufficient resources in place to maintain adequate cybersecurity measures and to comply with their legal obligations, including the other general obligations noted above.
- That representatives are adequately trained, and competent, to provide the financial services covered by the licence. ASIC’s recent enforcement action against Fortnum Private Wealth Limited (“Fortnum”) suggests that the regulator expects licensees to require their representatives to undertake a prescribed minimum amount of cybersecurity education or training to comply with this obligation.[6]
But these are not the only sources of licensees’ privacy and cybersecurity obligations. Licensees are likely to also be subject to a raft of obligations under:
- Privacy Act 1988 – including requirements to destroy or de-identify personal information, to take steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure, and to report “eligible data breaches”.
- Cyber Security Act 2024 – reporting business entities with an annual turnover exceeding $3 million[7] are obligated to report ransomware payments to the Australian Signals Directorate.
- Directors’ duties – under the Corporations Act, directors must act with reasonable care and diligence, act in good faith in the best interests of the company and for a proper purpose, and not improperly use information or their position.[8]
- Contractual obligations – licensees are likely to have obligations under contractual arrangements with third parties, such as clients, referrers, suppliers, related entities or employees, that relate to the retention and security of information.
- Common law – obligations may also arise under common law principles, such as duties of care in negligence or confidentiality, depending on the circumstances.
Mission #2: Examples of ASIC enforcement actions against licensees for inadequate cybersecurity measures
ASIC’s enforcement actions against licensees offer valuable insights into the regulator’s expectations when it comes to protecting your firm (and your clients) from cyber incidents.
ASIC recently commenced civil penalty proceedings against AFS licensee FIIG. ASIC alleged that FIIG failed over four years to take appropriate steps to protect itself and its clients from cybersecurity risks.[9]
ASIC alleges that FIIG failed to comply with its general obligations to provide financial services efficiently, honestly and fairly, to have available adequate resources, and to have adequate risk management systems.[10] Among other things, ASIC stated that FIIG failed to appropriately configure and monitor firewalls, to sufficiently update and patch the software and operating systems in place to protect against cyber-attacks, and to provide mandatory training to staff on cybersecurity awareness.[11]
ASIC alleged that, given the nature of FIIG’s business, the nature of the information held and the significant value of the assets under its control, FIIG was at a real risk of:
- being subject to an attempted or actual cyber intrusion; and
- a cyber intrusion leading to adverse consequences for FIIG and its clients, including:
  - the loss of the ability to access or meaningfully deal with its data
  - the loss of the ability to operate FIIG’s network or computer system
  - the loss of its ability to provide financial services covered by its licence
  - impersonation of its staff or clients
  - financial loss.
ASIC identified in its Concise Statement the cybersecurity measures it considered that FIIG ought to have had in place (but did not), including:
- a cyber incident response plan
- adequate management of privileged access to accounts on FIIG’s networks, computer system and applications
- vulnerability scanning capabilities
- adequate firewalls
- configuration of group policies to disable legacy and insecure authentication protocols
- endpoint detection and response software
- adequate processes regarding patching and software updates
- adequate multi-factor authentication procedures
- adequate security information and event management software and adequate monitoring of this software
- mandatory security awareness training delivered to all employees
- processes to review effectiveness of existing cybersecurity controls on at least a quarterly basis.
ASIC’s enforcement action against FIIG follows ASIC’s successful action against RI Advice Group Pty Ltd (“RI Advice”) in 2022.[12] ASIC launched proceedings after a significant number of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020. The Court declared that RI Advice had breached the obligations to have adequate risk management systems in relation to cybersecurity and to do all things necessary to ensure that the services were provided efficiently and fairly.[13]
Likewise, in current proceedings against Fortnum, ASIC alleged that Fortnum contravened several general obligations under section 912A by failing to have adequate policies, frameworks, systems and controls in place to deal with cybersecurity risks, after several authorised representatives experienced cyber incidents.[14] ASIC also recently commenced civil penalty proceedings against HSBC, claiming that HSBC had insufficient controls in place to prevent and detect scams. ASIC has alleged that these failures constitute a breach of the obligation to do all things necessary to ensure that the services were provided efficiently, honestly and fairly.[15]
Mission #3: Practical steps licensees can take
It is imperative that licensees have systems and controls in place to mitigate cyber incidents. We have set out below several practical measures you can take to improve your cybersecurity and privacy posture.
1. Implement policies and procedures
You should ensure that you have cybersecurity and privacy policies and procedures in place that govern how you manage and protect the integrity, confidentiality and availability of personal information, resources and assets. These policies and procedures might include the following:
- Cyber and Information Management Policy
- Data Breach Response Plan and Register
- Privacy Management Policy
- Document Destruction Schedule
- Business Continuity Plan
- Information Asset Register
You can access template cyber, information management, risk management and privacy policies via the HN Hub.
2. Bring in the experts
ASIC neither prescribes technical standards nor provides expert guidance on operational aspects of cybersecurity. ASIC expects that you will engage IT security experts to ensure that your cybersecurity systems, processes and procedures are sufficiently robust. This may include employing people with the skills, knowledge and experience in IT security, or engaging them through a third party. Listen to the advice from your IT security expert. You may need to invest in measures such as endpoint detection and response software, enhanced password practices and back-ups, vulnerability scanning and multifactor authentication.
3. Train and monitor your staff and contractors
You should ensure that all employees and contractors who use your IT resources complete regular privacy and information security awareness training.
All employees and contractors should be subject to appropriate security, intellectual property and confidentiality processes before, during and at the end of their engagement. This includes measures such as limiting access to information or systems (depending on the requirements of their role) and terminating access to IT resources at the end of their engagement. Access requirements should be regularly reviewed.
4. Implement information and asset management systems
Ensure that you have clear lines of responsibility for security and management practices within your organisation. This includes allocating responsibility for document destruction once information is no longer required to be kept, in accordance with a document destruction schedule. You may wish to maintain a register of information assets that lists your significant information assets and the relevant information owner to assist with this.
5. Prepare for the worst
You should have a robust incident response plan to help you respond swiftly to a cyber incident. Some organisations are using “war gaming” techniques to better understand and plan their defence against malicious cyber activities, and to test their cyber incident response plans in action. Don’t forget that you may need to report data breaches or ransomware payments to the OAIC[16] or Australian Signals Directorate[17] respectively. A cyber incident may also constitute a “reportable situation”, which must be reported to ASIC.[18]
Contact our team of experts at Holley Nethercote if your licensee needs assistance with uplifting your privacy and cybersecurity policies or engaging with regulators in relation to a cyber incident.
Authors: Tali Borowick (Law Graduate) and Katherine Temple (Special Counsel)
[1] https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-july-to-december-2024
[2] https://www.oaic.gov.au/news/media-centre/oaic-stats-show-record-year-for-data-breaches
[3] https://www.asic.gov.au/about-asic/asic-investigations-and-enforcement/asic-enforcement-priorities/
[4] https://www.asic.gov.au/about-asic/news-centre/find-a-media-release/2024-releases/24-280mr-asic-sues-hsbc-australia-alleging-failures-to-adequately-protect-customers-from-scams/
[5] https://www.asic.gov.au/about-asic/news-centre/find-a-media-release/2025-releases/25-035mr-asic-sues-fiig-securities-for-systemic-and-prolonged-cybersecurity-failures/
[6] https://www.asic.gov.au/about-asic/news-centre/find-a-media-release/2025-releases/25-143mr-asic-sues-fortnum-private-wealth-for-allegedly-failing-to-adequately-manage-cybersecurity-risks/
[7] Prescribed by the Cyber Security (Ransomware Payment Reporting) Rules 2025.
[8] Sections 180-184 of the Corporations Act 2001.
[9] https://www.asic.gov.au/about-asic/news-centre/find-a-media-release/2025-releases/25-035mr-asic-sues-fiig-securities-for-systemic-and-prolonged-cybersecurity-failures/
[10] Section 912A(1)(a), (d) and (h) of the Corporations Act 2001.
[11] https://download.asic.gov.au/media/0ubnrmym/25-035mr-asic-v-fiig-securities-limited-concise-statement-sealed.pdf
[12] https://www.asic.gov.au/about-asic/news-centre/find-a-media-release/2022-releases/22-104mr-court-finds-ri-advice-failed-to-adequately-manage-cybersecurity-risks/
[13] https://download.asic.gov.au/media/zhodijpp/22-104mr-2022-fca-496.pdf
[14] Section 912A of the Corporations Act 2001.
[15] https://www.asic.gov.au/about-asic/news-centre/find-a-media-release/2024-releases/24-280mr-asic-sues-hsbc-australia-alleging-failures-to-adequately-protect-customers-from-scams/