Cybersecurity as an AFS Licensee obligation
02 September 2025
‘It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.’ Her Honour Justice Rofe in 2022.
In response to the increasingly hostile cyber landscape, the Australian Securities and Investments Commission (ASIC) has reminded AFS Licensees of their legal obligations to manage cyber risks – not only within their own operations but also across those of their authorised representatives. To reinforce how seriously ASIC views these obligations, it has already taken legal action against two financial services businesses in 2025 due to inadequate cybersecurity measures.
In March 2025, ASIC initiated proceedings against FIIG Securities Limited (FIIG), alleging that the company had failed to implement proper cyber security measures and in doing so breached multiple obligations imposed on AFS licensees by the Corporations Act 2001 (Cth) (the Corporations Act). In July 2025, ASIC also initiated proceedings against Fortnum Private Wealth (Fortnum), alleging that Fortnum failed to adequately manage and mitigate cybersecurity risks, particularly concerning its Authorised Representatives (AR). These cases build on the seminal case of ASIC v RI Advice Group Pty Ltd [2022] FCA 496 (ASIC v RI Advice), where the Court made a declaration that RI Advice had breached its AFS licence obligations to act efficiently and fairly due to its failure to have adequate risk management systems for managing cybersecurity risks. A brief summary of each of these cases is provided below.
History of ASIC’s focus on cybersecurity
In March 2015, ASIC released Report 429 Cyber resilience: Health check, which was a foundational report designed to assist AFS licensees to monitor their cyber risk health. In this report, ASIC emphasises the need for AFS licensees to have adequate risk management systems and resources. Importantly, Report 429 doesn’t focus on broader licensing obligations but instead centres on risk and resource adequacy in the context of growing cyber threats. ASIC has recommended that AFS Licensees adopt the recommendations in the NIST Cybersecurity Framework. Since the release of Report 429, ASIC has published regular cyber readiness reports assessing the cyber resilience of market participants and licensees. These reports are based on self-assessment surveys using the NIST Framework and have revealed varying degrees of readiness across the sector.
Together, these reports have laid the groundwork for ASIC’s regulatory expectations around cyber resilience, clearly signalling that cybersecurity is not only an essential part of prudent risk management, but failure to identify and manage these risks will be an AFS licence breach and expose the Licensee to substantial fines.
Significantly, these publications pre-date the decision in ASIC v RI Advice and set the stage for the current cases, demonstrating that ASIC will take enforcement action to force compliance.
In addition to commencing prosecutions against FIIG and Fortnum, ASIC has increased its focus on the need for AFS Licensees to look at cyber risk as a significant ongoing licensee obligation.
Why is cybersecurity a priority for ASIC?
When providing financial services, AFS Licensees have access to confidential and personal information about clients, including identification documents, tax file numbers, and financial details such as bank account and credit card information. This access makes AFS Licensees likely targets for cyber-attacks and cybercrime.
What are an AFS Licensee’s obligations regarding cybersecurity?
AFS Licensees are subject to a number of general licence obligations that ASIC has used to initiate proceedings for poor cybersecurity practices. An AFS Licensee has obligations imposed by the Corporations Act (General Licence Obligations) namely to:
- do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly (s 912A(1)(a) of the Corporations Act)
- have available adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence and to carry out supervisory arrangements (s 912A(1)(d) of the Corporations Act)
- ensure that its representatives are adequately trained and competent to provide financial services (s 912A(1)(f) of the Corporations Act), and
- have adequate risk management systems (s 912A(1)(h) of the Corporations Act).
ASIC is using these General Licence Obligations as a basis for arguing that a failure to implement adequate cybersecurity controls is a breach of the obligations to have adequate risk management systems and to provide financial services efficiently, honestly, and fairly. By relying on these broad duties, ASIC has established that cybersecurity risk is not merely a technical issue, but a core element of an AFS Licensee’s ongoing legal obligations.
In addition to the Corporations Act obligations, AFS Licensees are also subject to obligations under the Privacy Act 1988 (Cth) (Privacy Act). The Privacy Act imposes general obligations related to notifiable data breaches as well as an obligation on an organisation to take reasonable steps to protect personal information it holds from misuse, interference, loss and unauthorised access or disclosure. This extends to ensuring it has adequate cybersecurity policies in place. AFS Licensees have an obligation to comply with the financial services laws, which includes the Privacy Act.
Reforms introduced since the 2019 findings of the Hayne Royal Commission mean that a failure to comply with certain AFS licensing obligations – including obligations relating to how cyber risks are addressed – may give rise to civil penalties being imposed on AFS Licensees. The cases initiated by ASIC have resulted in substantial fines.
ASIC v RI Advice (2022)
In ASIC v RI Advice, the Federal Court declared that failure to implement adequate cybersecurity risk management systems could constitute a breach of General Licence Obligations under the Corporations Act. RI Advice as an AFS Licensee operated a third-party AR model, authorising independently owned corporate and individual representatives to provide services under its licence.
- Between June 2014 and May 2020, ARs under the supervision of RI Advice suffered nine cybersecurity incidents, many involving phishing, email account takeovers, ransomware attacks and compromised servers that stored sensitive retail client information.
- RI Advice admitted that it lacked adequate risk management and controls up to 15 May 2018 and was slow to act thereafter in implementing cybersecurity programs.
- Prior to May 2018, RI Advice did not have documentation, controls and risk management systems needed to adequately manage cybersecurity risk across its AR network.
- In May 2018, RI Advice implemented a number of ANZ policies that were directed to its structure and IT capabilities, but it failed to fully implement these policies until 2021.
- RI Advice admitted that it was, at all material times, required to identify the cybersecurity and cyber resilience risks faced by its ARs in the course of providing financial services under its licence, and to have in place adequate documentation, controls, and risk management systems to address those risks across its AR network.1
Justice Rofe, when imposing a fine of $750,000 on RI Advice, made a declaration that RI Advice contravened the obligation to have adequate risk management systems (s 912A(1)(h)) and that it failed to do all things necessary to ensure that the financial services covered by the licence were provided efficiently, honestly and fairly (s 912A(1)(a)). In doing so, Her Honour stated a number of key principles:
- that AFS Licensees are required to identify the risks that ARs face in the course of providing financial services2
- that AFS Licensees must have documentation, controls and risk management systems in place that were adequate to manage risk in respect of cybersecurity and cyber resilience3
- the public expects the holder of an AFS Licence to have adequate cybersecurity measures, although the content of those measures is to be assessed by reference to the reasonable person qualified in the area of cybersecurity4
- whether cyber risk management systems are adequate requires consideration of the risks faced by a business in respect of its operations and IT environment5, and
- the courts will assess the adequacy of any particular cyber risk management system and will require information from cybersecurity-qualified experts.6
ASIC v FIIG Securities (2025)
FIIG Securities is an AFS Licensee that offers retail and wholesale clients access to fixed income securities, bonds and managed discretionary accounts. In the course of running its business, FIIG Securities collected contact details, dates of birth, identification documents (such as passports), tax file numbers, Australian Business Numbers, bank account details, and asset holdings. FIIG Securities suffered a cybersecurity incident in which 385 gigabytes of confidential data was stolen in a malicious cyber-attack, impacting 18,000 clients.7
ASIC alleges that FIIG’s failure to have adequate risk management measures was a contravention of ss 912A(1)(h) and 912A(5A) of the Corporations Act. Unlike RI Advice, FIIG Securities did have internal policies; however, ASIC alleges that FIIG Securities failed to actually implement the measures listed in those policies. ASIC alleges that this failure to adopt controls to manage and mitigate risks resulted in unreasonable exposure to cybersecurity threats. ASIC has also submitted that FIIG Securities lacked the financial, technological and human resources required to ensure that these measures were in fact implemented.8
Fortnum Private Wealth (2025)
Fortnum Private Wealth is an AFS Licensee that authorised a number of ARs. Between January 2021 and September 2022, five of Fortnum’s ARs experienced cybersecurity incidents, including compromised email accounts, phishing attacks, and a significant data breach affecting approximately 9,828 clients, whose details ASIC alleges were published on the dark web.
Unlike RI Advice, Fortnum had a Cyber Policy that required all of its ARs to complete a self-assessment questionnaire regarding their cybersecurity and IT setup. ARs were also required to submit an attestation form confirming the cybersecurity measures they had implemented. The Fortnum Cyber Policy indicated that Fortnum would annually review each AR to determine whether the cybersecurity strategy was effective; however, this review allegedly did not occur.
ASIC alleges that Fortnum’s Policy was inadequate to address its cybersecurity risks, as the measures were vague and overly lenient. Specifically, ASIC alleges that Fortnum breached its General Licence Obligations, for the following reasons:
- The Cybersecurity Policy did not require ARs to consult Fortnum if they answered “no” or “unsure” in their Self-Assessment.
- The Cybersecurity Policy allowed ARs to consult external consultants without verifying those consultants’ qualifications.
- The Cybersecurity Policy failed to mandate improvements based on negative or uncertain responses in Self-Assessments.
- The Cybersecurity Policy made key cybersecurity strategies, such as the Essential Eight, optional rather than mandatory.
- Fortnum failed to mandate a minimum level of cybersecurity training, and limited training to content related only to the April 2021 and May 2023 Policies.
- Fortnum failed to implement any cybersecurity-specific supervision or oversight systems.
- Fortnum lacked staff or consultants with cybersecurity expertise, including during the development of the April 2021 Policy.
The proceedings against Fortnum demonstrate the strong position ASIC is willing to take, especially where AFS Licensees authorise multiple ARs. The ‘licensee for hire’ model has always exposed the AFS Licensee to the risk of compliance breaches, and that risk is heightened by the need to ensure that the compliance arrangements incorporate robust cybersecurity risk management. ASIC is showing that it expects robust and active supervision and management of ARs, especially where there are multiple ARs. AFS Licensees are also required to provide adequate oversight of their ARs and to effectively manage the cybersecurity risks relevant to those ARs and to the licensee itself.
How does an AFS Licensee ensure it meets ASIC’s expectations?
So what does an AFS Licensee need in order to ensure that it has adequate cybersecurity management systems and policies?
To ensure cybersecurity management systems and policies are adequate, AFS Licensees need to consider the guidance provided through ASIC’s Statements of Claim against both FIIG Securities and Fortnum Private Wealth. Some necessary measures include developing a Cyber Incident Response Plan, applying patches and updates, establishing detection and response programs, and conducting vulnerability scanning.
A key element in these cases is the history of cybersecurity-related incidents faced by the AFS Licensees. If an AFS Licensee has experienced multiple cybersecurity incidents, it should urgently review its policies and procedures to ensure they are sufficient. Furthermore, where an AFS Licensee authorises several ARs, that Licensee should also assess the nature and extent of cyber risk faced by those ARs and adopt appropriate oversight mechanisms and group-wide policies. If a policy is to be updated, it should be implemented swiftly.
Where to next for AFS Licensees?
With three cybersecurity-related enforcement actions now brought by ASIC, it is reasonable to assume that more enforcement proceedings are likely to follow. ASIC is focusing not only on AFS Licensees that authorise a large number of ARs but on all licensees, as seen in ASIC’s recent action against FIIG Securities.
ASIC has already announced that enforcement against ‘Licensee failures to have adequate cyber-security protections’ is one of its 2025 priorities.9 It is now essential for AFS Licensees to implement cybersecurity controls to ensure ongoing compliance and protection against future threats.
Our multi-disciplined team can assist with a range of services including working with clients to write and develop their cyber compliance plans, staff training for cyber risk, reviews of existing compliance policies including AR contracts and working with cyber risk experts whose technical expertise is required.
1 ASIC v RI Advice, [28].
2 ASIC v RI Advice, [28].
3 ASIC v RI Advice, [28].
4 ASIC v RI Advice, [49].
5 ASIC v RI Advice, [54].
6 ASIC v RI Advice, [55].
7 ‘ASIC Sues FIIG Securities for Systemic and Prolonged Cybersecurity Failures’ (Media Release, 23 July 2025)
9 ASIC enforcement priorities | ASIC