
Industry · Financial services

IT and cybersecurity for Australian financial services firms.

Financial advisers, authorised representatives, retirement planners, financial brokers, accounting firms with financial-services work, SMSF administrators, wealth managers, boutique investment firms and mid-tier dealer groups. If your practice holds client money, financial records, tax data or a seat in the advice chain, the same set of obligations and questionnaires is now landing on your desk. Larger APRA-regulated institutions (big ADIs, major super funds, general insurers) aren't our target sweet spot; that's a different delivery model, and we'll say so upfront.

What's actually different in financial services

Financial services IT in 2026 is mostly oversight and evidence.

The technical controls in a well-run financial-services environment aren't exotic. MFA, EDR, backups, allowlisting, logging, offboarding. The hard part is evidence: proving to ASIC, APRA (where applicable), the broker, the platform, the licensee or the auditor that the control is operating, has been operating, and will continue to operate. Most firms we assess have the controls in name but can't produce the evidence when someone digs in.

The harder part is third-party oversight. Platform providers, advice-software vendors, practice-management systems, CRM platforms, SMSF admin tools, tax software, modelling tools: every outsourced system introduces a new surface and a new set of access credentials. CPS 234, ASIC guidance, licensee annexures and broker questionnaires all now require documented oversight of those relationships. Someone needs to read the vendor's assurance report, track their breach history, keep the access register honest, and escalate when a vendor's posture changes. That "someone" is a real role, not a spare-time activity.

The Fortnum proceedings reshaped the conversation overnight. ASIC's position is that licensees must set and enforce minimum cyber controls on their ARs, and that failing to do so is a failure of the licence obligations. Every dealer group has responded by tightening annexures, requiring attestations, and auditing more actively. This isn't hostile; it's rational: their licence depends on your posture. Getting ahead of the annexure is cheaper than getting caught short at audit.

We run the day-to-day IT, the cybersecurity layer, and the oversight function together. One team owns the tenants, the devices, the identities, and the vendor register. Nowhere for a problem to fall between providers, and a cleaner answer on the day ASIC, your broker, your licensee or your auditor asks.

Live right now · financial services

The 2026 pressure points we're actively working on with clients.

The specific asks, deadlines and enforcement actions shaping 2026 conversations in your sector.

ASIC v Fortnum Private Wealth (July 2025)

ASIC filed civil penalty proceedings against Fortnum for allegedly failing to set minimum cyber-training and security controls for its authorised representatives after the 2022 Wealthwise breach. The directions hearing is listed for July 2026. Every AFSL licensee group in the country has now started pushing MFA, EDR, baseline controls and staff training onto their ARs in writing. If you're an AR, expect your next licensee audit to ask for evidence, not intent. If you're a licensee, your obligations to your ARs just got explicit.

Licensee cyber annexures, landing in 2025/26

Every major dealer group (Fortnum, Count, Centrepoint, Oreana, Infocus, WT Financial, Lifespan, Clearview, Insignia) has pushed a tightened cybersecurity policy onto their AR base in the last 12 months. Most ask for phish-resistant MFA, EDR on every endpoint, documented patch cadence, cybersecurity awareness training, a managed password vault, HR-driven onboarding/offboarding, a written IR plan, and periodic evidence of controls. They're not suggestions. They're the basis of the next AR audit.

Cyber insurance renewal 2025/26 is an audit

Underwriters for financial-services firms are no longer quoting without MFA on every account, EDR on every endpoint, tested backups, DMARC email authentication, staff phishing training and a written incident response plan. "We'll fix it after renewal" is why firms are being declined outright. The Fortnum proceedings are accelerating this.

ASIC 2026 enforcement priorities

Operational resilience, third-party risk and data governance are explicit in ASIC's enforcement priorities for non-APRA licensees this year. Translation: ASIC will look at the controls before they look at the advice.

Frameworks that turn up in the room

Industry frameworks, regulations and audit standards for financial services in Australia.

AFSL obligations (Corps Act s912A / s912D)
IT and data-handling obligations under an Australian Financial Services Licence: client-data protection, record retention (typically 7 years), reasonable steps to protect against cyber incidents, and reportable-situations notification to ASIC under s912D. Applies to licensees directly; cascades to ARs through the licensee annexure.
ASIC RG 104 / RG 271
ASIC's regulatory guides on AFSL adequacy, cyber risk, operational resilience and complaints-handling. RG 104 sets out ASIC's expectations around IT systems for meeting AFSL obligations; the Fortnum proceedings are ASIC making RG 104 enforceable in practice.
Licensee cyber annexure
The single document most likely to land in your inbox first if you're an authorised representative. Each dealer group has its own, they're all broadly similar, and they reflect what the licensee needs to defend to ASIC under its own AFSL obligations. We read it with you, map it against what you're already running, and either close the gaps or give you a plan the licensee will accept.
APRA CPS 234
For APRA-regulated entities (smaller super funds, life insurers, health funds): information-security capability commensurate with information-asset vulnerabilities, controls, 72-hour material-incident notification and third-party oversight. The prudential framework is larger, and the enterprise-scale end of it (big ADIs, major super funds) sits outside our sweet spot, but CPS 234 legitimately reaches the smaller end of APRA-regulated clients we support.
Privacy Act 1988 + APPs
Client personal information, tax file numbers, and financial records are sensitive. Tranche 1 reforms (2024) introduced a statutory tort for serious invasions of privacy. Tranche 2 is expected to remove the small-business exemption from mid-2026 for approximately 100,000 businesses, including most accounting firms and adviser practices that currently sit under the $3M turnover threshold.
Mandatory ransomware payment reporting
Under the Cyber Security Act 2024, businesses with turnover above $3M must report ransomware payments to ASD within 72 hours. The obligation commenced 30 May 2025 and is now the standard expectation in incident-response planning.
ACSC Essential Eight
Not yet mandated for financial services, but now the de facto benchmark that cyber insurers score renewals against, licensees write into AR agreements, and platforms reference in their third-party questionnaires. See /essential-eight for the maturity model and how we move clients through it.

Common questions

The things financial services clients ask us first.

Our licensee just sent us a new cybersecurity annexure to sign. What do we actually need to action?
Read it once, line by line, with someone who knows the controls. Most annexures ask for the same eight-ish things: phish-resistant MFA across every account, EDR on endpoints, managed patching, cybersecurity awareness training at fortnightly cadence, a zero-knowledge password manager with SSO, written onboarding and offboarding procedures, a documented incident response plan, and tested backups. We map the annexure against what you're already running, close the specific gaps, and document the controls so your licensee audit is a conversation about facts rather than intent. Faster is better; licensees tend to ask again 12 months later.
Our platform (Netwealth / HUB24 / Praemium / Macquarie Wrap) just sent us a third-party risk questionnaire. How do we answer it?
Honestly, and with specifics. Platforms run these questionnaires to document third-party oversight for their own regulators and insurers; they read the answers. The common questions: what controls are in place, who operates them, what the incident response process is, how access is governed, how ex-staff are offboarded. We've completed enough of these for financial-services firms to know which answers need to be specific (you have MFA, but is it on every system, not just email?) and which need evidence attached. We fill them in with you, not for you.
We're a 4-person advisory firm. Is this level of IT really necessary?
For most practices yes, because the obligations don't scale with headcount. A 4-person firm handles the same category of client data as a 40-person firm. The licensee's annexure asks the same questions. The insurer's renewal questionnaire asks the same questions. The platform's third-party review asks the same questions. What scales is the cost of getting it wrong: at 4 people an incident can end the practice, at 40 it's survivable.
Our cyber insurance renewal questionnaire keeps getting longer. Can you help?
Yes. Broker questionnaires now run 20 to 40 pages for mid-sized financial-services firms and directly affect premium, excess, and coverage. We've completed enough of them to know which answers the broker actually scores, which trigger follow-up (and sometimes a declined quote), and where "yes" is a lie that bites at claim time. We fill them in with you, not for you.
Can our staff use Microsoft 365 Copilot, ChatGPT Enterprise or Claude for Work on client financial data?
Yes, if you're on an enterprise tier with the right data-handling terms and you've governed how it's used. The risk isn't the model; it's what data enters it and whether the tool trains on inputs. We help clients pick the enterprise tier that fits the rest of the stack, write an acceptable-use policy aligned to AFSL and ASIC guidance, and block consumer tiers (free ChatGPT, free Claude, free Gemini) at DNS level so "just don't use AI" isn't the whole answer. Blanket bans don't hold; governance does.
What should we do if we think an adviser or admin staff member clicked a phishing link?
Right now: don't click anything else, don't delete the email, ring us. The first hour of containment is where most of the damage is prevented. We isolate the account, verify whether credentials were entered or session cookies harvested, check for forwarding rules or OAuth grants that wouldn't be caught by a password reset, and document the timeline. If it was nothing, we close the ticket with a written record you can show your licensee if asked. If it was real, the 72-hour ransomware reporting clock starts immediately for firms above $3M turnover.
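The two checks above that a password reset does not cover, inbox rules and OAuth grants, are the ones that most often get missed in a rushed triage. The script below is an added example, not the firm's own tooling: it runs a defender's review over a mailbox's inbox rules and the user's delegated OAuth consent grants and lists the reasons each one looks like post-phish persistence (external forwarding, silent deletion, routing into rarely-viewed folders, high-risk mail scopes granted to an unverified app). The field names are loosely modelled on what Exchange Online's Get-InboxRule and Microsoft Graph's oauth2PermissionGrants return, but the records are constructed sample data and the firm's internal domain is a placeholder.

```python
"""Post-phish account triage: flag inbox rules and OAuth grants that a
password reset alone would leave in place. Added example with constructed
sample data; record shapes only approximate Exchange Online / Graph output."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Folders attackers commonly route mail into so the mailbox owner never sees it.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}

# Delegated Graph scopes that let an app read, send or exfiltrate mail and files.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "MailboxSettings.ReadWrite", "Files.Read.All", "Files.ReadWrite.All"}


@dataclass
class InboxRule:
    name: str
    enabled: bool
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: Optional[str] = None
    mark_as_read: bool = False


@dataclass
class OAuthGrant:
    app_display_name: str
    app_id: str
    scope: str          # space-separated, as Graph returns it
    consent_type: str   # "Principal" (user consent) or "AllPrincipals" (admin consent)
    verified_publisher: bool = False


def _is_external(address: str, internal_domains: set) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def check_inbox_rule(rule: InboxRule, internal_domains: set) -> List[str]:
    """Reasons this rule looks like attacker persistence; empty list if clean."""
    reasons: List[str] = []
    if not rule.enabled:
        return reasons
    external = [a for a in rule.forward_to + rule.redirect_to
                if _is_external(a, internal_domains)]
    if external:
        reasons.append("forwards or redirects to external address: " + ", ".join(external))
    if rule.delete_message:
        reasons.append("deletes matching messages")
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail into a rarely-viewed folder ({rule.move_to_folder})")
    if rule.mark_as_read and (rule.move_to_folder or rule.delete_message):
        reasons.append("marks mail as read before hiding it")
    if not rule.name.strip(". "):
        reasons.append("rule name is blank or punctuation only")
    return reasons


def check_oauth_grant(grant: OAuthGrant) -> List[str]:
    """Reasons this consent grant needs revoking or review; empty list if clean."""
    reasons: List[str] = []
    risky = sorted(set(grant.scope.split()) & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk delegated scopes: " + ", ".join(risky))
        if not grant.verified_publisher:
            reasons.append("app publisher is not verified")
        if grant.consent_type == "Principal":
            reasons.append("granted by user consent rather than admin consent")
    return reasons


def triage(rules: List[InboxRule], grants: List[OAuthGrant],
           internal_domains: set) -> Dict[str, Dict[str, List[str]]]:
    """Return only the rules and grants that raised at least one finding."""
    internal = {d.lower() for d in internal_domains}
    report: Dict[str, Dict[str, List[str]]] = {"inbox_rules": {}, "oauth_grants": {}}
    for rule in rules:
        hits = check_inbox_rule(rule, internal)
        if hits:
            report["inbox_rules"][rule.name] = hits
    for grant in grants:
        hits = check_oauth_grant(grant)
        if hits:
            report["oauth_grants"][grant.app_display_name] = hits
    return report


# Constructed sample data: one benign rule, two typical persistence rules, one disabled rule.
SAMPLE_RULES = [
    InboxRule("Client newsletters", True, move_to_folder="Newsletters"),
    InboxRule("..", True, forward_to=["archive.mailbox@example.net"], delete_message=True),
    InboxRule("Hide invoice chatter", True, move_to_folder="RSS Feeds", mark_as_read=True),
    InboxRule("Old rule", False, redirect_to=["someone@example.net"]),
]
SAMPLE_GRANTS = [
    OAuthGrant("Practice CRM Connector", "00000000-0000-0000-0000-000000000001",
               "User.Read Calendars.Read", "AllPrincipals", verified_publisher=True),
    OAuthGrant("PDF Helper", "00000000-0000-0000-0000-000000000002",
               "Mail.ReadWrite Mail.Send offline_access", "Principal"),
]
INTERNAL_DOMAINS = {"example-advice.com.au"}  # placeholder for the firm's own domain

if __name__ == "__main__":
    for section, items in triage(SAMPLE_RULES, SAMPLE_GRANTS, INTERNAL_DOMAINS).items():
        for name, reasons in items.items():
            print(f"[{section}] {name}: " + "; ".join(reasons))
```

Feed it real data by exporting inbox rules and the user's consent grants to JSON and mapping the fields onto the two dataclasses; keep the printed output with the ticket, since that list of findings is exactly what a licensee or broker will ask to see if the incident is ever questioned.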
We use XPLAN / AdviserLogic / Iress / Practifi / MyProsperity / Class / BGL. Does that change the IT conversation?
Not fundamentally. Those are your practice or administration applications; we manage the environment they run inside: Microsoft 365 tenant, device configuration, identity, backup, network, offboarding. Application-level workflow support stays with the software vendor, but we own the boundary. We also track the vendor's own security posture (breach history, certifications, data residency) as part of your vendor register, because your licensee, your broker and your platform all expect that oversight now.
We're a small AFSL with outsourced everything. Is that safer or riskier?
Both, depending on how it's managed. Outsourcing reduces attack surface you manage directly; it increases attack surface a third party manages on your behalf. CPS 234 and ASIC guidance both require oversight of third parties, which means regular reviews of their security posture, access, and breach history. We perform that oversight and maintain the paperwork for it.

The qualifier

Let's see if we're a fit.

Seven questions, one moment of your time. We'd rather tell you now than three months in.
