Blog

  • Cyber risk is compliance risk: What ASIC’s enforcement actions mean for AFSL holders : Clyde & Co


    Our second article for Cyber Security Awareness Month explores the increasing convergence of cyber risk and financial lines exposures, evidenced by recent ASIC actions.

    “The mistake all of us can make at the moment, particularly from a leadership perspective, is siloing technology into one area of the business, rather than ensuring it’s integrated at the core competency, right across the business. We now have to be experts at – or at least have some level of competency in – technology, how the internet works, how communication technology works. Because if you’re not mastering those then you’re not engaging in the way the world works.”

    Abigail Bradshaw, Director-General, Australian Signals Directorate (ASD) [1]

    Cybersecurity failures are no longer viewed solely as technical issues; they are being treated as governance and compliance failures, with significant implications for directors, officers, and financial lines insurers. In this article we consider recent ASIC civil penalty proceedings, offering guidance on what constitutes ‘reasonable’ cyber risk management in the eyes of the regulator.

    What are your AFSL obligations? 

    Australian Financial Services (AFS) licensees have a general obligation to provide efficient, honest and fair financial services. They must comply with the conditions of their AFS licence and obligations under the Corporations Act 2001 (Cth) (Corporations Act).

    As an AFS licensee, your obligations under s 912A(1) include the following:

    Section 912A(1)(a) do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly
    Section 912A(1)(d) have available adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence and to carry out supervisory arrangements
    Section 912A(1)(f) ensure that its representatives are adequately trained and are competent, to provide those financial services
    Section 912A(1)(h) have adequate risk management systems

    How to ensure your business’ AFSL obligations are met? 

    If you are an AFS licensee, you must be mindful of the nature of your business, the nature and extent of the information you hold, and the value of the assets you hold when assessing the risk of adverse consequences for you and your clients. In today’s landscape, AFS licensees are subject to the risk of a cyber incident, loss of ability to provide financial services, unauthorised impersonation of you or your clients to third parties, direct or indirect financial loss, theft of confidential or personal information, and potential exposure to civil penalties and claims for damages.

    You can best protect yourself by ensuring your financial services are provided efficiently, honestly and fairly (s 912A(1)(a)) through adequate cybersecurity measures, adequate resources (s 912A(1)(d)), and adequate risk management systems (s 912A(1)(h)). If you have authorised representatives (ARs), ensure they are adequately trained and competent to provide the financial services covered by the licence (s 912A(1)(f)).

    What are adequate cybersecurity measures? 

    To meet your obligations under s 912A(1)(a), adequate cybersecurity measures are those in place to protect the licensee’s clients from the risks and consequences of a cyber intrusion. These measures should be proportionate to the nature, scale, and complexity of the business and the sensitivity of the information it holds. This includes implementing appropriate technical controls, maintaining up-to-date systems and software, and having clear policies and procedures for detecting, responding to, and recovering from cyber incidents.

    What are adequate resources? 

    To meet your obligations under s 912A(1)(d), a business must ensure it has adequate financial, technological and human resources. The key focus here is on ensuring that appropriate technical cybersecurity measures are in place, supported by the presence of an employee with the necessary technical expertise to implement, monitor, and maintain those measures and the broader risk management systems.

    What are adequate risk management systems? 

    Under s 912A(1)(h), this means a risk management system that adequately identifies and evaluates the risks posed, so that the AFSL holder can adopt controls to manage or mitigate those risks to a reasonable level. While the standard of “adequacy” is ultimately one for the Court to decide, the Court’s assessment of the adequacy of any particular set of cyber risk management systems will likely be informed by evidence from relevantly qualified experts in the field.

    Guidance on what this means in practice 

    In 2022, ASIC, the corporate regulator, was successful in civil penalty proceedings against RI Advice, but until recently there had been few material developments in this area. ASIC civil penalty proceedings over the last few months, however, show that the regulator is continuing its enforcement approach.

    Recap: RI Advice – Confirmed breach of AFSL obligations

    In Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, the Federal Court found that Australian Financial Services licensee RI Advice breached its licence obligations under s 912A(1)(a) to act efficiently and fairly when it failed to have adequate risk management systems under s 912A(1)(h) to manage its cybersecurity risks.

    The finding comes after a significant number of cyber incidents occurred at authorised representatives (ARs) of RI Advice between June 2014 and May 2020. Of importance, RI Advice needed to identify the risks that the ARs faced in the course of providing financial services pursuant to RI Advice’s licence, including in relation to cybersecurity and cyber resilience, and have documentation, controls and risk management systems in place that were adequate to manage risk in respect of cybersecurity and cyber resilience across the AR network. Although most of the historic issues (poor password practices, and lack of up-to-date antivirus software, or filtering or quarantining of emails) were later addressed by significant improvements in 2021, the Court found that RI Advice’s steps to remediate were inadequate and should have been addressed much earlier. 

    In line with Her Honour Justice Rofe’s decision, AFS licensees need to be mindful that it is possible to materially reduce cybersecurity risk to an acceptable level through adequate cybersecurity documentation and controls.

    Alleged breaches 

    In ASIC v FIIG Securities Limited [2], ASIC alleges that FIIG’s conduct exposed FIIG and its clients to the risk of cyber intrusion and its adverse consequences to a heightened and unreasonable extent. ASIC alleges that if FIIG had adequate cybersecurity measures, it would have detected suspicious activity on its network and identified the compromise, and therefore could have prevented the threat actor’s access, download and publication of the stolen data. In total, ASIC alleges FIIG contravened one or more of ss 912A(1)(a), 912A(1)(d), 912A(1)(h), 912A(5A).

    In the most recent civil penalty proceedings commenced by ASIC against Fortnum Private Wealth Ltd [3], ASIC alleges that the volume and sensitivity of personal information collected by Fortnum in the course of its business highlighted the critical need to identify and mitigate cybersecurity risks, both within the organisation and among its ARs. ASIC’s allegations highlight the importance of having robust policies, frameworks, systems, and controls in place to effectively manage those risks.

    Despite being an attractive target for threat actors and facing a heightened risk of cyber-related attacks, ASIC alleges Fortnum failed to:

    1. provide its ARs with education and training;
    2. ensure it supervised its ARs’ conduct (i.e. monitor ARs’ compliance with the relevant cybersecurity policy);
    3. have any employees with specialised expertise or experience in cybersecurity or engage any when it developed its cybersecurity policy; 
    4. have a risk management system in place designed to identify and evaluate cybersecurity risks across its ARs. 

    Overall, ASIC alleges that Fortnum breached sections 912A(1)(a) and 912A(5A) of the Corporations Act by failing to implement an adequate cybersecurity policy to manage and mitigate cyber risks affecting both the business and its ARs. ASIC also alleges Fortnum failed to provide adequate cybersecurity education or training, and did not establish effective processes, systems, or frameworks to oversee and monitor its ARs in relation to cybersecurity risk and resilience. 

    Both FIIG Securities Limited and Fortnum Private Wealth Ltd deny the allegations.

    How can your business avoid breaching its AFSL obligations? 

    To avoid breaching AFSL obligations, businesses must adopt a proactive, well-resourced, and risk-aware compliance approach. This includes implementing strong governance, risk management, and compliance frameworks that reflect the scale and complexity of business operations. With cyber threats posing a growing risk to financial services, businesses must also embed cybersecurity into their compliance strategy, ensuring systems, data, and client information are protected through robust controls and incident response planning. Competent personnel, regular monitoring, and a culture of accountability are essential to maintaining compliance and meeting ASIC’s expectations under the Corporations Act.

    Key take-aways for your business

    Adequate risk management system + resourcing: 

    Have a documented, proportionate and implemented cybersecurity risk management framework (policies, procedures, standards) and adequate resourcing, to ensure it is properly complied with.

    Adequate Cybersecurity Measures + Training: 

    Implement baseline technical controls such as firewalls, patching, MFA, backups, and logging, and enforce people and process controls, including mandatory security awareness and role-specific training.

    Expert Cyber Preparedness + Response: 

    Engage skilled cyber experts to assess the risks faced by your business in its operations and IT environment and ensure you have an incident response plan readily available.


    [1] “The head of the Australian Signals Directorate is calm in a crisis and thrives amid chaos”, Qantas magazine, October 2025, p189.

    [2] ASIC’s Concise Statement

    [3] The Originating Process and Concise Statement


  • Cricket Australia defends $11.3m loss arising from India visit amid criticism from Victorian chair


    Cricket Australia (CA) insists record numbers are ahead despite losing more than $11 million in a summer that included a five-Test tour from goliath India.

    Announcing a loss of $11.3 million for the 2024/25 financial year, CA received strong…


  • OpenAI launches new web browser built with ChatGPT


    OpenAI has launched ChatGPT Atlas, a new web browser built with ChatGPT at its core, enabling it to serve as an AI-powered assistant that integrates into users’ usual browsing flow, understands context, and responds in natural…


  • Jupiter Saved Earth from Spiralling Into the Sun


    It’s a well-known fact that Jupiter plays a vital role in the dynamics of the Solar System. As the largest planet beyond the “Frost Line,” the boundary where volatiles (like water) freeze, Jupiter protects the planets of the inner Solar…


  • Gum disease may quietly damage the brain, scientists warn


    Adults who suffer from gum disease could be more likely to show signs of injury in the brain’s white matter, according to new research published on October 22, 2025, in Neurology® Open Access, a journal of the American Academy of Neurology….


  • Rode’s latest wireless microphones now work with digital cameras


    Rode’s range of tiny, portable microphones are a mainstay for creators looking for crisp audio on their phone videos. The company knows that those using digital cameras probably want that same blend of portability and performance for their own…


  • Powerful New Antibiotic Was ‘Hiding in Plain Sight’ For Decades : ScienceAlert


    Researchers have just identified a powerful new antibiotic – in a significant discovery made not by breaking new ground, but by revisiting familiar territory.

    The compound, pre-methylenomycin C lactone, was discovered by a team from Warwick…


  • YouTube’s new strict gambling and violent content rules may impact esports – Esports Insider

    1. YouTube’s new strict gambling and violent content rules may impact esports  Esports Insider
    2. YouTube Is Changing Its Guidelines For “Graphic Violence” In Gaming  GameSpot
    3. GTA 6 Content Restricted, Millions to be Impacted  GAMINGbible
    4. YouTube will…


  • Big Tech tests investors’ patience with $80bn AI investment spree


    Google, Meta and Microsoft spent almost $80bn over the last quarter on artificial intelligence infrastructure, but investors had markedly different reactions to their plans to increase this historic spending spree.

    Alphabet shares rose almost 7 per cent in after-hours trading on Wednesday as the Google parent boosted its capital expenditure plans for 2025 by $8bn to $93bn, and delivered a record $100bn in quarterly revenue.

    By contrast, Meta plunged almost 9 per cent — potentially wiping $160bn from its valuation when markets open on Thursday — as Mark Zuckerberg’s company signalled much higher AI spending, which could top $100bn next year.

    The varied reaction to their earnings and spending plans “underscores how sensitive investors are to how quickly the AI build-out can deliver revenue”, said Dec Mullarkey, managing director of $300bn asset manager SLC Management. 

    “Investors are worried that the rush to grab market leadership may cause an overshoot,” he added. “No one needs reminding that history is full of episodes of technology exuberance that eventually left the early investors battered.”

    Microsoft — which became the third company to surpass a $4tn valuation this week after finalising its restructuring pact with OpenAI — also suffered a share price drop.

    Its stock fell 4 per cent, despite beating profit estimates and posting a 39 per cent jump in revenue at its key Azure cloud computing unit.

    It reported capital expenditure was $35bn in the quarter, a 74 per cent increase year-on-year and $5bn more than expected. Executives forecast spending of almost $140bn next year.

    Chief executive Satya Nadella told analysts that the software group was building “planet scale” cloud infrastructure and plans to double Microsoft’s data centre footprint over the next two years.


    Google and Microsoft, which both sell cloud computing to other businesses, had an easier time showing investors that elevated spending on chips, data centres and electricity will lead to income.

    After a slow start in the AI race, chief executive Sundar Pichai said that the Gemini App, its main consumer AI product, now has 650mn monthly users, up from 450mn in July, and closing in on ChatGPT’s 800mn.

    Pichai added that growth in its cloud unit “was driven by enterprise AI products, which are generating billions in quarterly revenues” and that it had an order backlog for computing services worth $155bn.

    The 15 per cent boost to core search advertising revenue also helped address concerns that ChatGPT is taking market share and AI is cannibalising traditional search.

    “We believe this performance demonstrates successful AI integration across ad-based platforms,” said Angelo Zino, an analyst at CFRA Research. “Google’s ability to maintain margins while scaling AI infrastructure demonstrates effective use of spending.”

    Zuckerberg, meanwhile, had to defend huge spending on infrastructure for Meta’s own use, as the tech group vies to be the first to build artificial superintelligence.

    He said it was “the right strategy to aggressively frontload building capacity”. He added that any excess data centre space could be repurposed to serve Meta’s core advertising functions, which he said were “compute starved”.

    A 26 per cent increase in quarterly revenue to $51.2bn failed to mollify the market, as investors fretted that Meta’s huge outlay on chips and staff has yet to produce a large language model as capable as rivals.

    The social media company said capex could hit $72bn by year-end and that spending growth would be “notably larger” in 2026, implying a number far in excess of an earlier forecast for $105bn.

    Meta founder and chief executive Mark Zuckerberg, left, and Microsoft’s Satya Nadella © AP

    Zuckerberg has also been luring engineers to his elite “TBD” lab with pay packages in the hundreds of millions of dollars, which Meta warned would be a big contributor to expenses as full-year costs appear in its results.

    Investors were disappointed by a rise in research and development costs, which accounted for 30 per cent of revenue, the highest level in more than two years. Its operating margin narrowed 3 percentage points to 40 per cent.

    “Expenses are growing faster than revenue,” said Gene Munster at Deepwater Asset Management. “Next year it’s going to be more like 18 per cent revenue growth and 35 per cent expense growth.”

    Meta disclosed a $15bn one-off charge related to changes in President Donald Trump’s tax bill that depressed net income 83 per cent to $2.7bn.

    Meta has indicated that its AI efforts are unlikely to generate meaningful revenue this year or in 2026. Zuckerberg on Wednesday promised that his new superintelligence team were focused on “novel” work that could be rapidly rolled out to 3.5bn users on Facebook, WhatsApp and Instagram, and could make money via advertising, commerce or subscriptions. 

    Investors worry Zuckerberg’s quest to dominate advanced AI is disconnected from Meta’s underlying business despite his insisting that it can improve advertising ranking and recommendations.

    Brian Wieser, an analyst at advisory firm Madison and Wall, said Google and Microsoft “are doing much more from a tech perspective. Meta’s actual business is selling ads.”

    “There [are] so many more arrows in the quiver for Google and Microsoft,” he added.
