A watershed moment for cyber accountability
It is the first time the Court has imposed penalties to a financial services company for cyber security failures under the general obligations of an Australian Financial Services (AFS) licence. The message to boards and executives is unmistakable: cyber resilience is now a licence-to-operate issue, and failing to embed basic cyber hygiene can amount to a breach of core legal and governance obligations.
ASIC’s successful Federal Court action, resulting in a $2.5 million penalty, reinforces that cyber risk management is not optional. The findings were not driven by sophisticated attack techniques, but by foundational control gaps - failures in access management, security monitoring, staff awareness, and incident response practices. Regulators now expect these baseline safeguards to be embedded, monitored, and demonstrably effective.
What happened?
The company failed to implement and maintain cyber security controls relative to its size and the sensitivity of the client data it held. Those failures worsened the impact of a cyber-attack whereby approximately 385GB of confidential data was exfiltrated and some of it later published on the dark web. Clients were notified that their personal information may have been compromised, including identity documents, bank account details and tax file numbers.
ASIC alleged, and the company later admitted, that basic cyber hygiene measures were either absent or poorly implemented over an extended period.
Deficiencies in access controls, monitoring, training and incident response preparedness all contributed to the failure. The Court ordered the company to pay $2.5 million in penalties, contribute $500,000 to ASIC’s costs, and undertake a compliance program overseen by an independent expert to uplift its cyber security and cyber resilience posture.
ASIC Deputy Chair Sarah Court stated the consequences of the failures “far exceeded what it would have cost them to implement adequate controls in the first place.”
What went wrong?
Although every breach is context‑specific, ASIC’s findings highlight a pattern of issues:
- Inadequate access controls, including the absence of multi‑factor authentication for remote access users and weak management of privileged accounts
- Poor monitoring and detection, with insufficiently qualified personnel and tooling to identify and respond to threat alerts in a timely manner
- Patch and vulnerability management gaps, including the lack of a structured approach to system updates and regular penetration testing
- Underinvestment in people and training, with no mandatory cyber security awareness training for staff despite the firm’s data risk profile
- An untested or inadequate incident response plan, limiting the firm’s ability to contain the breach once the attacker was present in the environment.
The company has acknowledged that had it followed its own documented policies and procedures, earlier detection and prevention may have been enabled. This point will resonate strongly with boards and auditors alike.
A recent Australian case study in preventable cyber failure
In April 2025, a massive wave of credential stuffing attacks hit multiple large Australian super funds, compromising thousands of members' accounts. This is a recent example of a cyber incident that leveraged similar control weaknesses.
One of the affected super funds confirmed that 600 accounts had login credentials stolen, and four members lost approximately $500,000 in total. The attackers didn't need sophisticated tools; they exploited the lack of multi-factor authentication (MFA) and simple password reuse, using credentials stolen in previous breaches. The super fund used MFA to verify some transactions but not for login, and the Australian Prudential Regulation Authority (APRA) had previously warned that gaps in MFA coverage could constitute a "material security control weakness" under their information security law, CPS 234. This example clearly demonstrates how attackers exploit the gap between the sensitivity of assets under management and the maturity of access controls protecting them.
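The credential stuffing pattern described above is detectable from ordinary authentication logs. The following is an added example (not code from the article, the funds involved or BDO) that runs a sliding-window detector over constructed login events: a single source trying many distinct usernames with mostly failures, and, within that burst, any login that succeeded without MFA. The log format, field names and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not from any incident described above).
# Fields: timestamp, source IP, username, result, whether MFA was completed.
SAMPLE_LOG = """\
2025-04-01T02:00:01Z 203.0.113.7 alice FAIL mfa=no
2025-04-01T02:00:02Z 203.0.113.7 bob FAIL mfa=no
2025-04-01T02:00:03Z 203.0.113.7 carol FAIL mfa=no
2025-04-01T02:00:04Z 203.0.113.7 dave OK mfa=no
2025-04-01T02:00:05Z 203.0.113.7 erin FAIL mfa=no
2025-04-01T02:00:06Z 203.0.113.7 frank FAIL mfa=no
2025-04-01T09:15:00Z 198.51.100.20 alice FAIL mfa=no
2025-04-01T09:15:30Z 198.51.100.20 alice OK mfa=yes
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, ip, user, result, mfa = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
                       "user": user, "ok": result == "OK", "mfa": mfa == "mfa=yes"})
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that try many distinct usernames within one window with a
    high failure ratio: each leaked credential pair is tried once, most no longer work."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):          # sliding window over this IP's events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            burst = evs[start:end + 1]
            users = {e["user"] for e in burst}
            fails = sum(1 for e in burst if not e["ok"])
            if len(users) >= min_users and fails / len(burst) >= min_fail_ratio:
                # A login that succeeded without MFA inside the burst means a reused
                # password worked; that account needs immediate containment.
                hits = sorted(e["user"] for e in burst if e["ok"] and not e["mfa"])
                alerts[ip] = {"distinct_users": len(users), "failures": fails,
                              "no_mfa_successes": hits}
    return alerts
```

The legitimate user on 198.51.100.20 (one typo, then an MFA-verified success) produces no alert, while the burst from 203.0.113.7 is flagged with the account whose reused password worked.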
Avoiding similar failures - what does “reasonable” now look like?
This action by ASIC provides a clearer benchmark for what regulators may consider “reasonable” cyber security management, particularly for AFS licensees handling sensitive personal and financial data. While there is no one‑size‑fits‑all control set, organisations should be able to demonstrate the following principles:
- Risk‑aligned investment: Cyber security controls should scale with data sensitivity, threat exposure and business complexity, and be revisited regularly as the threat landscape evolves.
- Baseline cyber hygiene that works: Measures such as MFA, strong credential management, timely patching, and continuous monitoring are mandatory. They must be implemented effectively, not just documented.
- Clear accountability and oversight: Boards and executives should receive meaningful, decision‑grade reporting on cyber risk, not just technical metrics. Ownership for cyber resilience must be clear and explicit.
- Preparedness over paperwork: Incident response plans must be practical, rehearsed and regularly tested. Regulators are increasingly sceptical of “shelfware” plans that fail under pressure.
- People as a control layer: Ongoing cyber awareness training is critical, particularly in environments where phishing, credential theft and social engineering remain common attack vectors.
Putting principles into practice
Baseline controls
Organisations should start with the Australian Cyber Security Centre Essential Eight (E8) framework. E8 directly operationalises Principle 1 (risk-aligned investment) and Principle 2 (baseline cyber hygiene that works) by focusing on the controls most effective against common attack vectors, including patching, MFA, application control, and restricting admin privileges.
For organisations handling sensitive financial data, E8’s Maturity Level 2 should be considered the minimum baseline. Anything less risks a misalignment between the value and sensitivity of the assets being protected and the maturity of the controls in place.
Governance, preparedness and the human factor
APRA’s CPS 234 reinforces Principles 3 and 4 - clear accountability and operational preparedness. It requires defined ownership of information security, active board oversight, and incident response capabilities that are genuinely tested rather than assumed. The superannuation sector credential stuffing attacks were a practical case study in what happens when these obligations exist on paper but not in practice.
Where CPS 234 and the E8 are less prescriptive is in broader governance, supply chain risk, and the human element of cyber resilience. Frameworks like NIST CSF 2.0 or ISO 27001 can help close those gaps by strengthening board-level risk communication, third-party oversight, and security awareness programs. However, the real differentiator is how effectively organisations apply these frameworks. People remain the most consistently exploited attack surface. Annual, compliance-driven training isn't keeping pace. What matters is continuous, scenario-based programs built around the threats staff actually face, including credential harvesting, business email compromise, and deepfake impersonation.
Regulatory expectation
ASIC has been clear that this case is intended to set a precedent. In an environment where cyber-attacks are “escalating in both scale and sophistication”, the regulator expects financial services licensees to be proactive, well‑resourced and vigilant.
How BDO can help
BDO’s cyber security team helps financial services organisations test whether their controls, governance and response capabilities meet today’s standard before regulators or attackers do. If you’d like support with your cyber resilience,