ASIC’s Cyber Letter to Financial Services — What Wealth Firms Need to Do This Quarter

ASIC has written to every Australian financial services licensee and market participant, and the tone has moved decisively past “consider your cyber posture”. Commissioner Simone Constant’s open letter (media release 26-092MR) makes the regulator’s position explicit: cyber resilience is a core licensing obligation, not an IT-department problem, and frontier AI is shrinking the window to act. Boards and executives are expected to table the letter and demonstrate they are addressing it.

The timing is not subtle. ASIC’s letter follows its court win against FIIG Securities — $2.5 million in penalties for cyber security failures — and arrives while the youX breach is still rolling through the broking industry. The MFAA has told members that MFA and cyber insurance are now baseline professional requirements. Wealth managers, advisers and asset finance specialists hold exactly the kind of data — IDs, financials, account access — that gets monetised within hours of leaking, and Privacy Act reforms will soon give individuals a statutory right to sue for serious breaches.

What to do this quarter, drawn from ASIC’s list: reassess and actually test your incident response plan; tighten patch cadence to match AI-accelerated vulnerability discovery; audit third-party exposure (the youX breach reached 444,000 people through brokers using a normal platform); reduce dormant user privileges and watch for insider warning signs; and document board-level oversight of cyber risk. ASIC wants evidence that this is governed at the top, not delegated.

If you would like an independent view on where your firm sits against the new bar, the All IT Services financial services team can help.