The Wealth Management Firm’s Guide to APRA, AFS Licensing, and IT Security
Practical guidance for advisers and practice managers who want to sleep at night
Published by All IT Services | March 2026
Your clients trust you with their life savings. Does your IT deserve the same trust?
Wealth management sits in a unique position when it comes to technology risk. You’re handling some of the most sensitive data imaginable — client portfolios, superannuation details, tax file numbers, bank account information, personal identification documents — in an environment that’s more regulated than almost any other sector in Australia.
The regulatory landscape you’re operating in
APRA Prudential Standard CPS 234
CPS 234 (Information Security) requires regulated entities to maintain an information security capability commensurate with threats, implement controls to protect information assets, and notify APRA of material incidents. For firms using external IT providers, CPS 234 explicitly extends those obligations to information assets that are managed by third parties.
ASIC and AFS licensing conditions
ASIC’s Report 429 (Cyber Resilience: Health Check) emphasises that AFS licensees must have adequate risk management systems including cybersecurity controls. Expectations align with the ACSC Essential Eight framework and include risk identification, governance, protection of client data, incident detection and response, and regular testing.
Privacy Act 1988 and the NDB scheme
Every wealth management firm collects personal information triggering obligations under the Australian Privacy Principles (APPs). The Notifiable Data Breaches scheme requires notification to the OAIC and affected individuals. Given the sensitivity of financial data, almost any breach would meet the serious harm threshold.
AML/CTF obligations
While primarily about transaction monitoring and customer identification, AUSTRAC obligations also require secure systems for storing identification documents and transaction records.
The gaps we see most often
No MFA on critical platforms
We still encounter firms where advisers access client portfolio platforms, email, and cloud storage without multi-factor authentication. MFA should be enforced on every platform that touches client data.
Inadequate access controls
We routinely find former staff with active accounts, junior staff with senior-level access, and no formal access review process. The principle of least privilege is a cornerstone of both CPS 234 and the Essential Eight.
No documented incident response plan
If client data is compromised at 4pm on a Friday, who does what? Who calls APRA? Who notifies the OAIC? Most firms don’t have documented answers.
Shared credentials and generic accounts
“Everyone uses the same login for the portfolio system” eliminates accountability and dramatically increases breach blast radius.
Weak email security
Business Email Compromise is the number one cyber threat to Australian businesses (ACSC). In wealth management, a compromised email can redirect client funds, access sensitive documents, or impersonate an adviser. Email environments need advanced threat protection, DMARC/DKIM/SPF, and ideally a dedicated email security gateway.
What good looks like
Identity and access management: Unique accounts with MFA enforced, conditional access policies, separate admin accounts, formal joiner/mover/leaver processes.
Endpoint security: EDR on every device, encryption with BitLocker or FileVault, mobile device management (MDM).
Email security: Advanced threat protection, safe links and attachments, anti-impersonation policies, DMARC/DKIM/SPF, external email banners.
Data protection: Data classification, encryption, access controls, data loss prevention (DLP) policies blocking external sharing of TFNs and financial data.
Backup and DR: Daily backups, offline/immutable copies, regular testing, defined RTOs and RPOs.
Network security: Segmented network, next-gen firewall, VPN or ZTNA with MFA.
Monitoring and logging: Security event monitoring with alerting for suspicious activity.
Governance: Documented policies, incident response plan tested through tabletop exercises, risk register.
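The DLP item above calls for blocking external sharing of TFNs. As an added example that is not from the original guide, the Python below shows how a DLP rule can tell a real TFN from any other nine-digit number by applying the ATO's published check-digit algorithm, so that account references and phone numbers do not cause false blocks. The email body and the TFN value are constructed test data.

```python
import re

# ATO check-digit weights for a nine-digit TFN (publicly documented algorithm).
_TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# A candidate is three groups of three digits, optionally separated by a space or hyphen.
_TFN_CANDIDATE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")

# Constructed outbound email body: one checksum-valid TFN, one nine-digit number that
# fails the checksum, and a ten-digit mobile number that must not be flagged.
SAMPLE_EMAIL = (
    "Hi Tom, the client's TFN is 123 456 782 and the account reference is "
    "123 456 789. Mobile: 0412 345 678."
)


def is_valid_tfn(digits: str) -> bool:
    """True when a nine-digit string passes the weighted checksum (sum mod 11 == 0)."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, _TFN_WEIGHTS)) % 11 == 0


def find_tfns(text: str) -> list:
    """Return every checksum-valid TFN in text, separators removed."""
    return [
        "".join(m.groups())
        for m in _TFN_CANDIDATE.finditer(text)
        if is_valid_tfn("".join(m.groups()))
    ]


def redact_tfns(text: str) -> str:
    """Replace checksum-valid TFNs with a marker; leave other nine-digit numbers alone."""
    def _mask(m):
        return "[TFN REDACTED]" if is_valid_tfn("".join(m.groups())) else m.group(0)
    return _TFN_CANDIDATE.sub(_mask, text)


def should_block(text: str) -> bool:
    """DLP decision: block external sending when any valid TFN is present."""
    return bool(find_tfns(text))
```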
The Essential Eight connection
For wealth management firms, we recommend targeting Maturity Level 2 across most controls, with Maturity Level 3 for MFA and backup controls given data sensitivity. The Essential Eight is increasingly referenced by APRA, ASIC, and cyber insurers as the benchmark for Australian organisations.
Working with your IT provider
Under CPS 234, your IT provider is a critical third party whose security posture directly affects your compliance. Expect: regular security reviews, proactive monitoring, compliance-supporting documentation, understanding of your regulatory requirements, and willingness to engage with compliance teams.
If your current provider can’t articulate how their services support your CPS 234 and ASIC obligations, it’s worth having a conversation about fit.
The bottom line
Wealth management firms face a unique combination of high-value data, complex regulation, and sophisticated threats. Treat IT security as a core business function — integrated with compliance, governed at the leadership level, and supported by a technology partner who understands the sector.
Talk to us
All IT Services works with wealth management and financial services firms across Sydney.
Reach out to Tom Buckley to arrange a confidential discussion about your firm’s IT security and compliance posture. Call (02) 8073 4848 or send Tom an email.
Sources and references:
– APRA — CPS 234 Information Security (apra.gov.au)
– ASIC — Report 429: Cyber Resilience (asic.gov.au)
– Australian Cyber Security Centre — Essential Eight (cyber.gov.au)
– OAIC — Australian Privacy Principles (oaic.gov.au)
– OAIC — Notifiable Data Breaches Scheme (oaic.gov.au)
– AUSTRAC — AML/CTF compliance (austrac.gov.au)
– Privacy Act 1988 (legislation.gov.au)
