AFS Licensees: Are you meeting your cybersecurity obligations?

Australian Financial Services (AFS) licensees are attractive targets for an array of threat actors, from insider threats to cyber criminals, because they hold the promise of incredibly sensitive data and great monetary gain.

As such, AFS licensees should operate under the assumption that cyber attacks are inevitable events that could impact the business at any time. If you are a small organisation, you might question whether they are really inevitable. Too often, the belief is that large organisations become targets of cyber attacks due to their size. The more information a company holds, the better target it is, right?

In reality, small organisations are just as much a target, and they often do not have the resourcing to implement the cyber security strategy affordable by a larger organisation. Whether you are a FinTech startup or an established bank, any weakness in security measures is an entry point for cyber criminals.

For this reason, we pose the question: As an AFS licensee, are you meeting your obligations?

What are the top sources of data breaches in financial services?

Understanding the causes of data breaches is the first place you should start when developing your cyber security strategy. The latest Notifiable Data Breaches report found that for financial services organisations, malicious or criminal activity caused 46% of breaches, and 20% were caused by human error.

Malicious or criminal attacks include social engineering, ransomware and stolen credentials. AFS licensees that do not revisit their security measures and audit their systems could leave vulnerabilities that make these attacks easier.

Human error is another factor that can cause a data breach. Even if your company invests in excellent cyber security defences, one person can leak data simply by sending information to the wrong people.

For example, in March this year, the financial services organisation, Latitude, which operates across Australia and New Zealand experienced a data breach that exposed the driver’s license numbers of 7.9 million current and past customers (among other details). The attack resulted from threat actors acquiring login credentials, which they then used to steal personal information from Latitude and their service providers.

What regulations do you need to meet?

As an AFS licensee, you must use the resources available to adhere to regulations as much as possible. Some of the key cyber security models and regulations to comply with include:

The Essential Eight Maturity Model, recommended by the Australian Cyber Security Centre (ACSC), this model outlines eight strategies your organisation can implement to mitigate the risk of a breach. The ACSC recommends this model as the bare minimum standard for organisations.

The Notifiable Data Breaches (NDB) scheme mandates that organisations report any instances of data breaches where an individual could experience harm as a result. For example, an organisation that has financial details leaked should inform those impacted so they can implement the necessary safeguards to protect themselves.

Regulations created by APRA may also apply to AFS licensees. For example, APRA CPS 234 ensures that APRA-regulated entities take appropriate measures to be resilient against data breaches, including cyber attacks.

While your organisation may not need to meet all of these models and regulations, it is essential to look into those relevant to your organisation and use your resources to meet them. Simply demonstrating a commitment to compliance isn’t enough. AFS licensees must provide tangible evidence of ongoing efforts to meet regulatory standards. If you experience a breach, the legal system will consider that evidence if you are investigated.

What are the consequences of failing to meet your obligations?

Your actions today are evidence for a future judge. If you do not attempt to comply with the models and regulations necessary for your business, you could incur penalties such as fines and regulatory sanctions. Your business may also see reputational damage if you have not done your best to secure your business.

The cost of recovering from a data breach can greatly impact your organisation. You will need to cover the costs of identifying and repairing the breach and the longer-term costs related to customer compensation, enhanced security measures, and potential legal fees.

Failing to meet your obligations can also destroy trust in your organisation. Current customers might move to companies that have proven their efforts in securing data. Any vendors or partners you work with may also decide to take their business elsewhere to prevent risks to their company.

Meeting your obligations and doing everything within your power to prevent cyber attacks will heighten your cyber security posture and prevent the impacts of these consequences.

Remember, your actions today are the evidence for a judge tomorrow.


Meeting cyber security obligations is a regulatory necessity for AFS licensees and critical to maintaining customer trust and confidence. As such, you need to use the resources you have to protect customer data and maintain the integrity of your organisation.

The consequences of failing to maintain compliance include financial penalties and reputational damage. As an AFS licensee, you must understand the risks to your organisation, revisit your security measures and do what you can to enhance your cyber security posture.

Mercury can guide you on meeting your cyber security obligations

As a CREST-certified organisation, we can provide guidance to help you meet your cyber security obligations. Our team will work closely with you to understand the challenges and vulnerabilities unique to your business and develop a customised strategy to enhance your cyber security posture. Please visit our services page for more on what we do.

We’re here to help

Let Mercury safeguard your business while you focus on growing it.

Reach out to us for a tailored cyber security consultation that aligns with your unique business needs.