Regulators are making it clear that cyber security is no longer just an IT function for financial services firms. With AI-enabled threats accelerating and ASIC increasing pressure on licensees to prove their controls are working, AFSLs are being pushed to treat cyber resilience as a core governance and operational responsibility.


Following ASIC’s recent open letter to Australian Financial Services Licence (AFSL) holders, cyber security has moved well beyond a technology issue. For financial services firms, cyber resilience is now firmly a boardroom responsibility.


The regulator’s message was direct: firms must be able to demonstrate that their cyber controls, governance processes and risk management frameworks are not only documented, but actively working.


At the same time, the rise of AI-enabled cyber threats is accelerating the speed and sophistication of attacks, placing additional pressure on AFSLs, advisers and practices already navigating an increasingly complex compliance environment.


Dr Aastha Gupta, Founder and CEO of ViCyber, said the regulator’s position signals a major shift in expectations for financial services firms.


“ASIC is not asking AFSLs to reinvent cyber security,” Dr Gupta said. “It is asking them to prove that the fundamentals are working, proportionate, governed and supported by evidence.”


The warning comes as financial services continues to rank among the sectors most targeted by cyber criminals, with government agencies and industry bodies increasing their alerts around phishing, ransomware, credential theft and supply chain attacks.


For many AFSLs, the challenge is no longer awareness. It is operational readiness.


From governance and patch management through to third-party risk, incident response and executive reporting, ASIC’s guidance makes clear that cyber resilience must now be embedded across the organisation, not isolated within technology teams.


Dr Gupta said many firms are still relying on outdated policies, fragmented systems and informal reporting processes that may struggle to satisfy growing regulatory scrutiny.


Importantly, ASIC’s expectations extend beyond technical controls. Boards and executives are expected to understand cyber risk exposure, oversee governance frameworks, identify critical business systems and ensure there are clear escalation and decision-making processes in place.


The regulator has also emphasised the importance of validating whether cyber controls are functioning effectively in practice, rather than simply existing on paper.


For smaller practices and adviser networks, this can create a difficult balancing act. Many businesses face increasing pressure to uplift cyber maturity while operating with limited internal resources and growing compliance obligations.


Dr Gupta argues that the answer is not necessarily more complexity, but greater visibility and automation.


“At ViCyber, we anticipated this moment,” she said. “Over the past few years, we have been deliberately building our capabilities to help AFSLs address exactly what ASIC is now asking for: practical cyber risk management, evidence-based control validation, executive visibility, board reporting, and structured uplift.”


The company has developed an integrated cyber assessment and monitoring platform designed specifically to help AFSLs assess their cyber maturity, identify weaknesses and demonstrate governance oversight aligned to ASIC expectations.


Its framework maps directly against the regulator’s 12 key focus areas, including governance, vulnerability management, user access controls, third-party risk management, incident response and AI-enabled cyber defence.

While the technology and threat landscape continues to evolve, the broader message from ASIC is unlikely to change: cyber resilience is now a core governance obligation.
 
For AFSLs, the key question is no longer whether cyber risk exists. It is whether boards, executives and practices can clearly evidence that they are actively managing it.
 
As cyber threats become faster, more automated and increasingly AI-driven, firms that can demonstrate strong governance, operational resilience and clear visibility over their cyber posture are likely to be better positioned, not only from a compliance perspective, but also in maintaining trust with clients, partners and regulators.