TL;DR
- Finance is Australia's second-most breached sector: The finance sector accounts for 14% of all Notifiable Data Breach (NDB) reports (OAIC, January–June 2025) — behind only healthcare.
- APRA CPS 234 is mandatory for regulated entities: Banks, insurers, superannuation funds, and their service providers must comply with APRA's CPS 234 information security standard, with active enforcement and penalty exposure.
- 527 data breaches were reported in the first half of 2024 alone — a 3.5-year high — with financial services consistently in the top three sectors (OAIC/Amidata, 2024).
- Double compliance burden: Financial services firms must navigate both APRA CPS 234 and the Cyber Security Act 2024 — two overlapping frameworks with different enforcement bodies, different reporting obligations, and different timelines.
Why Financial Services Businesses Are Cybersecurity Targets
Financial services organisations hold the ultimate prize for cybercriminals: direct access to money. Whether it is a mortgage broking firm, a superannuation administrator, a financial planning practice, or a payments fintech, the data held — account numbers, tax file numbers, income details, investment portfolios, and identity documents — provides immediate monetisation pathways through fraud, identity theft, and account takeover. OAIC data for January–June 2025 confirms that the finance sector reported 14% of all NDB scheme notifications, trailing only healthcare. With 527 data breaches reported across all sectors in the first half of 2024 alone (a 3.5-year high), the financial services sector cont
The Top 3 Cybersecurity Threats for Financial Services
1. Business Email Compromise (BEC) and Payment Fraud
Business Email Compromise is the defining threat for Australian financial services SMBs. Attackers compromise or impersonate email accounts — of the firm, its clients, or counterparties — to redirect payments, change payee bank account details, or initiate unauthorised transfers. For mortgage brokers and property settlement firms, BEC attacks at settlement can redirect hundreds of thousands of dollars. For financial planners, BEC targets superannuation rollovers and cash withdrawals. Australian businesses lose hundreds of millions of dollars annually to BEC, with financial services firms among the highest-value targets. The ASD confirmed in its 2024–2025 Annual Cyber Threat Report that cybercriminals increasingly combine credential theft with BEC techniques — first compromising an email account through phishing, then monitoring it for weeks to learn communication patterns before executing a high-value fraud.
2. Ransomware Targeting Client and Compliance Data
Ransomware attacks on financial services firms are particularly damaging because of the dual threat: operational disruption (inability to access client records, execute trades, or process payments) and regulatory exposure (breach of APRA CPS 234 notification obligations, NDB scheme requirements). Financial services firms hold highly structured, valuable data — client portfolios, transaction histories, KYC documentation — that is rapidly monetised on dark web marketplaces if published. For APRA-regulated entities, a ransomware event triggers mandatory notification to APRA within 72 hours of becoming aware of a "material information security incident." Failure to notify is itself a CPS 234 breach, adding a regulatory violation to the operational crisis.
3. Credential Theft and Account Takeover
Phishing attacks targeting financial services staff — particularly those with access to client accounts, payment systems, or compliance portals — are a constant threat. IBM's 2024 Cost of a Data Breach Report identified stolen credentials and phishing as Australia's top two attack vectors. In financial services, a single compromised staff credential with access to a client management system can expose hundreds or thousands of client accounts. For fintechs and wealth management platforms, credential stuffing attacks against customer-facing applications (using breached credential databases) can trigger cascading account takeovers. ASIC's 2024 guidance on financial services cybersecurity emphasised that multi-factor authentication is now a baseline expectation — and its absence is a factor in assessing whether an entity took "reasonable steps" under the Privacy Act.
Compliance Requirements for Financial Services
Australian financial services businesses face a layered compliance framework. The applicable layer depends on whether you are APRA-regulated, AFSL-licensed, or an unregulated financial services provider:
APRA CPS 234 — Information Security (APRA-Regulated Entities)
CPS 234 applies to all APRA-regulated entities: authorised deposit-taking institutions (ADIs), general and life insurers, and superannuation funds. It requires: (1) maintaining an information security capability commensurate with threats; (2) classifying and assessing information assets by criticality; (3) implementing controls proportionate to risk; (4) notifying APRA within 72 hours of a material information security incident or when controls have been materially compromised. Third-party service providers to APRA entities are also required to meet CPS 234 standards — if your SaaS product or managed service handles APRA-entity data, you are indirectly subject to CPS 234 assessments.
Privacy Act 1988 (Cth) and Australian Privacy Principles
All financial services businesses that handle personal information — including mortgage brokers, financial planners, credit providers, and fintechs — must comply with the APPs. Financial information is treated as sensitive information in many contexts. The Privacy and Other Legislation Amendment Act 2024 (effective 11 December 2024) increased civil penalties for serious breaches to AUD $50 million and gave the OAIC new enforcement powers.
Notifiable Data Breaches (NDB) Scheme
Eligible data breaches (unauthorised access to financial information likely to cause serious harm) must be notified to the OAIC and affected individuals. Serious harm from financial data breaches is broadly construed — exposure of bank account numbers, TFNs, or credit card details almost always meets the threshold.
Cyber Security Act 2024 (Cth)
Mandatory ransomware payment reporting (effective 30 May 2025) for entities with annual turnover above AUD $3 million. Financial services firms at the critical infrastructure level have additional obligations under the Security of Critical Infrastructure Act 2018.
AFSL Conditions and RG 259 (ASIC)
ASIC's Regulatory Guide 259 (RG 259) on cyber resilience establishes ASIC's expectations for AFSL holders. While not prescriptive, ASIC uses RG 259 in assessments of whether licensees have adequate risk management systems — a condition of holding an AFSL. ASIC has brought enforcement action against licensees for inadequate cyber risk management.
The lilMONSTER Security Checklist for Financial Services
MFA on all client-facing and staff systems — Mandatory for all staff email, client management systems, payment portals, and compliance platforms. For financial planners and brokers, also enforce MFA on financial planning software (Xplan, Midwinter), CRM systems, and practice management platforms. SMS MFA is acceptable as a minimum; authenticator app is preferred.
Payment verification callback protocol — non-negotiable — Require telephone verification (on a separately verified number) for any change to client payment details or any payment above a defined threshold. This single control prevents the majority of BEC payment fraud. Brief all staff that this protocol cannot be overridden by email urgency, client pressure, or management direction.
APRA CPS 234 gap assessment (if APRA-regulated) — Commission an independent CPS 234 gap assessment to identify where your information security capability falls short of regulatory expectations. APRA has intensified enforcement and approximately 24% of assessed entities had material gaps. The cost of a gap assessment (AUD $5,000–20,000) is trivial compared to APRA enforcement action.
Privileged access management (PAM) for financial systems — Strictly limit who has administrator access to payment systems, client databases, and compliance systems. Use a PAM solution to require approval workflows for privileged actions, maintain audit logs, and enforce time-limited access. Monitor for unusual access patterns — particularly after-hours access to payment systems.
Cyber liability insurance with coverage for BEC and financial fraud — Standard cyber insurance policies may exclude BEC-related financial losses. Ensure your policy explicitly covers business email compromise-initiated fraud and social engineering losses. Review coverage limits against your maximum single-transaction exposure. AUD $1–5M coverage is a starting point for most financial SMBs.
Encrypted, tested backups — including compliance records — Financial services businesses have record-keeping obligations (AFSL licence conditions, CPS 234, tax records). Back up compliance records, client data, and transaction histories daily. Maintain offline or immutable backups. Test restoration quarterly. Include backup integrity in your annual audit process.
Incident response plan with APRA/ASIC/OAIC notification procedures — For regulated entities, an incident response plan must include APRA 72-hour notification procedures. For AFSL holders, ASIC notification protocols. For all: OAIC NDB scheme notification procedures. Have draft notification templates ready — the first 72 hours of a breach are chaotic, and pre-approved templates save critical time.
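As an added example (not code from the original post or from lilMONSTER), the two detections the checklist asks for, after-hours privileged access to payment systems and payee detail changes made without a recorded verification callback, run over a constructed audit log. The business hours, system names, roles and the callback_verified field are assumptions about how a firm's payment platform logs events.

```python
import json
from datetime import datetime, time, timedelta, timezone

# Assumed business hours: Mon-Fri 08:00-18:00 in AEDT (fixed UTC+11 here);
# the payment-system names and privileged roles are also assumptions.
TZ = timezone(timedelta(hours=11))
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
PAYMENT_SYSTEMS = {"payments-portal", "payee-register"}
PRIVILEGED_ROLES = {"admin", "payments-approver"}

# Constructed sample audit log, one JSON object per line (not real data).
SAMPLE_LOG = """\
{"ts": "2025-03-03T10:15:00+11:00", "user": "j.lee", "role": "admin", "system": "payments-portal", "action": "login"}
{"ts": "2025-03-03T23:42:10+11:00", "user": "j.lee", "role": "admin", "system": "payments-portal", "action": "login"}
{"ts": "2025-03-04T11:05:00+11:00", "user": "a.kumar", "role": "payments-approver", "system": "payee-register", "action": "payee_detail_change", "callback_verified": true}
{"ts": "2025-03-04T11:07:00+11:00", "user": "a.kumar", "role": "payments-approver", "system": "payee-register", "action": "payee_detail_change", "callback_verified": false}
{"ts": "2025-03-08T14:00:00+11:00", "user": "t.ng", "role": "admin", "system": "payee-register", "action": "export"}
{"ts": "2025-03-05T09:00:00+11:00", "user": "s.ali", "role": "analyst", "system": "crm", "action": "login"}
"""

def is_after_hours(ts: datetime) -> bool:
    """True when the event falls on a weekend or outside assumed business hours."""
    local = ts.astimezone(TZ)
    return local.weekday() >= 5 or not (BUSINESS_START <= local.time() < BUSINESS_END)

def review_audit_log(log_text: str) -> list[dict]:
    """Return findings: after-hours privileged access to a payment system,
    and payee detail changes made without a recorded callback verification."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        if ev["system"] not in PAYMENT_SYSTEMS:
            continue  # only payment systems are in scope for these two rules
        if ev["role"] in PRIVILEGED_ROLES and is_after_hours(ts):
            findings.append({"rule": "after_hours_privileged_access",
                             "user": ev["user"], "ts": ev["ts"]})
        if ev["action"] == "payee_detail_change" and not ev.get("callback_verified", False):
            findings.append({"rule": "payee_change_without_callback",
                             "user": ev["user"], "ts": ev["ts"]})
    return findings

if __name__ == "__main__":
    for finding in review_audit_log(SAMPLE_LOG):
        print(finding)
```

Either finding should page the person who owns the payment verification protocol, not only land in a log.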
How Much Does Cybersecurity Cost for a Financial Services Business?
| Spend | What it covers |
|---|---|
| AUD $5,000–10,000/year | Essentials: MFA, EDR, BEC payment controls, encrypted backup, staff training |
| AUD $10,000–35,000/year | Managed Security: 24/7 monitoring, patch management, phishing simulation, dark web credential monitoring |
| AUD $35,000–120,000/year | Compliance programme: CPS 234 gap remediation, ISO 27001 or SOC 2, annual penetration test, SOC monitoring |
Cost of a breach:
- Average Australian data breach: AUD $4.26 million (IBM, 2024)
- APRA CPS 234 enforcement: licence conditions, increased supervisory scrutiny, potential licence suspension
- ASIC enforcement for AFSL holders: civil penalties up to AUD $1.1 million per breach of licence conditions
- OAIC civil penalties: up to AUD $50 million for serious or repeated Privacy Act breaches
- BEC financial fraud loss: often unrecoverable, with limited insurance coverage if security controls were absent
ROI: AUD $20,000/year in proactive cybersecurity prevents expected losses of $122,000–$4.26M plus regulatory enforcement costs.
FAQ
A foundational cybersecurity programme for an Australian financial services SMB (mortgage broker, financial planner, credit union, fintech) costs AUD $5,000–10,000/year for MFA, endpoint protection, BEC payment controls, encrypted backups, and staff training. Managed security services add AUD $10,000–35,000/year. APRA CPS 234-regulated entities should budget AUD $35,000–120,000/year including gap assessments, remediation, compliance programme management, and annual penetration testing. An annual penetration test costs AUD $5,000–15,000 for a typical financial SMB environment.
The biggest risk for Australian financial services SMBs is Business Email Compromise (BEC) — attackers impersonating the firm or its clients to redirect payments. For APRA-regulated entities, ransomware combined with CPS 234 notification failure creates a "double jeopardy" of operational crisis and regulatory breach. The finance sector is Australia's second-most breached sector (OAIC, 2025), with 527 total data breaches reported across all sectors in the first half of 2024 alone — a 3.5-year high.
ISO 27001 is not legally mandated for most Australian financial services SMBs, but it is increasingly required by enterprise clients, government agencies, and as evidence of "reasonable steps" under the Privacy Act. For APRA-regulated entities, ISO 27001 provides a structured framework that maps well to CPS 234 requirements. For fintechs pursuing enterprise or government contracts, ISO 27001 is effectively a sales prerequisite. lilMONSTER can help you assess whether ISO 27001 or a CPS 234-specific programme best fits your regulatory context.
Annual penetration testing is the minimum for financial services businesses — required by most cyber insurers and consistent with APRA's expectation that CPS 234-regulated entities regularly test their security controls. Penetration tests should be conducted after major system changes, new platform launches, or merger and acquisition activity. For entities handling high-value transactions (settlement agents, superannuation administrators), bi-annual testing is advisable.
A breach triggers: (1) APRA notification within 72 hours if you are an APRA-regulated entity or if a material security incident has occurred. (2) OAIC NDB notification if it is an eligible data breach (likely yes for financial data). (3) ASIC notification if you hold an AFSL and the breach affects your ability to comply with licence conditions or is material to your risk management. (4) Cyber insurer notification immediately. (5) ASD ransomware payment report within 72 hours (for entities with >$3M turnover, from 30 May 2025). Multiple simultaneous regulatory responses — APRA, ASIC, OAIC — are the norm for significant financial sector breaches.
References
[1] Office of the Australian Information Commissioner (OAIC), "Notifiable Data Breaches Statistics: January to June 2025," Australian Government, Nov. 2025. [Online]. Available: https://www.oaic.gov.au/news/blog/latest-notifiable-data-breach-statistics-for-january-to-june-2025
[2] Amidata, "From Essential Eight to APRA CPS 234: Navigating Cyber Security Compliance in Australia," Amidata, Jul. 2025. [Online]. Available: https://amidata.tech/cyber-security-compliance-australia-essential-eight-apra-cps-234/
[3] APRA, "Cyber security stocktake exposes gaps," Australian Prudential Regulation Authority. [Online]. Available: https://www.apra.gov.au/news-and-publications/cyber-security-stocktake-exposes-gaps
[4] IBM Security, "Cost of a Data Breach Report 2024," IBM Corporation, Jul. 2024. [Online]. Available: https://www.ibm.com/reports/data-breach
[5] SecurityBrief Australia, "Average cost of an Australian data breach hits AUD $4.26 million," SecurityBrief, Aug. 2024. [Online]. Available: https://securitybrief.com.au/story/average-cost-of-an-australian-data-breach-hits-aud-4-26-million
[6] Superior IT Perth, "CPS 234 vs Cyber Security Act 2024: What Australian Finance Firms Need to Know," Superior IT, 2025. [Online]. Available: https://www.superiorit.com.au/blog-posts/cps-234-vs-cyber-security-act-2024-what-australian-finance-firms-need-to-know
[7] Atlant Security, "Steps to Implement CPS 234 Cybersecurity Requirements for Australian Financial Firms," Atlant Security, Oct. 2025. [Online]. Available: https://atlantsecurity.com/learn/steps-to-implement-cps-234-cybersecurity-requirements-for-australian-financial-firms/
[8] Australian Signals Directorate (ASD), "Annual Cyber Threat Report 2024–2025," Australian Government, 2025. [Online]. Available: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2024-2025
[9] MinterEllison, "Privacy and Other Legislation Amendment Act 2024 now in effect," MinterEllison Insights, Dec. 2024. [Online]. Available: https://www.minterellison.com/articles/privacy-and-other-legislation-amendment-act-2024-now-in-effect
[10] Pinsent Masons, "Cybersecurity law package 2024 passed by the Australian parliament," Out-Law, May 2025. [Online]. Available: https://www.pinsentmasons.com/out-law/news/cybersecurity-law-package-2024-passed-australian-parliament
Need help securing your Financial Services business? Book a free consultation with lilMONSTER — Australia's no-BS cybersecurity team for SMBs.