Financial planning firms sit on a pile of sensitive client data — tax file numbers, super balances, estate details, bank accounts — under an AFSL, the Privacy Act and ASIC’s watch. Good financial planning IT support keeps Xplan and your platforms running, locks down email against payment fraud, and gives you a defensible security position when a licensee audit or a breach lands.
The risk profile is specific. Advisers move money on client instruction, hold years of sensitive records they are legally required to retain, and increasingly run their whole practice through cloud financial-planning software and CRM. That combination — money, sensitive data and email — is exactly what attackers target. Getting the IT right is not a nice-to-have for a planning firm; it is part of meeting your obligations as a licensee.
What sits behind an AFSL
If you provide personal financial advice you operate under an Australian Financial Services Licence, either your own or as an authorised representative of a dealer group. ASIC’s licensing obligations under the Corporations Act require you to have adequate resources and risk-management systems, and ASIC has been explicit that this includes cyber resilience. The RI Advice case made the point clearly — a licensee was found to have breached its obligations by failing to have adequate cyber-security risk management across its authorised representatives. Cyber is not treated as separate from your licence conditions; it is part of them.
For most planning firms that means you need to be able to show, not just assert, that you have controls in place: access management, multi-factor authentication, patching, backups, an incident response plan and oversight of the third parties handling client data. The Australian Cyber Security Centre (ACSC) Essential Eight is the sensible framework to anchor that against, and it maps cleanly onto what ASIC expects a well-run licensee to do. We cover the practical rollout in our guide to Essential Eight compliance in 90 days.
The Privacy Act and sensitive financial data
Planning firms hold some of the most sensitive personal information there is. The Privacy Act 1988 and the Australian Privacy Principles apply to most advice businesses, and the data you hold — tax file numbers, financial position, health information gathered for insurance advice — attracts a high level of protection. TFNs carry their own handling rules on top of the APPs.
Under the Notifiable Data Breaches scheme, a breach involving client financial records that is likely to cause serious harm must be assessed and, where required, reported to the Office of the Australian Information Commissioner (OAIC) and to affected clients. A compromised adviser mailbox full of statements of advice and identity documents is precisely the scenario that scheme exists for. The practical defence is unglamorous: encrypt devices, control access, keep a record of who can see what, and back everything up. We walk through breach obligations in more detail in our overview of our cybersecurity services.
The software stack: Xplan, CRM and platform integrations
Most Melbourne planning practices run on a financial-planning platform plus a CRM plus a stack of integrations into investment platforms. The common tools are Xplan (Iress), AdviserLogic and Midwinter for advice generation, modelling and statements of advice, sitting alongside CRM and document management. Those connect outward to platforms such as HUB24, Netwealth, BT Panorama and the major fund administrators, and inward to your Microsoft 365 environment.
Because the core tools are SaaS, the vendor secures the application itself, but your obligations do not disappear. You still own the accounts, the devices, the network, the data feeds and the backup of anything held outside the platform. The recurring weak spots we find in advice firms:
- Shared or generic logins to Xplan or the CRM, instead of an individual account per adviser and support staff member.
- No multi-factor authentication on the practice-management platform or on Microsoft 365, so a single phished password gives an attacker the lot.
- Platform data feeds and document integrations configured once and never reviewed, with credentials that outlast the staff who set them up.
- Statements of advice, fact-finds and scanned ID documents sitting in a Downloads folder or a personal OneDrive rather than the managed system.
The IT job is making each of those integrations authenticated, monitored and owned, and making sure access is tied to individuals so it can be revoked the day someone leaves.
Email security and business email compromise
This is the single biggest financial risk a planning firm carries, and it deserves its own section. Business email compromise is where an attacker gets into — or convincingly impersonates — a mailbox and uses it to redirect money. For an advice firm the danger is payment and rollover instructions: a client emails asking to redeem an investment or change their nominated bank account, the adviser actions it, and the instruction was never really from the client. Or the attacker is inside the adviser’s mailbox, watching, and inserts fraudulent account details at the moment a genuine payment is due.
The controls that actually reduce this risk are layered:
- MFA on every mailbox, enforced through conditional access, so a stolen password alone is not enough. Our piece on conditional access policies in Microsoft 365 covers how to do this without making sign-in painful.
- Mailbox monitoring and alerting on the inbox rules attackers create to hide their tracks — auto-forwarding and “move to RSS feeds” rules are classic tells.
- A hard process rule: any change to client bank details or any payment instruction received by email is verified by a phone call to a known number, never to the number in the email.
- SPF, DKIM and DMARC configured so attackers cannot easily spoof your domain to your clients.
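The mailbox-rule alerting above is easiest to see as detection logic. This is an added example, not code from the original article: it runs over constructed audit records shaped like Exchange admin audit entries (an Operation plus a Parameters list of Name/Value pairs, which is an assumption about your export format) and flags the forwarding, folder-hiding and rule-naming tells attackers rely on.

```python
"""Flag suspicious Exchange Online inbox rules in audit log records.
Added example, not from the original article. Records are constructed to
resemble Exchange admin audit entries (Operation plus a Parameters list of
Name/Value pairs); that shape is an assumption, so adapt the field names."""

# Rule parameters attackers use to exfiltrate or hide mail.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDING_PARAMS = {"DeleteMessage", "MarkAsRead"}
# Folders staff rarely open, so mail moved there goes unnoticed.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "archive"}

SAMPLE_AUDIT = [  # constructed sample records
    {"CreationTime": "2024-05-02T03:14:07", "Operation": "New-InboxRule",
     "UserId": "adviser@example-planning.com.au",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;bank"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2024-05-02T03:15:20", "Operation": "Set-InboxRule",
     "UserId": "adviser@example-planning.com.au",
     "Parameters": [{"Name": "Identity", "Value": "."},
                    {"Name": "ForwardAsAttachmentTo", "Value": "outside@example.net"}]},
    {"CreationTime": "2024-05-02T09:01:00", "Operation": "New-InboxRule",
     "UserId": "support@example-planning.com.au",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

def rule_findings(record):
    """Return the reasons one inbox-rule audit record looks malicious."""
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    reasons = [f"{n}={params[n]}" for n in sorted(FORWARDING_PARAMS & set(params))]
    if params.get("MoveToFolder", "").strip().lower() in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder={params['MoveToFolder']}")
    reasons += [f"{n}=True" for n in sorted(HIDING_PARAMS & set(params))
                if params[n].lower() == "true"]
    # Attackers often name rules "." or "," so they are easy to miss.
    if len(params.get("Name", params.get("Identity", "rule")).strip()) <= 1:
        reasons.append("suspicious rule name")
    return reasons

def suspicious_rules(records):
    """Map (user, time, operation) to reasons for every flagged rule record."""
    hits = {}
    for r in records:
        if r.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        reasons = rule_findings(r)
        if reasons:  # only rule changes with at least one tell are reported
            hits[(r["UserId"], r["CreationTime"], r["Operation"])] = reasons
    return hits
```

Feed it the exported audit records for your tenant and alert on every key it returns; the clean newsletter rule in the sample is left alone, while the "." rule that parks payment-related mail in RSS Feeds and then forwards it is flagged twice.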
The technology stops most of it. The verbal-verification process catches what gets through. We go deeper on this in our article on business email security, phishing and BEC.
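For the SPF and DMARC part of that list, here is an added check (not from the original article) that evaluates a domain's records and reports the weak settings an audit usually turns up: a softfail SPF and a monitor-only DMARC. The records are constructed strings so it runs offline; DKIM is not checked because selectors are tenant-specific.

```python
"""Check SPF and DMARC TXT records for weak anti-spoofing settings.
Added example, not from the original article. DNS answers are constructed
strings; replace them with a lookup of the domain and of _dmarc.<domain>."""

# Constructed records: the weak pair an audit often finds, and the fix.
WEAK = {"spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example-planning.com.au"}
FIXED = {"spf": "v=spf1 include:spf.protection.outlook.com -all",
         "dmarc": "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; "
                  "rua=mailto:dmarc@example-planning.com.au"}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict with lower-case tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_findings(txt):
    """Findings for the SPF record; an empty list means nothing to fix."""
    if not txt.lower().startswith("v=spf1"):
        return ["no SPF record"]
    last = txt.split()[-1].lower()  # the 'all' mechanism should be last
    if last in ("all", "+all"):     # a bare 'all' means '+all'
        return ["SPF +all lets any sender pass as the domain"]
    if last == "~all":
        return ["SPF softfail (~all); use -all so spoofed mail is rejected"]
    if last != "-all":
        return ["SPF record does not end with an 'all' mechanism"]
    return []

def dmarc_findings(txt):
    """Findings for the DMARC record; an empty list means nothing to fix."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none only monitors; move to quarantine, then reject")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine; move to p=reject once reports are clean")
    if "rua" not in tags:
        findings.append("no rua address, so you receive no aggregate reports")
    return findings

def assess(records):
    """Combined findings for a domain's SPF and DMARC records."""
    return spf_findings(records["spf"]) + dmarc_findings(records["dmarc"])
```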
MFA, conditional access and identity
Identity is the perimeter for a cloud-based advice firm. Multi-factor authentication on every account that touches client data is the non-negotiable baseline — Microsoft 365, the planning platform, the CRM and the investment platforms. Conditional access then lets you go further: block sign-ins from outside Australia, require a managed and compliant device, and step up verification for risky logins. For a firm where a single mailbox compromise can move client money, this is the control that earns its keep. It also aligns with the zero-trust thinking we explain in our zero-trust security model overview.
Data retention and client portals
Advice firms have to keep records, and keep them a long time. Under the Corporations Act and ASIC’s rules, advice documents — including statements of advice and records of the advice given — must generally be retained for at least seven years, and fee disclosure and ongoing-service records carry their own retention requirements. That is a long time to keep sensitive data safe, searchable and recoverable.
The IT implications are straightforward but easy to neglect. Retained records need to live in managed, backed-up systems, not on a departed adviser’s laptop. Microsoft 365 retention is not a backup — it protects against some accidental deletion but will not save you from a compromised account wiping data or a malicious deletion. A dedicated backup of email, OneDrive and SharePoint is essential, and our data backup and recovery service is built around exactly this. Knowing your recovery targets — how long you could operate without systems (RTO) and how much data you could lose (RPO) — turns “we have backups” into something you can actually rely on.
Client portals are increasingly how firms share statements of advice, fact-finds and annual reviews securely instead of by email attachment. A properly configured portal — whether built into your platform or layered on Microsoft 365 — reduces the BEC risk and gives clients a defined place to upload identity documents. The catch is that a portal is only as secure as the identity controls behind it, which brings us back to MFA.
Where APRA CPS 234 flows down to you
Most standalone advice firms are not APRA-regulated. But the moment you serve, or sit inside the supply chain of, an APRA-regulated entity — a super fund, an insurer, an RSE licensee — their obligations under APRA CPS 234 start to flow down to you. CPS 234 requires regulated entities to manage the information-security capability of third parties that handle their data, which means they will push contractual security requirements onto their advice partners and service providers. In practice that shows up as security questionnaires, evidence requests and clauses requiring you to maintain defined controls and notify them of incidents. If you receive feeds from or share data with a regulated platform, expect this. We unpack the standard in our explainer on information security and CPS 234, and being Essential Eight aligned puts you in a strong position to answer those questionnaires honestly.
A Melbourne example
A boutique financial planning firm in Hawthorn we work with — four advisers and a handful of support staff running Xplan and Microsoft 365 — came to us after a close call. A client emailed asking to redirect a six-figure redemption to a new bank account. The email was genuine-looking and came from the client’s real address, but the client’s own mailbox had been compromised, and the account details were the attacker’s. The adviser nearly actioned it; a junior staff member happened to phone the client about something unrelated and the fraud unravelled by luck.
We rebuilt the foundations: MFA enforced through conditional access on every account, geographic sign-in restrictions, mailbox-rule alerting, SPF, DKIM and DMARC on their domain, and a documented process that every bank-detail change or payment instruction is verbally verified on a known number. We added a real Microsoft 365 backup covering their seven-year retention obligations and moved client documents out of personal OneDrives into a managed, access-controlled portal. The firm now relies on process and controls rather than luck.
Frequently asked questions
Does ASIC require financial planning firms to have cyber security?
Effectively, yes. ASIC’s licensing obligations require an AFSL holder to have adequate risk-management systems and resources, and ASIC has made clear — including through the RI Advice case — that this covers cyber-security risk management. A planning firm that cannot demonstrate basic controls across its advisers is exposed on its licence obligations, not just its data.
How long do we have to keep client advice records?
Advice documents such as statements of advice generally must be kept for at least seven years under the Corporations Act and ASIC’s rules, and fee disclosure and ongoing-service records carry their own retention requirements. Those records need to live in managed, backed-up systems for the full period, not on individual devices.
What is the biggest IT risk for an advice practice?
Business email compromise on payment and rollover instructions. Because advisers move money on client instruction, a compromised or spoofed mailbox can redirect funds before anyone notices. MFA, mailbox monitoring and a strict verbal-verification rule for any bank-detail change are the controls that matter most.
Does APRA CPS 234 apply to us if we are not APRA-regulated?
Not directly, but it flows down. If you handle data for, or sit in the supply chain of, an APRA-regulated entity such as a super fund or insurer, CPS 234 requires them to manage your information security. Expect security questionnaires and contractual control requirements as a condition of working with them.
Getting it right without overspending
A planning firm does not need an enterprise security budget — it needs the right controls done properly and kept that way: MFA and conditional access everywhere, hardened email with a verbal-verification process for payments, individual logins across Xplan and your CRM, a real backup that meets your retention obligations, and the discipline to be able to answer a licensee or CPS 234 questionnaire honestly. TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers and a 24/7 NOC in Tecoma — no offshore helpdesk. We support professional services firms across Melbourne metro on per-user fixed monthly pricing, with sub-15-minute response on critical issues and same-business-day on-site when you need hands on the ground. If your practice is running on saved passwords and goodwill, get in touch and we will tell you plainly what to fix first.