IT and Cyber for Financial Planning Firms

Financial planning firms sit on a pile of sensitive client data — tax file numbers, super balances, estate details, bank accounts — under an AFSL, the Privacy Act and ASIC’s watch. Good financial planning IT support keeps Xplan and your platforms running, locks down email against payment fraud, and gives you a defensible security position when a licensee audit or a breach lands.

The risk profile is specific. Advisers move money on client instruction, hold years of sensitive records they are legally required to retain, and increasingly run their whole practice through cloud financial-planning software and CRM. That combination — money, sensitive data and email — is exactly what attackers target. Getting the IT right is not a nice-to-have for a planning firm; it is part of meeting your obligations as a licensee.

What sits behind an AFSL

If you provide personal financial advice you operate under an Australian Financial Services Licence, either your own or as an authorised representative of a dealer group. ASIC’s licensing obligations under the Corporations Act require you to have adequate resources and risk-management systems, and ASIC has been explicit that this includes cyber resilience. The RI Advice case made the point clearly — a licensee was found to have breached its obligations by failing to have adequate cyber-security risk management across its authorised representatives. Cyber is not treated as separate from your licence conditions; it is part of them.

For most planning firms that means you need to be able to show, not just assert, that you have controls in place: access management, multi-factor authentication, patching, backups, an incident response plan and oversight of the third parties handling client data. The Australian Cyber Security Centre (ACSC) Essential Eight is the sensible framework to anchor that against, and it maps cleanly onto what ASIC expects a well-run licensee to do. We cover the practical rollout in our guide to Essential Eight compliance in 90 days.

The Privacy Act and sensitive financial data

Planning firms hold some of the most sensitive personal information there is. The Privacy Act 1988 and the Australian Privacy Principles apply to most advice businesses, and the data you hold — tax file numbers, financial position, health information gathered for insurance advice — attracts a high level of protection. TFNs carry their own handling rules on top of the APPs.

Under the Notifiable Data Breaches scheme, a breach involving client financial records that is likely to cause serious harm must be assessed and, where required, reported to the Office of the Australian Information Commissioner (OAIC) and to affected clients. A compromised adviser mailbox full of statements of advice and identity documents is precisely the scenario that scheme exists for. The practical defence is unglamorous: encrypt devices, control access, keep a record of who can see what, and back everything up. We walk through breach obligations in more detail in our overview of our cybersecurity services.

The software stack: Xplan, CRM and platform integrations

Most Melbourne planning practices run on a financial-planning platform plus a CRM plus a stack of integrations into investment platforms. The common tools are Xplan (Iress), AdviserLogic and Midwinter for advice generation, modelling and statements of advice, sitting alongside CRM and document management. Those connect outward to platforms such as HUB24, Netwealth, BT Panorama and the major fund administrators, and inward to your Microsoft 365 environment.

Because the core tools are SaaS, the vendor secures the application. Your obligations do not disappear. You still own the accounts, the devices, the network, the data feeds and the backup of anything outside the platform. The recurring weak spots we find in advice firms:

  • Shared or generic logins to Xplan or the CRM, instead of an individual account per adviser and support staff member.
  • No multi-factor authentication on the practice-management platform or on Microsoft 365, so a single phished password gives an attacker the lot.
  • Platform data feeds and document integrations configured once and never reviewed, with credentials that outlast the staff who set them up.
  • Statements of advice, fact-finds and scanned ID documents sitting in a Downloads folder or a personal OneDrive rather than the managed system.

The IT job is making each of those integrations authenticated, monitored and owned, and making sure access is tied to individuals so it can be revoked the day someone leaves.

Email security and business email compromise

This is the single biggest financial risk a planning firm carries, and it deserves its own section. Business email compromise is where an attacker gets into — or convincingly impersonates — a mailbox and uses it to redirect money. For an advice firm the danger is payment and rollover instructions: a client emails asking to redeem an investment or change their nominated bank account, the adviser actions it, and the instruction was never really from the client. Or the attacker is inside the adviser’s mailbox, watching, and inserts fraudulent account details at the moment a genuine payment is due.

The controls that actually reduce this risk are layered:

  • MFA on every mailbox, enforced through conditional access, so a stolen password alone is not enough. Our piece on conditional access policies in Microsoft 365 covers how to do this without making sign-in painful.
  • Mailbox monitoring and alerting on the inbox rules attackers create to hide their tracks — auto-forwarding and “move to RSS feeds” rules are classic tells.
  • A hard process rule: any change to client bank details or any payment instruction received by email is verified by a phone call to a known number, never to the number in the email.
  • SPF, DKIM and DMARC configured so attackers cannot easily spoof your domain to your clients.

The technology stops most of it. The verbal-verification process catches what gets through. We go deeper on this in our article on business email security, phishing and BEC.

MFA, conditional access and identity

Identity is the perimeter for a cloud-based advice firm. Multi-factor authentication on every account that touches client data is the non-negotiable baseline — Microsoft 365, the planning platform, the CRM and the investment platforms. Conditional access then lets you go further: block sign-ins from outside Australia, require a managed and compliant device, and step up verification for risky logins. For a firm where a single mailbox compromise can move client money, this is the control that earns its keep. It also aligns with the zero-trust thinking we explain in our zero-trust security model overview.

Data retention and client portals

Advice firms have to keep records, and keep them a long time. Under the Corporations Act and ASIC’s rules, advice documents — including statements of advice and records of the advice given — must generally be retained for at least seven years, and fee disclosure and ongoing-service records carry their own retention requirements. That is a long time to keep sensitive data safe, searchable and recoverable.

The IT implications are straightforward but easy to neglect. Retained records need to live in managed, backed-up systems, not on a departed adviser’s laptop. Microsoft 365 retention is not a backup — it protects against some accidental deletion but will not save you from a compromised account wiping data or a malicious deletion. A dedicated backup of email, OneDrive and SharePoint is essential, and our data backup and recovery service is built around exactly this. Knowing your recovery targets — how long you could operate without systems (RTO) and how much data you could lose (RPO) — turns “we have backups” into something you can actually rely on.

Client portals are increasingly how firms share statements of advice, fact-finds and annual reviews securely instead of by email attachment. A properly configured portal — whether built into your platform or layered on Microsoft 365 — reduces the BEC risk and gives clients a defined place to upload identity documents. The catch is that a portal is only as secure as the identity controls behind it, which brings us back to MFA.

Where APRA CPS 234 flows down to you

Most standalone advice firms are not APRA-regulated. But the moment you serve, or sit inside the supply chain of, an APRA-regulated entity — a super fund, an insurer, an RSE licensee — their obligations under APRA CPS 234 start to flow down to you. CPS 234 requires regulated entities to manage the information-security capability of third parties that handle their data, which means they will push contractual security requirements onto their advice partners and service providers. In practice that shows up as security questionnaires, evidence requests and clauses requiring you to maintain defined controls and notify them of incidents. If you receive feeds from or share data with a regulated platform, expect this. We unpack the standard in our explainer on information security and CPS 234, and being Essential Eight aligned puts you in a strong position to answer those questionnaires honestly.

A Melbourne example

A boutique financial planning firm in Hawthorn we work with — four advisers and a handful of support staff running Xplan and Microsoft 365 — came to us after a close call. A client emailed asking to redirect a six-figure redemption to a new bank account. The email was genuine-looking and came from the client’s real address, but the client’s own mailbox had been compromised, and the account details were the attacker’s. The adviser nearly actioned it; a junior staff member happened to phone the client about something unrelated and the fraud unravelled by luck.

We rebuilt the foundations: MFA enforced through conditional access on every account, geographic sign-in restrictions, mailbox-rule alerting, SPF, DKIM and DMARC on their domain, and a documented process that every bank-detail change or payment instruction is verbally verified on a known number. We added a real Microsoft 365 backup covering their seven-year retention obligations and moved client documents out of personal OneDrives into a managed, access-controlled portal. The firm now relies on process and controls rather than luck.

Frequently asked questions

Does ASIC require financial planning firms to have cyber security?

Effectively, yes. ASIC’s licensing obligations require an AFSL holder to have adequate risk-management systems and resources, and ASIC has made clear — including through the RI Advice case — that this covers cyber-security risk management. A planning firm that cannot demonstrate basic controls across its advisers is exposed on its licence obligations, not just its data.

How long do we have to keep client advice records?

Advice documents such as statements of advice generally must be kept for at least seven years under the Corporations Act and ASIC’s rules, and fee disclosure and ongoing-service records carry their own retention requirements. Those records need to live in managed, backed-up systems for the full period, not on individual devices.

What is the biggest IT risk for an advice practice?

Business email compromise on payment and rollover instructions. Because advisers move money on client instruction, a compromised or spoofed mailbox can redirect funds before anyone notices. MFA, mailbox monitoring and a strict verbal-verification rule for any bank-detail change are the controls that matter most.

Does APRA CPS 234 apply to us if we are not APRA-regulated?

Not directly, but it flows down. If you handle data for, or sit in the supply chain of, an APRA-regulated entity such as a super fund or insurer, CPS 234 requires them to manage your information security. Expect security questionnaires and contractual control requirements as a condition of working with them.

Getting it right without overspending

A planning firm does not need an enterprise security budget — it needs the right controls done properly and kept that way: MFA and conditional access everywhere, hardened email with a verbal-verification process for payments, individual logins across Xplan and your CRM, a real backup that meets your retention obligations, and the discipline to be able to answer a licensee or CPS 234 questionnaire honestly. TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers and a 24/7 NOC in Tecoma — no offshore helpdesk. We support professional services firms across Melbourne metro on per-user fixed monthly pricing, with sub-15-minute response on critical issues and same-business-day on-site when you need hands on the ground. If your practice is running on saved passwords and goodwill, get in touch and we will tell you plainly what to fix first.

CPS 234 is APRA’s prudential standard on information security. It binds banks, insurers and superannuation funds, and through them their third-party providers. Core duties: maintain real security capability, define who owns what, implement and test controls, and notify APRA within 72 hours of a material incident. If you supply a regulated entity, you are in scope by flow-down.

Who CPS 234 actually applies to

The Australian Prudential Regulation Authority (APRA) regulates the entities that hold the country’s deposits, insurance pools and retirement savings. CPS 234 has applied to all of them since 1 July 2019. The list of APRA-regulated entities covers authorised deposit-taking institutions (banks, building societies, credit unions), general and life insurers, private health insurers, and registrable superannuation entity licensees.

If you run one of those, none of this is news. The part that catches Melbourne SMEs out is the flow-down. CPS 234 explicitly requires a regulated entity to manage the information security of the third parties it relies on. The standard says the board of the regulated entity is ultimately responsible for information security, and that responsibility does not evaporate when data or systems are handed to a vendor. So the obligation lands on the regulated entity, and the regulated entity pushes it down the supply chain in the form of contract clauses, security questionnaires and audit rights.

That is how a 25-person fintech in Cremorne, a claims-processing bureau in Box Hill, or a SaaS company that sells loan-origination software to a credit union ends up answering a 200-line security assessment. You are not directly regulated by APRA. But your customer is, and they cannot meet their own CPS 234 obligations unless you can demonstrate you handle their information security to a comparable standard.

The four obligations that matter

Strip away the prudential language and CPS 234 asks regulated entities (and, by extension, the providers they lean on) to do four things.

1. Maintain information security capability commensurate with the threats

This is not a checkbox. APRA wants the size and maturity of your security capability to match the sensitivity of the information you hold and the threat environment you operate in. A provider holding superannuation member data and bank account details is expected to have stronger controls than one handling a low-risk marketing list. Capability here means people, processes and technology — not a firewall and a hope.

2. Clearly define information security roles and responsibilities

Someone has to own this. The standard requires roles and responsibilities for information security to be clearly defined across the board, senior management, governance bodies and individuals. In practice that means a named accountable person, documented responsibilities, and no “we assumed IT was handling it”. For an SME supplier, this is often the single biggest gap — security is everyone’s job, which means it is nobody’s job, until a regulated customer asks who owns it.

3. Implement controls and test them regularly

You must implement information security controls to protect assets, and — this is the part people skip — systematically test the effectiveness of those controls. Testing has to be proportionate to the rate of change in vulnerabilities and threats, the criticality of the assets, and the consequences of a breach. Controls that have never been tested are assumptions, and APRA does not accept assumptions. This is where penetration testing, control reviews and internal audit come in.

4. Notify APRA within 72 hours of a material incident

A regulated entity must notify APRA no later than 72 hours after becoming aware of an information security incident that materially affected, or had the potential to materially affect, the entity or the interests of depositors, policyholders or members. There is also a 10-business-day window to notify APRA of a material information security control weakness the entity cannot remediate in time. For a third-party provider, the practical effect is that your incident at 2am becomes your customer’s regulatory clock. If you sit on a breach for a week, you have blown their 72-hour notification before they even knew.

CPS 234 and CPS 230: how they fit together

CPS 234 does not exist on its own anymore. APRA’s newer operational risk standard, CPS 230, came into force on 1 July 2025, and it widens the lens considerably. Where CPS 234 is squarely about information security, CPS 230 is about operational resilience across the board — operational risk management, business continuity, and the management of material service providers.

The overlap that matters for suppliers is the service-provider piece. CPS 230 requires regulated entities to maintain a register of material service providers, conduct due diligence, manage the risks those providers introduce, and have contracts that meet a defined set of requirements. If you were already feeling the squeeze from CPS 234 flow-down, CPS 230 tightens it: your regulated customers now have a formal, examinable obligation to assess and monitor you as a material service provider.

 CPS 234CPS 230
In force1 July 20191 July 2025
FocusInformation securityOperational risk and resilience
Key supplier impactSecurity control flow-down, incident notificationMaterial service provider register, due diligence, contract requirements
Incident clock72 hours to APRA for material security incidents72 hours for operational risk incidents
What it means for youProve your security controlsProve you are a managed, resilient dependency

Read together, the two standards say the same thing to a supplier: a regulated customer is now contractually and prudentially obliged to know how you protect their data and how you keep running when something goes wrong. Vague answers cost you the contract.

Why a Melbourne professional-services or fintech SME gets pulled in

We see this pattern across our professional-services and fintech clients. The business has no direct line to APRA, has never read a prudential standard, and assumes compliance is the bank’s problem. Then a deal with an APRA-regulated entity reaches procurement, and the security questionnaire arrives. Suddenly the SME is asked to evidence things it has never documented.

A fintech in Richmond we work with builds reporting tools for a superannuation fund. They had solid engineering and genuinely good security instincts, but nothing written down. The fund’s vendor risk team, working to CPS 234 and now CPS 230, wanted documented roles, evidence of control testing, a tested incident response plan with a 72-hour notification commitment baked into the contract, and proof that access to member data followed least privilege. The technology was fine. The governance evidence did not exist, and that nearly killed the deal.

The flow-down is rarely negotiable. The regulated entity cannot waive its own obligation, so it cannot accept “trust us” from a supplier. If you cannot demonstrate the controls, you do not get added to the approved-vendor register, and the contract goes to a competitor who can.

What to do about it

The good news: meeting the substance of a CPS 234 flow-down is the same work that meets the Essential Eight and most cyber-insurance requirements. You are not building a separate program; you are documenting and testing one. A practical order of operations:

  1. Assign ownership. Name an accountable person for information security in writing, even if it is the director. This single step answers the most common question on every vendor assessment.
  2. Document your controls. Map what you actually do — multi-factor authentication, patching cadence, access management, logging, backups — against a recognised framework. The Australian Cyber Security Centre (ACSC) Essential Eight is the most defensible baseline for an Australian SME, and it maps cleanly onto CPS 234’s control expectations.
  3. Test the controls. Run a penetration test and a control review so you can show evidence, not assertions. CPS 234’s testing obligation is the one suppliers most often fail to evidence.
  4. Write and rehearse an incident response plan. Include a contractual notification commitment that lets your regulated customer hit their 72-hour APRA deadline. Practise it — a plan nobody has run is the same as no plan.
  5. Get the contract language right. Expect audit rights, sub-contractor disclosure, data-handling terms and breach-notification timelines. Have these reviewed before you sign.

For most SMEs in this position, the bottleneck is not the technology — it is having the security capability, the documentation and the testing evidence to put in front of a sharp vendor-risk reviewer. That is the work an MSP does day to day. We run this for clients through our cybersecurity services and, where the governance side needs ownership, our virtual CIO function, both backed by 13 Australian-employed engineers and a 24/7 NOC out of Tecoma. Essential Eight alignment and ISO 27001-capable processes mean the evidence is there when the questionnaire lands, not scrambled together the week it is due.

Frequently asked questions

Does CPS 234 apply directly to my business?

Only if you are an APRA-regulated entity — a bank, insurer, private health insurer or superannuation licensee. If you supply one of those, CPS 234 does not bind you directly, but it reaches you through contract flow-down because your customer must manage your information security to meet its own obligation. The practical effect is the same: you have to evidence your controls.

What counts as a material information security incident?

One that materially affected, or had the potential to materially affect, the regulated entity or the interests of its depositors, policyholders or members — for example a breach exposing customer financial data or a ransomware event taking down a critical system. The regulated entity makes that call, but as their supplier your job is to report any incident to them fast enough that they can meet the 72-hour APRA window.

How is CPS 230 different from CPS 234?

CPS 234 is about information security specifically. CPS 230, in force since 1 July 2025, is broader — operational risk, business continuity and the management of material service providers. For suppliers, CPS 230 adds formal due diligence, a material service provider register and stricter contract requirements on top of the CPS 234 security expectations.

How long does it take to get ready for a vendor security assessment?

If your controls are genuinely sound and only the documentation is missing, a focused program of assigning ownership, documenting controls, running a penetration test and writing an incident response plan typically takes weeks, not months. If the underlying controls have real gaps, plan for longer. Either way, start before the deal reaches procurement, not after.

The short version

CPS 234 makes APRA-regulated entities responsible for their own information security and for the security of everyone they hand data to. That responsibility flows down to suppliers as contract terms, questionnaires and audit rights, and CPS 230 has only tightened the grip. If you are a Melbourne professional-services or fintech SME selling into financial services, the requirements will find you whether or not you have read the standard. The fix is to treat security as documented, tested and owned — not assumed. If you want help getting evidence-ready before the next questionnaire arrives, get in touch and we will map where you stand.

Ready to Make IT Your
Competitive Advantage?

Book a free consultation with our team. No pressure, no jargon — just a clear-eyed look at where you stand and what's possible.