Australia's cyber risk landscape
Cyber risk has become a central issue in governance and operational resilience. Across Australia and internationally, companies are experiencing a sharp rise in sophisticated cyberattacks, particularly targeting critical infrastructure and financial services. These incidents often compromise sensitive customer data and expose businesses to significant financial, legal and reputational harm.
For insurance policyholders, the widening exposure means that the operational cost and the time spent addressing these incidents are a growing drain on corporate resources.
For the insurance industry, this means that small, medium and large corporate clients need greater safeguards, both in terms of frontline education and sophistication and in the form of affordable yet comprehensive insurance programmes.
Cyber incidents increasingly give rise to complex insurance considerations, particularly as to which of the policies intended to protect against those risks (cyber, directors and officers, statutory liability and commercial crime) will respond, and to what extent. They also attract heightened regulatory scrutiny, with the Australian Securities and Investments Commission (ASIC) emphasising the importance of cyber resilience in Report 776 and reinforcing this focus in its 2025 Enforcement Priorities.
In this article, we examine ASIC’s recent cyber enforcement activity, including its proceedings against Fortnum Private Wealth Ltd, and explore the insurance implications for Australian Financial Service Licence (AFSL) holders and other regulated entities. We also outline practical steps businesses can take to strengthen their cyber risk frameworks and ensure their insurance programmes are fit for purpose.
ASIC cybersecurity enforcement developments
One of ASIC’s twelve Enforcement Priorities for 2025 is licensee compliance with adequate cybersecurity protections. Recent actions against AFSL holders underscore the regulator’s expectations for robust cyber practices and digital resilience across the financial services sector. Those expectations rest on the obligations in Chapter 7 of the Corporations Act 2001 (Cth) (Corporations Act), in particular:
- Section 912A — General Obligations of AFSL Holders
912A(1)(a): Financial services licensees must do all things necessary to ensure their services are provided efficiently, honestly and fairly.
912A(1)(d): Licensees must have available adequate resources (including financial, technological, and human resources) to provide the financial services covered by the licence and to carry out supervisory arrangements.
912A(1)(f): Licensees must ensure that their representatives are adequately trained, and are competent, to provide financial services.
912A(1)(h): Licensees must have adequate risk management systems in place.
- Sections 917B and 917C — Liability for Authorised Representatives
These provisions make AFSL holders liable for the conduct of their authorised representatives (ARs). In cybersecurity enforcement, ASIC can use these sections to hold licensees accountable for breaches that occurred within AR networks.
ASIC has brought proceedings against several financial advice firms, most recently Fortnum Private Wealth Ltd (Fortnum), alleging breaches of sections 912A(1)(a), (d), (f) and (h), and 912A(5A), of the Corporations Act for failing to adequately manage and mitigate cybersecurity risks. This marks ASIC’s third cyber-related enforcement action, following its proceedings against FIIG Securities in March 2025 and against RI Advice Group Pty Ltd, decided in 2022. Together, these actions reflect a growing regulatory focus on cybersecurity as a core governance obligation.
Overview: ASIC v Fortnum Private Wealth Ltd
ASIC's pleadings in Fortnum's case closely mirror those in the earlier cases noted above. Like many businesses that operate online or rely on computer systems, Fortnum’s ARs routinely handled sensitive personal information and documents. As retail financial services providers, much of the information they held related to individuals, small businesses and other retail clients.
In the period prior to 11 May 2023, several of Fortnum’s ARs experienced cybersecurity incidents. These included a phishing attack that led to over 1,200 malicious emails being sent from an employee’s account, a spoofing attack and a major data breach that exposed over 200 gigabytes of client data. ASIC alleges that most of these incidents occurred after Fortnum introduced its April 2021 cybersecurity policy.
ASIC claims that Fortnum breached its obligations as an AFSL holder because of deficiencies in its cybersecurity framework. According to ASIC, Fortnum’s systems and controls were inadequate in several areas:
- Fortnum’s April 2021 cybersecurity policy did not adequately address the risks faced by the business and its ARs.
- ARs were not required to complete a prescribed minimum level of cybersecurity education or training.
- Fortnum lacked systems to supervise ARs’ cybersecurity practices or monitor compliance with its cybersecurity policy, including oversight of any consultants engaged by ARs.
- Fortnum had no employees with cybersecurity expertise and failed to engage qualified consultants when developing its cybersecurity policy.
- Fortnum did not implement a risk management system that addressed cybersecurity threats.
The relevance of these shortcomings is illustrated by ASIC v RI Advice Group [2022] FCA 496. That case examined the uncertain and evolving nature of cyber risk exposure, which her Honour Justice Rofe summarised at [58] as follows:
'Risks relating to cybersecurity, and the controls that can be deployed to address such risks evolve over time. As financial services are increasingly conducted using digital and computer technology, cybersecurity risk has also increased. Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.'
That level must be acceptable not only to ASIC but, in practice, also to the individuals whose data is being protected and to the company's stakeholders, who share the common goal of privacy and data protection.
Practical steps to address cyber risk
As ASIC intensifies its scrutiny of cyber governance, businesses must take proactive steps to ensure their cyber risk frameworks and insurance programmes are fit for purpose.
A robust response begins with regular reviews of cyber and operational risk frameworks, ensuring they reflect current threat landscapes and regulatory expectations. Boards must treat cyber risk as a core governance priority, embedding it into oversight structures and decision-making processes. This should be supported by ongoing training and awareness initiatives to ensure that cyber risk is understood and managed across all levels of the organisation.
Insurance programmes should be aligned with actual risk exposure. This includes reviewing policy wording, exclusions and incident response protocols to ensure they integrate with internal procedures. Particular attention should be paid to how insurers define key terms, interpret exclusions and assess claims involving multiple policies or events.
As part of a coordinated approach to cyber risk management, businesses should consult with legal advisers, internal risk teams and brokers ahead of renewal to ensure their insurance programmes are legally sound and commercially appropriate. Legal professionals can assist by reviewing policy terms, clarifying the scope of coverage and exclusions, and assessing alignment with regulatory obligations and operational realities. This collaborative process supports informed decision-making and helps build insurance arrangements that are resilient to evolving cyber threats.
Insurance implications
ASIC's recent enforcement actions, including against Fortnum, have sharpened the focus on how cyber risk translates into insurance exposure. For both insurers and insureds, the implications are multifaceted and increasingly complex.
While many businesses maintain a broad suite of insurance policies, several of these are ill-suited to cyber risks. For instance, public and products liability and business interruption insurance typically require physical damage to tangible property and often exclude losses involving electronic data or IT systems. Similarly, professional indemnity insurance may only respond where a cyber incident arises directly from a failure in the delivery of professional services. These limitations underscore the need for dedicated cyber cover that can respond to exposures such as regulatory investigations, extortion threats and third-party liability.
1. Cyber insurance
Cyber insurance policies are evolving rapidly to keep pace with the growing complexity of cyber threats. Coverage is typically categorised as either 'first-party' or 'third-party'. First-party coverage protects the insured business itself and may include costs related to data recovery, forensic investigations, legal advice, cyber extortion (such as ransomware) and business interruption. Third-party coverage, by contrast, generally applies when external parties (such as customers or regulators) make claims against the business. Depending on the policy wording, this may extend to compensation for failure to protect personal data, as well as regulatory fines and penalties to the extent they are insurable at law.
Policy wording varies significantly between insurers, which can have important implications for coverage. For instance, the way key terms such as “computer system” are defined may determine whether incidents involving remote work, cloud platforms or third-party vendors are covered. Some cyber insurance policies expressly include third-party networks (such as cloud service providers) within the definition of the insured’s computer system, allowing coverage to apply regardless of where the breach occurs. However, this is not consistent across the market, and coverage gaps may arise where policies do not clearly extend to outsourced or off-premises infrastructure.
Businesses should undertake a thorough legal review of their cyber insurance programmes to ensure they adequately address legal and regulatory exposures, especially those arising from alleged failures in cyber governance.
In the face of rising cyber risk, insurers must also protect their own position and will tighten policy exclusions in line with the market and increased regulatory scrutiny. Careful front-line review and incident management may reduce the risk of being left without cover where a company's security measures fall short of minimum standards. This includes aligning governance with the expectations of both the regulator and insurers, for instance by enforcing multi-factor authentication and patching known vulnerabilities promptly; insurers increasingly ask about such controls in proposal forms, and those answers should be accurate. As underwriting becomes more risk-sensitive, insurers are placing greater emphasis on the insured’s ability to prevent, detect and respond to cyber incidents when assessing coverage.
2. Directors & officers' liability insurance
ASIC’s recent enforcement actions have highlighted the growing risk of personal liability for directors and officers who fail to oversee cyber governance effectively. While a contravention of the Corporations Act by a company does not automatically result in a breach of directors’ duties, it may form the basis for establishing a breach of the duty of care under section 180(1).
ASIC has warned that boards which do not prioritise cyber resilience may face enforcement action. As regulatory expectations continue to evolve, directors’ exposure to liability in this area is becoming increasingly tangible.
Directors and officers' liability (D&O) insurance may respond to claims arising from alleged failures in cyber oversight, including regulatory investigations and shareholder actions. Defence and investigation costs are typically covered unless and until a final adjudication establishes excluded conduct.
Boards should review their D&O policies to ensure coverage extends to regulatory investigations and cyber-related governance failures, and to confirm that cyber risks are not excluded or deferred to standalone cyber policies.
3. Statutory liability insurance
Statutory liability insurance provides coverage for unintentional breaches of legislation. This includes legal defence costs, investigation expenses and civil fines or penalties, where permitted by law. These policies do not cover criminal penalties, which are generally uninsurable at law.
This type of insurance may be relevant when a policyholder breaches regulatory obligations, such as those under the Privacy Act 1988 (Cth) (Privacy Act), due to a system failure or data loss caused by a security incident.
While statutory liability insurance may cover civil penalties and legal defence costs for breaches of the Privacy Act, cover extends only to insurable risks: intentional, fraudulent or criminal conduct, and the penalties attaching to it, remain uninsurable. Under the Notifiable Data Breaches scheme, organisations and agencies regulated by the Privacy Act must notify affected individuals and the Office of the Australian Information Commissioner when a breach involving personal information is likely to result in serious harm. This process can involve significant costs, including notification, regulatory reporting, investigation and remediation.
Although many companies have specific cyber liability insurance to respond to these types of incidents, companies should pay careful attention to whether they also hold sufficient insurances and have governance in place to manage the operational, reputational and regulatory impacts of a data breach.
4. Commercial crime insurance
Commercial crime policies may offer only limited value in responding to cyber incidents. While they typically cover direct financial losses from 'criminal acts' (usually defined to include computer fraud), they often exclude consequential losses such as business interruption, data restoration, legal costs and reputational harm. As a result, many cyber-related losses fall outside the scope of standard crime cover.
However, these policies can be useful in cases of cyber extortion, where a threat is made to damage or disable systems unless a ransom is paid. Coverage for extortion is generally broad enough to respond to such threats but is usually offered as an optional extension rather than standard cover. Businesses should consider acquiring this extension to ensure protection against ransomware and similar threats, particularly as these attacks continue to rise in frequency and sophistication.