Cybersecurity for Australian financial services.
AFS licensees and market participants are now operating under ASIC's 26-092MR open letter, the FIIG Securities standard of demonstrably effective and proportionate cyber risk management, and (where dual-regulated) APRA's CPS 234 and CPS 230. Cliffside is the independent practice that turns those obligations into evidence.
On 8 May 2026 ASIC Commissioner Simone Constant issued open letter 26-092MR to AFS licensees, market participants and their directors. The letter sets out twelve specific actions and four board governance expectations, anchored in the FIIG Securities judgment, and asks for the letter to be tabled at the next ultimate board and risk governance committee.
For dual-regulated entities, this sits on top of APRA CPS 234, CPS 230, the Cyber Security Act 2024, FAR, and the SOCI Act. Cliffside builds the cyber programme that satisfies all of them with a single, evidence-led operating model.
The regulatory environment
One cyber programme. The whole regulatory stack.
Australian financial services has become the most regulated cyber environment in the country. Each regulator brings its own lens, but the underlying expectation has converged: cyber risk management that is independently testable, proportionate to the business, and evidenced at the board table.
The mistake we see most often is treating each obligation as a separate programme. The result is duplicated effort, conflicting evidence, and a board that cannot defend a single coherent position. Cliffside designs cyber programmes that satisfy the whole stack from one operating model.
Why financial services is different
Four pressures, one cyber posture.
Financial services entities are not generic businesses with extra compliance. The combination of data sensitivity, direct money movement, deep vendor ecosystems, and personal regulatory accountability creates a cyber risk profile that demands a tailored approach.
The challenges
What makes financial services cyber risk distinctive.
ASIC's May 2026 letter is the most recent expression of a pressure that has been building for several years. These are the four conditions Australian AFS licensees and market participants now operate under.
AFS licensees and market participants now answer to ASIC (under 26-092MR and FIIG), APRA where dual-regulated (CPS 234, CPS 230), and AUSTRAC for AML/CTF data. A single cyber programme has to satisfy all three, with one coherent evidence pack the board can defend.
ASIC has formally named frontier AI as a step-change in the cyber threat environment. Phishing fluency, vulnerability discovery cadence, and lateral-movement automation all shift in attackers’ favour. Existing controls are tested more often, at higher pressure.
Financial services entities hold the kind of data and direct the kind of money flows that make a breach existential, not just expensive. Trust, once lost, does not return at the speed of a remediation programme.
Under the Financial Accountability Regime (FAR) and ASIC's own governance expectations, named individuals carry personal accountability. "We have policies" is not a defence; "we can evidence proportionate and effective controls" is the bar set by the FIIG Securities judgment.
The bar ASIC has set
Evidence, not assurances.
"Governance should not rely only on assurances. It should be supported by evidence: test results, audit findings, lessons from incidents, and independent validation, supported by appropriate capability and resourcing." That is the new standard, quoted verbatim from 26-092MR. It applies to every AFS licensee and market participant from May 2026 onwards.
For practitioners, the implication is clear. Board reports built on activity metrics (tickets closed, scans run, training completed) no longer evidence the control effectiveness ASIC expects. The reporting that survives scrutiny is grounded in independent testing, control-coverage and effectiveness scoring, audit findings, and lessons captured from real incidents (including near-misses).
The fastest move you can make this month. Table the ASIC letter at the next board meeting and commission an independent readiness assessment against the 12 actions. The output is a transferable evidence pack the board can rely on at the following meeting and the supervisory team can rely on at the next interaction. Read our practical response to 26-092MR →
What we deliver
The full programme, in one place.
Cliffside is ISO 27001 certified, a Microsoft Partner, and our practitioners hold SABSA, CISSP, CREST and OSCP. We work with AFS licensees, market participants, APRA-regulated banks, insurers and super funds. Engagement is assessment-first, vendor-neutral, and transferable.
An independent assessment against ASIC’s 12 actions and four governance expectations, calibrated to the size, nature and complexity of your business. Produces a transferable evidence pack the board can table at the next risk governance committee.
For dual-regulated entities: end-to-end CPS 234 maturity assessment across all 36 paragraphs, mapped to APRA’s six tripartite gaps and the post-Medibank enforcement environment. Aligned with the new CPS 230 requirements.
Network, identity, cloud, endpoint and detection architecture, assessed against assume-breach principles. Direct fit for ASIC’s expectation of layered defence-in-depth architectures that restrict lateral movement.
CREST- and OSCP-certified independent testers covering network, application, cloud and AI-system testing. Produces the demonstrably effective control evidence ASIC and APRA now require.
Vendor security assurance programme design and execution, including fourth-party mapping. Built for the CPS 230 material service provider regime and ASIC’s explicit call-out of concentration and systemic exposure.
Senior security leadership on a fractional basis: board reporting that evidences control effectiveness, risk frameworks that surface combinatorial risk, and policy suites that survive supervisory scrutiny.
Scenario-based incident response exercising, with realistic frontier-AI threat injects. Tests both the technical response and the 72-hour regulatory notification process under pressure, including the decision of who notifies whom, by when, and on what evidence.
Risk-based AI adoption frameworks aligned to ISO 42001, shadow AI control, and AI-system penetration testing. Covers both defensive AI use (action 12 in 26-092MR) and protection against AI-enabled supply-chain risk.
How we engage
Assessment-first. Evidence-led. No lock-in.
Every engagement starts with a free consultation. We scope the work to your actual position, deliver transferable outputs you can use with our team or take to a competing provider, and we will tell you honestly when you do not need us. Our advice is not shaped by margin.
For ongoing engagements, we work on a fractional Virtual CISO basis, project-embedded for the duration of a specific transformation, or as on-demand specialist advisory. The right model depends on your programme of work, not our preferred billing pattern.
Tabled at the board. Evidenced at the next.
Book a free consultation. We will assess your position against ASIC's 12 actions and four governance expectations, identify the highest-leverage moves, and tell you honestly where you already meet the bar and where you do not. Transferable report. No lock-in.