Last week's coordinated cyberattack on major Australian superannuation funds has sent ripples through the financial services industry and serves as a reminder to advice practices that technology investment decisions must be made with security in mind. Early analysis from the 2025 Adviser Ratings Financial Adviser Landscape Report reveals a telling trend: financial advice practices are planning to reduce spending on new IT systems by 12% over 2025, while simultaneously increasing investment in material compliance enhancements—including cybersecurity—by a substantial 31%.
This pivot has been building for some time and reflects the industry's willingness to learn and adapt. As the broader industry absorbs the implications of the credential stuffing attack that compromised thousands of accounts at AustralianSuper, Australian Retirement Trust, REST, Hostplus, and Insignia Financial's MLC Expand platform, resulting in money being stolen from members' superannuation accounts, cybersecurity is once again a critical focus for the profession.
From System Expansion to Security Enhancement
The shift in spending priorities represents a maturing understanding of digital risk in the advice profession. Rather than focusing on new capabilities and system expansion, practices are increasingly prioritising the security and compliance of their existing technology stack, a clear response to the growing cyber threats.
Mark Lewin of Back Office Hero notes this positive development: "Advisers are starting to understand the importance of the 'Essential Eight' in their practices, which has led to improvements in protecting clients' data, being more confident in the security of their systems, and knowing they aren't taking any shortcuts with privacy and cyber security."
The 'Essential Eight', a set of baseline mitigation strategies from the Australian Cyber Security Centre, is a crucial guide for practices looking to strengthen their cybersecurity posture. This framework provides a practical roadmap, enabling practices to enhance their security without necessarily investing in entirely new systems.
The Financial Impact of Cyber Risk
The super fund breaches have brought renewed attention to the financial consequences of cyber incidents in the financial services sector. According to data from Numerisk's analysis of cyber insurance claims, the average cost of a cyber insurance claim for financial services organisations is $225,000, with business email compromise (BEC) accounting for 47% of claims, followed by funds transfer fraud (12%) and ransomware (11%).
IBM Security estimates the average total cost of a data breach for financial services organisations at a staggering $7.56 million. This figure underscores the critical importance of cybersecurity investment, putting the potential financial consequences of a breach into stark perspective.
These financial realities are influencing advice practices' decisions to redistribute technology spending toward security and compliance rather than new systems. With phishing attacks accounting for 79% of the financial services industry's cyber claims, practices recognise that even basic security measures and staff training can yield significant risk reduction compared to investments in new capabilities.
The Regulatory Context
While not actively driving the shift in spending priorities, regulatory expectations provide essential context for practices' decisions. ASIC Commissioners have been clear that cybersecurity falls within licensees' core obligations, noting in recent years that "informal policies and informal procedures are probably not going to be enough."
Following the landmark Federal Court decision in ASIC v RI Advice, ASIC expects licensees to be "cyber vigilant": to regularly assess threats, prepare appropriate defences, and test response capabilities. While the regulator acknowledges that reducing cyber risk to zero is impossible, it expects businesses to mitigate risks as much as possible and respond quickly when incidents occur.
This regulatory stance aligns with the 2025 Landscape Report data trend, suggesting that practices are making prudent decisions that serve both compliance requirements and business resilience objectives.
A Practice View
Financial advice practices excel at guiding clients through complex financial decisions, but cybersecurity is a specialised discipline that often falls outside their core expertise. Many practices find themselves overwhelmed by rapidly evolving threats, technical terminology and conflicting security recommendations, not to mention the cost (and whether it is reasonable or not).
Rather than attempting to navigate this complex landscape alone, forward-thinking practices are increasingly partnering with dedicated cybersecurity experts. These specialists can provide tailored risk assessments, implement appropriate security measures proportionate to the practice's size and client base, and offer ongoing monitoring and support.
Such partnerships allow advisers to focus on their area of expertise—financial advice—while ensuring their digital infrastructure receives proper protection from specialists who understand both the technical aspects of cybersecurity and the unique regulatory requirements facing financial services firms. As one practice owner noted, "Trying to become cybersecurity experts ourselves would be like asking our IT provider to create financial plans—some things are best left to specialists."
A New Approach to Technology Investment
The rebalancing of technology investments revealed in the early Landscape Report data points to a more sophisticated approach to digital risk management. Rather than viewing cybersecurity as a separate technology category, practices increasingly integrate it into their core technology strategy.
Key priorities emerging from this shift include:
- Strengthening existing systems rather than implementing new ones
- Mandatory staff awareness and training to combat phishing and social engineering attacks
- Developing and testing incident response plans to ensure rapid recovery if breaches occur
- Implementing cyber insurance as part of a comprehensive risk management strategy
For financial advice practices, the message from the marketplace and regulators is clear: cybersecurity is not a separate technology consideration but a fundamental business risk requiring dedicated attention and investment.
Insurance Considerations
As practices reconsider their technology investments, many are also reviewing their insurance coverage. Numerisk’s data shows that most small and medium-sized businesses in the financial services industry purchase $1-2M in limits, while many mid-market organisations opt for $5-10M in coverage.
The most common cyber events affecting financial services businesses include:
- Business interruption and reputation damage when essential systems are impacted
- Cybercrime through means such as funds transfer fraud and invoice manipulation
- Recovery and restoration costs after attacks
- Direct response costs, including forensic investigation and legal counsel
- Third-party liability issues arising from data breaches
With the Landscape Report data showing a 31% increase in planned spending on compliance enhancements, including cybersecurity, practices are taking a comprehensive approach that combines technology hardening, staff training, and appropriate insurance coverage.
Rebuilding Trust After the Breach
Returning to this week's superannuation cyber breaches, the recent attacks create challenges and opportunities in relationship management for advisers who recommended affected platforms to their clients. Fraser Jack from the Cyber Collective sees these incidents as pivotal moments for client-adviser relationships.
"Incidents of this nature present an opportunity to strengthen the trust between clients and their advisers, especially when the adviser, who is seen as a trusted source, has endorsed the platform in question. This situation highlights the importance of developing improved communication practices," Jack explains.
He emphasises that while there are reputational risks, the current situation "serves as a reminder of the immense value of building and sustaining trust with advisers. This trust is a key factor in encouraging future inflows to the platform."
The attack has also highlighted the importance of transparent communication during cyber incidents. "Fostering effective communication between the platform and advisers is essential for providing reassurance. When communication is transparent, it not only enhances trust but also creates a strong sense of security for advisers, instilling confidence in the platform's operations," adds Jack.
Looking Ahead
The shift in spending priorities revealed in the 2025 Landscape Report data suggests that financial advice practices are entering a more mature phase of technology management that balances innovation with security and compliance. The super fund breaches serve as a timely reminder of the stakes involved and the importance of a proactive approach to cyber risk.
As Fraser Jack notes, "The question for advice practices is no longer if a cyber attack will occur, but when—and whether the practice is prepared to prevent, detect, and respond effectively."
For advice practices navigating this landscape, the message is clear: cybersecurity is no longer just an IT expense—it's an essential investment in business continuity, client trust, and long-term resilience.