April 8, 2026

Cyber attack crisis response moves up the agenda as ASIC and APRA tighten expectations

Geopolitical instability is adding a new layer of risk for financial services firms and it’s not just market volatility.

Cyber security experts warn that global conflicts are increasingly accompanied by a surge in cyber attacks. The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) recently cautioned that Iranian-linked actors have been targeting local entities.

“When it comes to cyber security, we need to be strong no matter how large or small the business is,” recently added the Federal Minister for Cyber Security Tony Burke.

While cyber security has traditionally sat within IT teams, regulators are making it clear that responsibility now sits firmly at the executive and board level - particularly when it comes to incident response.

Under ASIC’s guidance, including Report 429, financial services licensees are required to have adequate risk management systems in place to detect and respond to cyber incidents. That obligation extends beyond technical containment to include how firms communicate during a crisis.

This is where many firms are still falling short.

In a recent high-profile case, RI Advice Group was penalised after ASIC found it had failed to implement adequate cyber risk management systems across its authorised representatives. The Federal Court found deficiencies including poor controls and inadequate responses to known cyber risks - ultimately resulting in significant remediation costs and enforceable undertakings. While the case focused on cyber governance, it underscored a broader issue: firms that are not prepared operationally are unlikely to be prepared communicatively.

The missing piece: communication under pressure

Despite rising regulatory scrutiny, many financial services firms still lack a structured approach to communicating during a cyber incident.

ASIC expects firms to be able to manage stakeholder communications during incidents and that’s very difficult without a clear, pre-defined playbook.

Under APRA’s CPS 230 (Operational Risk), this expectation is becoming more formalised. The standard requires firms to demonstrate they can manage operational disruptions effectively, including maintaining clear and timely communication with stakeholders.

Overlay the Privacy Act’s Notifiable Data Breaches scheme, which mandates notification when personal data is compromised, and the pressure to get communication right - and fast - becomes even more acute.

What regulators are looking for

Regulators are increasingly focused on evidence of preparedness, not just intent. In reviews and enforcement actions, several themes consistently emerge. Firms are expected to have:

- Documented incident response plans
- Clearly defined communication protocols
- Pre-approved messaging frameworks
- Regular scenario testing, including cyber breach simulations.

Where firms fail, the consequences are rarely just technical. More often, breakdowns occur in:

- Delayed or inconsistent client communication
- Poor internal coordination
- Unclear accountability for decision-making.

These gaps can quickly escalate a cyber incident into a broader reputational and regulatory event.

Playbooks becoming standard practice

Firms are expected to demonstrate the capability to respond and communicate in a structured, timely and effective way. In practice, a playbook is fast becoming the simplest way to evidence that capability. A well-constructed framework can help firms:

- Meet ASIC’s risk management expectations
- Align with APRA’s operational resilience standards
- Comply with Privacy Act notification obligations

More importantly, it provides clarity in the moments that matter most.

A question of preparedness

For the financial services sector, cyber risk is now a permanent feature of the operating environment.

The combination of rising geopolitical tension, increasingly sophisticated threat actors and tightening regulatory expectations means firms are being tested on multiple fronts.

The question is no longer whether an incident will occur - but whether firms are ready to respond when it does.