The Qantas hack is not just a wake-up call for airlines. It is a warning for any company that thinks outsourcing technology or customer data will keep it safe. Australia’s top financial regulator now wants the nation’s finance sector to tighten up before another major breach happens.
ASIC’s message is clear. Offshoring will not protect you from data breaches.
After a malicious actor broke into Qantas systems and leaked customer information onto the dark web, the Australian Securities and Investments Commission has put finance companies on notice. ASIC’s latest review found big holes in the way banks, wealth managers, and advisers use offshore service providers. The regulator says poor oversight and weak risk management are putting consumers and investors in harm’s way.
“Advice licensees and responsible entities can outsource services but they cannot outsource their fundamental obligations,” ASIC Commissioner Alan Kirkland said. “When licensees neglect their responsibilities, consumers, investors and financial services businesses can be exposed to harm, such as exposure of personal information through cyber incidents.”
ASIC’s review found many finance businesses are sending sensitive tasks and data offshore. Too many are not monitoring these third parties. Some do not even have a risk framework in place. The regulator says ticking a box is not enough.
“The more critical the outsourced function, the greater the risks to consumers and investors,” Kirkland said. The risk gets worse when overseas providers are not being supervised. Foreign laws can also create conflicting obligations, and key business functions can leave Australian control.
The message is simple. Storing, managing, or processing customer data overseas does not make you safe from attack or from liability.
ASIC is not just issuing warnings. The regulator has already taken enforcement action against firms like FIIG Securities and Fortnum Private Wealth for failing to manage cybersecurity risk. In 2022, the Federal Court ruled against RI Advice for breaching its obligations by failing to manage cyber risks. That case is now a warning for other companies.
“Financial services firms cannot drop their guard. Cyber-attacks are more prevalent and growing in sophistication,” Kirkland said. “All licensees must proactively review governance frameworks and address issues that threaten to undermine public confidence in their business and in turn, the financial system.”
ASIC will keep monitoring how finance firms manage risk around offshore providers. The regulator promises to hold companies to account when they fall short.