Monday 22nd June 2026
Regulatory pressure makes crisis communications a necessity
As ASIC and APRA sharpen expectations, executive leaders must prioritise cyber resilience. Beyond IT defense, wealth management firms need robust crisis communication strategies to maintain regulatory compliance and protect crucial client trust.
Crisis preparedness and cyber resilience are moving rapidly up the wealth management business agenda as ASIC and APRA sharpen expectations.
Regulators have made it clear that responsibility for crises such as cyber incidents now sits firmly at the executive and board level. ASIC’s guidance, including Report 429 for example, requires financial services licensees to maintain adequate risk management systems to detect and respond to cyber incidents.
That obligation extends beyond technical containment to include how firms communicate during a crisis.
For financial advice firms, trust is everything. But in a crisis, such as a cyber incident or fraud, that trust can be tested in minutes. From ransomware attacks and data breaches to system outages and third-party failures, advice practices are increasingly vulnerable to operational disruption.
With geopolitical instability driving a rise in malicious cyber activity globally, the risk environment is becoming more complex.
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has warned that international tensions are often accompanied by increased cyber-attacks targeting Australian organisations, including financial services firms.
Federal Cyber Security Minister, Tony Burke, recently reinforced the message: “When it comes to cyber security, we need to be strong no matter how large or small the business is.”
For advice firms, that means cyber preparedness can no longer sit solely with outsourced IT providers or compliance teams. Regulators are making it clear that responsibility rests with firm leadership.
Regulatory expectations rising
ASIC has long required Australian Financial Services Licensees to maintain adequate risk management systems to identify, manage and respond to cyber threats. Guidance in ASIC Report 429 and subsequent enforcement actions makes clear that cyber resilience includes more than technical controls.
It also includes how firms communicate with clients, staff, regulators and key stakeholders when something goes wrong.
Recent regulatory action against financial services businesses has highlighted common failings: inadequate cyber governance, weak oversight of authorised representatives, poor controls around sensitive client information and insufficient incident response capability.
For advice firms, the consequences can extend well beyond remediation costs or compliance breaches. Delayed communication, inconsistent messaging or uncertainty about next steps can quickly damage client confidence and adviser reputation.
The gap
Many firms have invested in stronger cyber protections, but cyber resilience requires more than technical defences, and far fewer firms have prepared for the communication challenges that follow an incident.
Key points to consider:
- How quickly can you notify affected clients?
- Who approves external messaging?
- What will advisers say if clients call in panic after hearing about a breach?
- How will your team coordinate if systems are down?
These are not theoretical questions. They are exactly the issues that can determine whether an operational incident remains manageable or escalates into a reputational crisis.
APRA’s CPS 230 Operational Risk standard, while directed at regulated entities, is also influencing broader industry expectations around resilience.
The emphasis is clear: firms must be able to maintain critical operations and communicate clearly during disruptions.
At the same time, the Privacy Act’s Notifiable Data Breaches scheme imposes strict obligations when personal information is compromised, often requiring rapid and carefully managed disclosure.
What good preparedness looks like
Regulators are increasingly focused on evidence of readiness, not simply intention. Advice firms should be able to demonstrate:
- A documented incident response plan covering operational and cyber events, which is the foundation of cyber resilience,
- Clear internal decision-making responsibilities during a crisis,
- Defined communication protocols for clients, staff, regulators and media,
- Pre-approved messaging templates to accelerate response times, and
- Scenario testing, including cyber breach simulations.
As a result, crisis communication toolkits are becoming essential in providing advice firms with a practical framework to respond quickly and confidently when an incident occurs. They need to set out:
- escalation pathways,
- stakeholder communication priorities,
- message templates,
- approval processes,
- media response protocols, and
- adviser guidance for client conversations.
Importantly, a communications toolkit and playbook help firms demonstrate preparedness to regulators while protecting their most valuable asset: client trust.
At Capital Outcomes, we work with financial services businesses to develop practical crisis communication playbooks and response strategies. To discuss your firm’s preparedness, reach out to our team at Guy@capitaloutcomes.co or Simrita@capitaloutcomes.co.