Financial Services in Australia & New Zealand

In financial services, trust is the product. Cyber risk is simply how fast you can lose it.

Banks, insurers, super funds, wealth platforms, fintechs and regulated entities across ANZ

Banks, super funds, insurers, wealth managers and fintechs are all racing to digitise. Always-on mobile apps, instant payments, AI-powered credit decisions and open banking APIs have become table stakes.

At the same time, attackers are industrialising too.

  • USD 4.44M – Global average breach cost
  • USD 6.08M – Average breach cost (finance)
  • #1 – Top reporter of mandatory breaches
  • 22% – Above the global average; second only to healthcare

In Australia, finance (including superannuation) is now consistently one of the top two sectors by number of notifiable data breaches, accounting for about 14% of all reports to OAIC between January and June 2025, second only to health. (OAIC)

That’s before you factor in the new wave of AI-driven fraud and deepfake-enabled scams, which are rapidly changing both the threat profile and customer expectations.

Fortura exists to make sure your balance sheet, your customers and your licence aren’t the next case study.

Our Focus

Who We Work With

Fortura works with financial institutions and regulated entities across ANZ, including:
  • Banks and mutuals
  • Credit unions and building societies
  • Superannuation funds and administrators
  • Investment managers and wealth platforms
  • General and life insurers
  • Fintechs, payments companies and BNPL providers
  • Brokers, advice groups and other AFSL/ACL holders

If you’re regulated by APRA, ASIC or the RBNZ, or you operate in the wider financial ecosystem that supports them, this page is for you.

Rising Expectation

The New Risk Equation in Financial Services

The last few years have shifted the cyber equation for financial institutions:

1. Everything is real-time. Instant payments, NPP, open banking and 24×7 digital channels mean there’s no such thing as “after hours” anymore.

2. Data lives everywhere. Core banking on-prem, cloud data lakes, SaaS risk systems, regtech tools, customer apps, and third-party analytics platforms.

3. Regulatory tolerance is shrinking. APRA, ASIC and overseas regulators now treat cyber resilience as a first-order prudential and conduct issue, not a technical footnote.

According to IBM’s 2025 analysis, data breaches linked to shadow AI—unsanctioned AI tools adopted by staff—now account for around 20% of all breaches and add roughly USD 670,000 to the average breach cost, largely due to slower detection and more sensitive data being exposed. (IBM)

For financial services, that’s a problem. Your teams are experimenting with AI to move faster; attackers are doing the same.

The winners in this wave won’t be the firms that adopt AI fastest. They’ll be the firms that adopt AI safest.

Who This Page Is Really For

We design our financial services work around four groups:

Boards and directors

Responsible for CPS 234/CPS 230 and overall operational resilience. Need plain-English answers to “Are we within our risk appetite?” and “Where are we most exposed?”

Executive teams

CEOs, CFOs, CROs, COOs balancing growth, digital transformation and cost discipline, while regulators, investors and customers ask harder questions about cyber resilience.

CIOs, CISOs, Chief Data & AI Officers, CROs / Heads of Operational Risk & Compliance

Living where the rubber meets the road: frameworks, controls, projects, incidents, budgets.

Security, technology and risk teams

Engineers, analysts and risk managers who need clarity on priorities, not another 200-page framework mapping.

This page should make sense to all four. It’s written so you can share it directly with your board pack, risk committee or architecture forum.

Inside The Attack

How Attacks Really Play Out in Financial Services

Modern attacks on financial institutions are rarely “single vector” events. They’re campaigns.

1. Reconnaissance and credential harvesting
  • Attackers gather data from LinkedIn, paste sites and info-stealer logs, then combine it with AI-written phishing emails and deepfake voice calls. Banks globally are reporting scams where AI-cloned voices impersonate relationship managers or even family members. (Australian Banking Association)

2. Compromise of identity or third parties
  • Entry often comes via compromised staff credentials, an exposed admin interface, or a third-party vendor with inadequate controls.

3. Pivot into high-value systems
  • Once inside, attackers look for payments platforms, trading systems, customer data stores, authentication systems and backup infrastructure—anything that can be monetised quickly or used for extortion.

4. Monetisation and manipulation
  • Ransomware against core platforms or shared services
  • Data theft for extortion, insider trading, or fraud
  • Manipulation of payment instructions, loan applications or KYC/identity flows
  • “Silent” compromises aimed at long-term data exfiltration

Layered over this are AI-driven fraud patterns: deepfake audio on phone calls, synthetic IDs generated to bypass KYC, AI-written investment scams, and “pig-butchering” style schemes funnelling funds through your channels.

Deepfake-related fraud losses alone exceeded USD 410 million in the first half of 2025, and industry surveys now report that around 90% of fraud teams see criminals actively using generative AI in their operations. (Fourthline)

The risk is no longer hypothetical; it’s operational.

Emerging Risk

The AI Shift: New Attack Surface, New Defences

AI is changing the risk landscape for financial services on both sides of the ledger.

On the attacker side

  • AI-assisted phishing and social engineering – convincing, localised messages at scale.
  • Deepfake voices and video – used to spoof executives, relationship managers and even regulators.
  • Synthetic identity generation – high-quality fake IDs and supporting documents that pass legacy KYC checks. (Thomson Reuters)
  • Automated fraud rings – AI agents that can handle multiple scam conversations simultaneously across chat, email and messaging apps.

On the defender side

  • AI-driven fraud and anomaly detection — Banks in Australia now screen tens of millions of events per day using AI, from payments to credential resets, to spot abnormal patterns in near real-time. (CommBank)
  • Behavioural biometrics and device intelligence — Distinguishing humans from bots and deepfakes.
  • Automated SOAR and response — Faster containment when something does slip through.

If AI is changing your business faster than it’s changing your controls, you’re building on sand.

A big theme in 2025’s breach data is the AI oversight gap: AI systems and tools being deployed faster than governance, threat modelling and control design can keep up. That’s where Fortura leans in.

Compliance

Regulatory & Framework Landscape: More Teeth, Less Patience

For financial institutions in ANZ, cyber risk is no longer just “good hygiene”—it’s core to prudential and conduct obligations.

APRA CPS 234 – Information Security

Requires APRA-regulated entities to maintain an information security capability commensurate with vulnerabilities and threats, including board oversight, testing and third-party arrangements. (APRA)

APRA CPS 230 – Operational Risk Management

In force from 1 July 2025, CPS 230 mandates resilience of critical operations, robust operational risk management and clear accountability for disruptions—including those originating from service providers and cyber incidents. (APRA)

ASIC expectations & AFSL/ACL obligations

ASIC has made it clear that inadequate cyber resilience can be a breach of general licensee obligations. Recent enforcement actions and court penalties for cyber failings are a warning shot to the sector.

Privacy and data protection

Australian Privacy Act and NDB scheme, AUSTRAC reporting, NZ Privacy Act, and—where relevant—GDPR, DORA, and other cross-border obligations for global operations.

Frameworks

NIST CSF, ISO 27001, PCI DSS, and the ACSC Essential Eight all sit beneath the regulatory layer, giving you the language to describe and structure your control environment.

Fortura doesn’t treat these as a paperwork exercise. We treat them as the minimum operating standard for being allowed to hold other people’s money.

Costs of Compromise

The Cost Side: Breaches, Fines and the “AI Penalty”

The financial cost of getting this wrong is rising on three fronts:

1. Direct breach costs
  • Average global breach cost: USD 4.44 million in 2025
  • Average breach cost for financial services: around USD 6.08 million—second only to healthcare and around 22% higher than the global average. (Baker Donelson)

2. Regulatory and legal consequences
  • Civil penalties and enforceable undertakings from ASIC for inadequate cyber controls
  • APRA expectations around CPS 234 and CPS 230, including potential capital implications or licence conditions
  • Overseas fines where you process data subject to regimes like GDPR or DORA

3. The “AI penalty”
  • IBM’s 2025 data shows that shadow AI incidents add roughly USD 670,000 to the average breach due to longer detection times and more sensitive data being exposed; 97% of AI-related breaches lacked basic access controls. (Baker Donelson)

For boards and CFOs, the ROI case is stark:

  • One material incident can wipe out years of incremental cost-saving gains and trigger regulatory interventions.
  • A targeted uplift across identity, data protection, AI governance, vendor risk and incident readiness typically costs a fraction of a single major incident, and pays back in reduced loss frequency and severity.

The real question for financial services in 2026 isn’t “What will cyber cost us?” It’s “What are we willing to invest to stay in business when—not if—something breaks?”

Hidden Costs of Compromise

Where Fortura Fits In for Financial Services

Rather than list every service, it’s easier to think about where Fortura slots into your existing structure.

For Boards, Risk & Audit Committees

We help you turn cyber from a vague concern into a concrete conversation:

  • Independent risk & control assessments aligned to NIST CSF, ISO 27001, ACSC Essential Eight and CPS 234 expectations
  • Clear heatmaps of where CPS 230 operational resilience is most at risk from cyber incidents
  • AI & emerging tech risk reviews so you can ask sharper questions about AI adoption, shadow AI and model governance

For CROs, CIOs, CISOs and Heads of Security

We work as an extension of your leadership team:

  • Attack surface, cloud and application exposure assessments that reflect how attackers see your institution
  • Zero Trust and security architecture patterns mapped to your core financial systems, data platforms and third-party ecosystem
  • Threat-informed validation (purple teaming), penetration testing and ransomware readiness grounded in financial-sector TTPs
  • Incident response planning and exercises that combine cyber, fraud, operations, customer, legal and media stakeholders

For Security, Technology & Operational Risk Teams

We give your teams the signal and support they need:

  • Managed vulnerability management and third-party risk assessments so your teams can focus on the highest-impact issues
  • Ongoing cloud security posture monitoring to catch misconfigurations before attackers do
  • Practical, prioritised remediation guidance—not just findings and dashboards

The common thread is pragmatism: we care less about how many controls you’ve documented, and more about how your institution would perform if tomorrow’s incident was on the front page.

Horizon

The Next 3–5 Years of Financial Services Cyber

Over the next few years, we expect:

2027

Explosive growth in AI-driven fraud and scams

Deloitte estimates gen-AI-enabled fraud could reach USD 40 billion in annual losses in the US alone by 2027, up from USD 12.3 billion in 2023. Financial institutions everywhere will feel similar pressure. (Deloitte)

2028

Tighter expectations on third-party and cloud risk

Regulators will expect CPS 230-level rigour applied to vendors, critical service providers and cloud environments.

2029

AI regulation and model risk

Boards will be accountable for understanding how AI models make decisions that affect customers, markets and risk.

2030

Operational resilience as a competitive differentiator

Keeping critical services running through disruption will become a selling point to customers, investors and regulators.

Fortura’s role as a challenger is to keep you:

  • Honest about your real risk position
  • Clear on the trade-offs you’re making
  • Equipped with a roadmap that your board, regulators and teams can get behind

We’re not here to tell you to buy another tool. We’re here to help you prove to yourself and your regulators that you can take a hit and keep serving customers.

FAQ

Financial Services in Australia & New Zealand

Fortura is a cybersecurity company delivering intelligence-led services today and building security platforms for the future.

Because you sit at the centre of money flows and sensitive data. You’re heavily regulated, highly digitised and tightly interconnected with vendors and infrastructure providers. That makes you both lucrative to attack and complex to defend.

We align risk and control assessments to CPS 234 expectations, map cyber scenarios into your CPS 230 critical operations, and help you build testing, incident response and vendor risk practices that satisfy both prudential standards and real-world resilience needs.

Most clients start with a focused risk & controls assessment plus an attack surface and AI/shadow AI risk review. From there, we build a concise roadmap and, where needed, support execution through architecture design, testing, exercises and managed services.

AI is amplifying both fraud and defence. Attackers use generative AI for highly convincing phishing, deepfake voices and synthetic IDs, while defenders use AI to detect anomalies in payments and identity flows in near real-time. The risk comes when AI is adopted faster than governance—particularly shadow AI.

Yes. Global frameworks give you structure; local regulators give you rules. Fortura bridges the two—translating NIST/ISO/PCI maturity into language and expectations APRA, ASIC and RBNZ recognise.

Work with us

Fortura Will Support You Across Every Phase of Your Security Lifecycle

No Sales Scripts. We'll Talk Through Your Situation.

If you're shaping strategy, assessing risk, or preparing for what's next, we'll help you get clear on priorities and act with confidence. Tell us what you're working through - we'll respond quickly.

Response time: Within 24 hours
Office location: Sydney City/Parramatta/Remote