Hacked Email? An Adviser’s Guide to What’s Next
Key Takeaways (TL;DR)
- Notify Your Licensee Immediately: This is your most important and urgent first step. Your AFS Licence holder is ultimately responsible and must activate their incident response plan.
- Secure Your Account: Straight away, change your password, sign out of all active sessions, and enable multi-factor authentication (MFA). Then check the mailbox for rules the attacker may have added, especially auto-forwarding or rules that delete or hide replies, and remove any you did not create.
- Follow the Communication Plan: Do not contact clients without direction. Your licensee will have a specific plan for how and when to communicate the breach to affected parties.
- It May Be a Reportable Situation: A data breach like this can be a “Reportable Situation” that your licensee must report to the Australian Securities and Investments Commission (ASIC) within 30 days.
- Document Everything: Keep detailed records of when you discovered the hack, what happened, who was affected, and every step you’ve taken in response.
If your email is hacked and you’re an Authorised Representative (AR) of an AFSL, you must immediately notify your licensee. This is your primary obligation. Then secure the account: change the password, revoke active sessions and any unfamiliar connected apps, enable multi-factor authentication, and remove any forwarding or inbox rules you did not set up. Prepare to follow your licensee’s incident response and client communication plan.
It’s a horrible feeling. A client or contact gets in touch to say they’ve received a strange “business proposal” email from you that you never sent. Your stomach drops as you realise your professional email account has been compromised. For an AR, this isn’t just a personal IT problem; it’s a serious compliance event that triggers a cascade of professional and legal responsibilities. Failing to act correctly can have significant consequences for you, your clients, and your licensee.
This guide outlines the essential steps you must take to manage the situation effectively and meet your obligations.
What is the very first thing I must do?
Your first action, before anything else, is to report the incident to your AFS Licence holder (AFSL). This is not just a suggestion; it’s a fundamental part of your duty as an Authorised Representative. Your licensee needs to know instantly so they can take control of the situation and begin their formal response process.
Why is telling my AFSL so important?
Informing your licensee is critical for several reasons:
- Ultimate Responsibility: The AFSL is ultimately responsible for the financial services provided under its licence, which includes your conduct and the security of the systems you use.
- Incident Response Plan: Your licensee will have a documented incident response plan that must be followed. Delaying your report prevents this plan from being activated promptly.
- ASIC Reporting Obligations: The AFSL, not the AR, has a legal duty to report certain breaches to ASIC. They cannot assess their obligation to report if they are unaware of the breach.
What information should I record?
From the moment you suspect a breach, you must document everything. This record is vital for the investigation and for demonstrating that you acted responsibly. Your log should include:
- The exact date and time you discovered the breach.
- A description of the incident (e.g., fake “business proposal” emails sent to contacts). Keep copies of the fraudulent emails, including their headers, and the contacts who reported them; do not delete them, as they are evidence for the investigation.
- A list of all immediate steps you took to secure the account, with times (e.g., “changed password at 10:15 am,” “enabled MFA at 10:20 am,” “removed unknown forwarding rule at 10:25 am”).
- Any communication you’ve had with clients or contacts about the incident.
How should I handle communication with my clients?
Managing client communication is one of the most sensitive parts of a data breach. Your actions here can either build trust or destroy it. The key is to follow a coordinated and approved plan.
Should I contact clients myself?
No. You must follow the AFSL’s communication plan. Your licensee will determine the appropriate message, timing, and method for informing clients. Acting on your own could contradict the official strategy, create confusion, and potentially worsen the situation. The communication needs to be transparent and swift, but controlled.
What if a client has lost money?
If the breach leads to a client suffering financial loss or other harm, the obligation to assess and remediate that harm falls on the licensee. An investigation will need to determine the full extent of the breach. If a client has a valid claim for loss, the AFSL is responsible for providing a remedy, which could include compensation. This is a key reason why Professional Indemnity insurance is so important. For more on licensee duties, you can read our guide on understanding AFSL general obligations.
What are my legal and regulatory duties?
As an AR, your personal duties are tied directly to your licensee’s broader regulatory obligations. A hacked email account can easily escalate into a formal reportable breach.
When does a hacked email become a ‘Reportable Situation’ for ASIC?
Under the law, AFSLs must report certain “significant” breaches to ASIC. Your licensee’s compliance team will assess whether your hacked email meets the criteria. According to ASIC’s guidance in Regulatory Guide 78 (Breach reporting by AFS licensees and credit licensees), a breach is generally considered “significant” if it:
- Results in, or is likely to result in, financial loss or damage to a client (for example, a client acting on a fraudulent payment instruction sent from your account).
- Materially affects the AFSL’s ability to provide its authorised financial services.
- Indicates that the licensee’s compliance and risk management frameworks are inadequate.
How quickly does this need to be reported?
If the incident is deemed a Reportable Situation, the AFSL must lodge a report with ASIC within 30 calendar days of first knowing, or being reckless as to whether, there are reasonable grounds to believe a reportable situation has arisen. This tight deadline is precisely why your immediate, internal report to your licensee is non-negotiable. Separately, if the mailbox held clients’ personal information, the licensee may also need to assess the incident under the Notifiable Data Breaches scheme in the Privacy Act 1988, which can require notifying the Office of the Australian Information Commissioner (OAIC) and affected individuals; that is a distinct obligation from ASIC breach reporting.
What happens after the immediate crisis is over?
Once the account is secure and the initial reporting is done, the focus shifts to investigation and prevention. This incident must be treated as a learning opportunity to strengthen your security posture for the future.
What is my role in the investigation?
You must cooperate fully with any investigation conducted by your licensee. The goal is to find the “root cause” of the breach. Was it a weak or reused password that had already been exposed in another breach? Were you the victim of a phishing attack that captured your login? Did malware on your device steal saved credentials or session tokens? Was MFA missing, or did you approve an MFA prompt you did not initiate? The sign-in logs for the account, showing the time, IP address and location of each login, are usually the starting point. Answering these questions is essential to prevent it from happening again.
What security improvements will I likely need to make?
Following an investigation, you will almost certainly be required to implement enhanced security controls. These are no longer “nice-to-haves” but essential business practices. Expect to:
- Enforce Multi-Factor Authentication (MFA): This should be active on all business-related accounts. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted or socially engineered.
- Strengthen Password Policies: Use a password manager to create and store a long, unique password for every service; length and uniqueness matter more than complexity, and never reuse a business password elsewhere.
- Update Software: Keep your operating system, browser, email client and other applications patched, and run up-to-date endpoint protection (antivirus and anti-malware). Infostealer malware on an unpatched device is a common way credentials and active sessions are taken.
- Participate in Training: Your licensee will likely require you to complete mandatory cybersecurity training to help you spot phishing attempts and other common threats. The Australian Cyber Security Centre (ACSC) provides excellent resources for businesses.
Taking these steps is not just about ticking boxes. It’s about fulfilling your professional duty to protect your clients, your business, and the integrity of the financial services industry. A hacked email is a serious wake-up call, and how you respond defines your commitment to compliance and best practice. For more practical advice, see our article on cyber resilience tips for advisers.