ASIC exposes holes in managed funds' offshoring cyber controls

BY KARREN VERGARA  |  MONDAY, 13 OCT 2025   12:33PM

Responsible entities (REs) of managed funds lack robust risk management practices when it comes to the cyber and security risks relating to services they offshore, according to ASIC.

A review of 30 REs found that more than half, or 17, rely on offshore service providers (OSPs). REs typically outsource the management and oversight of the investment process and administration of a fund's portfolio, custody, fund administration and transaction processing.

ASIC found that 10 REs recognised cyber risks arising from the use of offshore providers and have arrangements in place to manage these risks.

"However, the degree of sophistication and rigour of risk management practices of REs to ensure OSPs have adequate cyber security risk management arrangements varied significantly," ASIC said.

Only four REs that are APRA-regulated or elected to comply with APRA's standards have more sophisticated cyber and security management arrangements when engaging with OSPs.

Eight REs' reviews of OSPs' data-handling protection arrangements are not triggered by changes in threats and vulnerabilities, cyber incidents, changes to standards or changes to the nature and scope of data handled by OSPs.

Five REs did not assess the offshore regulatory environment for data security and data protection, or consider additional precautionary measures such as enhanced encryption, or whether client data is permitted to be transmitted to or accessed from offshore.

ASIC warned REs that, as part of initial and ongoing due diligence, they should regularly assess OSPs' controls for managing sensitive and confidential information and their response procedures for reporting any breaches of personal and confidential information.

The regulator also reviewed offshoring practices of AFSLs and found that many fail to adequately assess, monitor and audit their arrangements, thus putting their processes and business at risk.

Additionally, after assessing two large fund managers, ASIC found a huge volume of enquiries were made to them by OSPs relating to Australian client superannuation and managed fund account information.

"The data indicated that enquiries originating from offshore were occurring regularly, with one fund manager reporting 900 enquiries in a 30-day period and another 16,500 enquiries originating from 24 countries in a 12-month period," ASIC said.

In May, Lifestyle Solutions Financial Planning's Daniel Boce told Financial Standard that his personal assistant located in the Philippines was denied information relating to a third-party authority sent to Vision Super.

Allegedly, a Vision Super representative declined to deal with the employee after asking where she was physically located.

Addressing REs, ASIC warned that "failing to adequately supervise outsourced functions could result in the RE failing to meet its legal obligations and cause harm to consumers."

"Boards of REs need effective and robust risk oversight processes for identifying, prioritising, managing and monitoring critical risks. REs also must have systems in place to ensure that their risk oversight processes are improved continuously as the business environment changes," ASIC said.

