Will Insignia’s cyber attack deter PE acquirers?



Insignia Financial, which is currently midway through due diligence with two private equity firms, has suffered a cyber attack on its Expand platform.
It was announced on 4 April that the firm had experienced a cyber attack on its Expand platform, affecting its superannuation members. It is understood this was a coordinated cyber attack which affected Insignia, as well as superannuation funds AustralianSuper, Australian Retirement Trust, Hostplus and Rest.
Shares in the firm fell 6 per cent following the news, having risen 12 per cent since the start of 2025.
In a statement, Insignia confirmed the incident affected around 100 Expand accounts and said there had been no financial impact to its members. It described the incident as conducted by a “malicious third-party” and involving “credential stuffing”, in which an unusual number of login attempts targeted the platform.
Liz McCarthy, chief executive of MLC Expand, said: “We detected suspicious activity on around 100 Expand Wrap Platform customers’ accounts and at this stage there has been no financial impact to customers.”
“Our cyber security team is actively working to apply additional monitoring and mitigations to protect customer accounts. As a precaution, we have taken steps to restrict some activities on the Expand platform.
“We are communicating with impacted customers and their advisers, and will continue to keep them updated. At this stage there has been no financial impact to members.”
However, the incident is badly timed for the firm, which is currently midway through a six-week period of extended due diligence with private equity firms Bain Capital and CC Capital, both of which are considering acquiring the firm.
Commenting on the incident, financial services M&A expert, Tony Beaven, said: “This could potentially have a major impact for any purchaser, both from a financial and reputational risk point of view. As a minimum, any potential purchaser would want to understand the extent of the attack and if any parties were impacted financially.”
He noted that the fallout from the incident could necessitate a report to the regulator, contacting customers, and a possible fine depending on its severity. Insignia may also need to update and enhance its IT and cyber security measures, which can bring unforeseen additional costs that will be taken into consideration in any bids.
“Any potential cyber attack, depending on the severity, would need to be reported to the regulator who would want full disclosure on events and the processes and procedures that have been put in place to rectify this, which could include writing out to impacted customers, hence the potential reputational and financial risk depending on the severity of any attack.
“The purchaser would be acutely conscious of the fines regarding cyber security breaches.
“As a minimum they would be looking at enhanced IT security due diligence and would embed any findings as an immediate fix in any contract with an indemnity clause for any issues or compensation as a result of any attack if they went ahead.”
Fraser Jack, founder of The Cyber Collective, said: “The reputational damage extends further than the potential purchaser of the platform. Incidents like these can erode the trust between clients and their advisers if the adviser has recommended the platform. Reputational damage may also have an ongoing effect on future inflows to the platform.
“The way any platform communicates with advisers to reassure them is important and should be transparent and swift.”
This was echoed in a paper on AFSL cyber security by law firm Hall & Wilcox, which said ASIC has identified cyber security failures by licensees as a major enforcement priority this year.
It said: “ASIC considers that cyber security risk management practices reduce potential harm to end consumers and expects licensees to implement and evolve their risk management systems to counter cyber security threats.
“Active management of cyber risks and regular improvement to existing risk management systems should be a routine operation at licensees to minimise exposure to attacks. The more sensitive the information held by the licensee, the more robust the risk management framework must be.
“It is clear even at this early stage in the proceeding that ASIC will be taking cyber security failings seriously in 2025. Enforcement action from ASIC could come as a direct consequence of a cyber breach if the licensee is considered to have failed to take steps to protect its systems from infiltration.”
Last November, Insignia unveiled a five-year plan during its Investor Day to cut costs and maximise scale, covering advice, asset management, wrap and Master Trust. The plan seeks to achieve around $200 million per annum in net cost savings by FY30.
On Expand specifically, which is the third-largest platform in the market, it said it is looking to “use technology, including artificial intelligence and robotics, to innovate and differentiate in the market to drive superior customer outcomes”.