Powered by MOMENTUM MEDIA
the adviser logo
Compliance

ASIC to update ACL process following security breach

by Annie Kane12 minute read
ASIC to update ACL process following security breach

The financial services regulator is working on “alternative arrangements” for submitting credit licence applications, after identifying a cyber “incident” on one of its servers.

The Australian Securities and Investments Commission (ASIC) has revealed that it is working on new methods of submitting Australian Credit Licence (ACL) applications after becoming aware of a “cyber security incident” involving “unauthorised access” on one of its servers.

On 15 January, the regulator was reportedly made aware of an incident relating to the Accellion software it uses to transfer files and attachments, including those on ACL applications. 

While an investigation into the matter is ongoing, ASIC has said that the recent incident involved “unauthorised access” to a server which contained documents associated with recent ACL applications.

==
==

ASIC has warned that there is “some risk that some limited information may have been viewed by the threat actor”. However, it added that it has not yet seen any evidence that any ACL application forms or any attachments had been opened or downloaded.

As a precaution, and to protect information and systems, ASIC has now disabled access to the affected server. 

The regulator said that it is “working on alternative arrangements for submitting credit application attachments”, which will be implemented “shortly”. 

These alternative arrangements have not yet been disclosed. The Adviser has reached out to ASIC to ask for further details, once confirmed.

“ASIC is working with Accellion and has notified the relevant agencies as well as impacted parties to respond to and manage the incident,” the regulator has said.

“ASIC’s IT team and cyber security advisers engaged by ASIC are undertaking a detailed forensic investigation and working to bring systems back online safely.”

The regulator added that it has written to directly impacted parties.

No other ASIC technology infrastructure is believed to have been impacted or breached.

Cyber security in focus

The breach is the latest in a string of cyber incidents impacting the financial services industry, after the Reserve Bank NZ and law firm Allens both suffered similar incidents in early January.

Indeed, in November last year, APRA executive board member Geoff Summerhayes warned that a major cyber breach in finance was inevitable.

Speaking last year, Mr Summerhayes outlined that while no APRA-regulated bank, insurer or superannuation fund had suffered a substantial cyber attack to date, he added that a lack of awareness among the higher ranks of companies will only make it a matter of time.

The surge in online activity through the COVID period had also presented a “business opportunity” for scammers and the like, he added.

Indeed, during the course of 16 days through March 2020, the Australian Cyber Security Centre received more than 45 pandemic-themed cyber crime and cyber security incident reports, while the ACCC’s Scamwatch received more than 100 reports of COVID-themed scams.

Last month, the Council of Financial Regulators (CFR) released a Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework to test and demonstrate the cyber maturity and resilience of institutions within the Australian financial services industry.
The CFR – which includes the Reserve Bank of Australia (RBA), the Australian Securities and Investments Commission (ASIC), the Australian Prudential Regulation Authority, and the Treasury – has developed the framework to assist the financial institutions with the preparation and execution of industry-wide cyber resilience exercises.

CORIE is a pilot program of exercises that will use intelligence gathered on adversaries to mimic the way they operate.

The exercises will mimic the tactics, techniques and procedures (TTP) of real-life adversaries through the creation and utilisation of tools and using techniques that may not have been anticipated and planned for.

According to the CFR, these exercises aim to measure an organisation’s ability to identify, respond and recover from the operations of a real-life adversary based on such TTPs.

The program will include threat intelligence-led exercises to assess the overall maturity of a financial institution’s cyber defence and response capability.

[Related: Home owners scammed by ‘ruthless criminals’]

asic ta

AUTHOR

Annie Kane is the managing editor of Momentum's mortgage broking title, The Adviser.

As well as leading the editorial strategy, Annie writes news and features about the Australian broking industry, the mortgage market, financial regulation, fintechs and the wider lending landscape.

She is also the host of the Elite Broker, New Broker, Mortgage & Finance Leader, Women in Finance and In Focus podcasts and The Adviser Live webcasts. 

Annie regularly emcees industry events and awards, such as the Better Business Summit, the Women in Finance Summit as well as other industry events.

Prior to joining The Adviser in 2016, Annie wrote for The Guardian Australia and had a speciality in sustainability.

She has also had her work published in several leading consumer titles, including Elle (Australia) magazine, BBC Music, BBC History and Homes & Antiques magazines.  

JOIN THE DISCUSSION

You need to be a member to post comments. Become a member for free today!