Powered by MOMENTUM MEDIA
the adviser logo
Compliance

New ACL application process following ASIC incident

by Annie Kane12 minute read
New ACL application process following ASIC incident

The financial services regulator has outlined its stop-gap measure for new Australian Credit Licence applications, as it investigates “unauthorised access” of one of its servers.

On 15 January, the regulator was reportedly made aware of a cyber incident relating to the Accellion software it uses to transfer files and attachments, including those on ACL applications. 

The incident may have impacted ACL applications that were lodged with attachments between 1 July 2020 and 28 December 2020.

While ASIC has said that it immediately applied the recommended patch and sought a review of the server access logs from Accellion following the incident, it is currently conducting an investigation into the matter alongside “independent cybersecurity experts” to determine the extent of the breach and temporarily changing the way in which attachments are lodged on new ACL applications.

==
==

With the relevant server having now been disabled, ASIC has said that those seeking to lodge ACL applications, such as brokers, should follow the below steps:

  1. Complete and submit an application (ASIC forms CL01 and CL03) via https://www.edge.asic.gov.au/011/acrportal/get/ServicesLogin; 
  2. Once forms have been submitted, email This email address is being protected from spambots. You need JavaScript enabled to view it. to notify ASIC that a credit licence application has been submitted;
  3. Once the email has been sent, ASIC will contact each application to then provide them with specific details on how to lodge attachments.

What was impacted in the cyber incident

The incident involved an “unidentified threat actor” accessing an ASIC server which contained attachments to Australian Credit Licence applications.

The incident may have impacted attachments to applications submitted between 1 July 2020 and 28 December 2020.

It is believed that the issue occurred due to a “vulnerability in a file transfer appliance” provided by California-based Accellion and used by ASIC.

According to ASIC’s preliminary investigations, the credit licence application forms held within the server were not accessed and there is no evidence that attachments were opened or downloaded. 

However, the filenames of attachments for credit licence applications that were submitted to ASIC between 1 July 2020 and 28 December 2020 “may have been viewed by the threat actor”, the regulator has revealed.

This could include the names of the ACL applicants or names of an individual responsible manager, if these were used in the filename of the attachment (for example, on CV attachments).

ASIC has said that it has written to all identified credit licence applicants (via the contact email address nominated by the applicant) to inform them of the incident. It is warning them to be vigilant of any approaches from parties purporting to have their confidential information. ASIC has also provided affected parties with a range of steps outlining what to do if they are approached.

Further, ASIC is also recommending that any ACL applicants who believe they may have been impacted should not respond to any email, telephone or social media communications that they consider suspicious, and if unsure, to verify their legitimacy before providing any confidential information. 

However, the regulator has said that, to date, it had not received reports of any attacks (attempted or actual) against any Australian Credit Licence applicants as a result of the incident. 

ASIC is advising any affected ACL applicants (those who submitted an application between 1 July 2020 and 28 December 2020) to contact ASIC and the Australian Cyber Security Centre should they encounter any suspicious inquiries relating to their ACL application, or threats regarding the disclosure of any confidential information by a third party.

[Related: ASIC to update ACL process following security breach]

form signature

AUTHOR

Annie Kane is the managing editor of Momentum's mortgage broking title, The Adviser.

As well as leading the editorial strategy, Annie writes news and features about the Australian broking industry, the mortgage market, financial regulation, fintechs and the wider lending landscape.

She is also the host of the Elite Broker, New Broker, Mortgage & Finance Leader, Women in Finance and In Focus podcasts and The Adviser Live webcasts. 

Annie regularly emcees industry events and awards, such as the Better Business Summit, the Women in Finance Summit as well as other industry events.

Prior to joining The Adviser in 2016, Annie wrote for The Guardian Australia and had a speciality in sustainability.

She has also had her work published in several leading consumer titles, including Elle (Australia) magazine, BBC Music, BBC History and Homes & Antiques magazines.  

JOIN THE DISCUSSION

You need to be a member to post comments. Become a member for free today!