ASIC to update ACL process following security breach

Annie Kane 7 minute read

The financial services regulator is working on “alternative arrangements” for submitting credit licence applications, after identifying a cyber “incident” on one of its servers.

The Australian Securities and Investments Commission (ASIC) has revealed that it is working on new methods of submitting Australian Credit Licence (ACL) applications after becoming aware of a “cyber security incident” involving “unauthorised access” on one of its servers.

On 15 January, the regulator was reportedly made aware of an incident relating to the Accellion software it uses to transfer files and attachments, including those on ACL applications. 

While an investigation into the matter is ongoing, ASIC has said that the recent incident involved “unauthorised access” to a server which contained documents associated with recent ACL applications.


ASIC has warned that there is “some risk that some limited information may have been viewed by the threat actor”. However, it added that it has not yet seen any evidence that any ACL application forms or any attachments had been opened or downloaded.

As a precaution, and to protect information and systems, ASIC has now disabled access to the affected server. 

The regulator said that it is “working on alternative arrangements for submitting credit application attachments”, which will be implemented “shortly”. 

These alternative arrangements have not yet been disclosed. The Adviser has reached out to ASIC to ask for further details, once confirmed.

“ASIC is working with Accellion and has notified the relevant agencies as well as impacted parties to respond to and manage the incident,” the regulator has said.


“ASIC’s IT team and cyber security advisers engaged by ASIC are undertaking a detailed forensic investigation and working to bring systems back online safely.”

The regulator added that it has written to directly impacted parties.

No other ASIC technology infrastructure is believed to have been impacted or breached.

Cyber security in focus

The breach is the latest in a string of cyber incidents impacting the financial services industry, after the Reserve Bank NZ and law firm Allens both suffered similar incidents in early January.

Indeed, in November last year, APRA executive board member Geoff Summerhayes warned that a major cyber breach in finance was inevitable.

Speaking last year, Mr Summerhayes said that while no APRA-regulated bank, insurer or superannuation fund had suffered a substantial cyber attack to date, a lack of awareness among the higher ranks of companies meant it was only a matter of time.

The surge in online activity through the COVID period had also presented a “business opportunity” for scammers and the like, he added.

Indeed, during the course of 16 days through March 2020, the Australian Cyber Security Centre received more than 45 pandemic-themed cyber crime and cyber security incident reports, while the ACCC’s Scamwatch received more than 100 reports of COVID-themed scams.

Last month, the Council of Financial Regulators (CFR) released a Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework to test and demonstrate the cyber maturity and resilience of institutions within the Australian financial services industry.

The CFR – which includes the Reserve Bank of Australia (RBA), the Australian Securities and Investments Commission (ASIC), the Australian Prudential Regulation Authority, and the Treasury – has developed the framework to assist financial institutions with the preparation and execution of industry-wide cyber resilience exercises.

CORIE is a pilot program of exercises that will use intelligence gathered on adversaries to mimic the way they operate.

The exercises will mimic the tactics, techniques and procedures (TTPs) of real-life adversaries by creating and using tools and techniques that may not have been anticipated or planned for.

According to the CFR, these exercises aim to measure an organisation’s ability to identify, respond to and recover from the operations of a real-life adversary based on such TTPs.

The program will include threat intelligence-led exercises to assess the overall maturity of a financial institution’s cyber defence and response capability.

Annie Kane

Annie Kane is the editor of The Adviser and Mortgage Business.

As well as writing about the Australian broking industry, the mortgage market, financial regulation, fintechs and the wider lending landscape – Annie is also the host of the Elite Broker and In Focus podcasts and The Adviser Live webcasts. 
