The financial services regulator is working on “alternative arrangements” for submitting credit licence applications, after identifying a cyber “incident” on one of its servers.
The Australian Securities and Investments Commission (ASIC) has revealed that it is working on new methods of submitting Australian Credit Licence (ACL) applications after becoming aware of a “cyber security incident” involving “unauthorised access” on one of its servers.
On 15 January, the regulator was reportedly made aware of an incident relating to the Accellion software it uses to transfer files and attachments, including those on ACL applications.
While an investigation into the matter is ongoing, ASIC has said that the recent incident involved “unauthorised access” to a server which contained documents associated with recent ACL applications.
ASIC has warned that there is “some risk that some limited information may have been viewed by the threat actor”. However, it added that it has not yet seen any evidence that any ACL application forms or any attachments had been opened or downloaded.
As a precaution, and to protect information and systems, ASIC has now disabled access to the affected server.
The regulator said that it is “working on alternative arrangements for submitting credit application attachments”, which will be implemented “shortly”.
These alternative arrangements have not yet been disclosed. The Adviser has reached out to ASIC to ask for further details, once confirmed.
“ASIC is working with Accellion and has notified the relevant agencies as well as impacted parties to respond to and manage the incident,” the regulator has said.
“ASIC’s IT team and cyber security advisers engaged by ASIC are undertaking a detailed forensic investigation and working to bring systems back online safely.”
The regulator added that it has written to directly impacted parties.
No other ASIC technology infrastructure is believed to have been impacted or breached.
Cyber security in focus
The breach is the latest in a string of cyber incidents impacting the financial services industry, after the Reserve Bank NZ and law firm Allens both suffered similar incidents in early January.
Speaking last year, Mr Summerhayes outlined that while no APRA-regulated bank, insurer or superannuation fund had suffered a substantial cyber attack to date, he added that a lack of awareness among the higher ranks of companies will only make it a matter of time.
The surge in online activity through the COVID period had also presented a “business opportunity” for scammers and the like, he added.
Indeed, during the course of 16 days through March 2020, the Australian Cyber Security Centre received more than 45 pandemic-themed cyber crime and cyber security incident reports, while the ACCC’s Scamwatch received more than 100 reports of COVID-themed scams.
CORIE is a pilot program of exercises that will use intelligence gathered on adversaries to mimic the way they operate.
The exercises will mimic the tactics, techniques and procedures (TTP) of real-life adversaries through the creation and utilisation of tools and using techniques that may not have been anticipated and planned for.
According to the CFR, these exercises aim to measure an organisation’s ability to identify, respond and recover from the operations of a real-life adversary based on such TTPs.
The program will include threat intelligence-led exercises to assess the overall maturity of a financial institution’s cyber defence and response capability.
[Related: Home owners scammed by ‘ruthless criminals’]