the adviser logo

ASIC to update ACL process following security breach

by Annie Kane6 minute read
ASIC to update ACL process following security breach

The financial services regulator is working on “alternative arrangements” for submitting credit licence applications, after identifying a cyber “incident” on one of its servers.

The Australian Securities and Investments Commission (ASIC) has revealed that it is working on new methods of submitting Australian Credit Licence (ACL) applications after becoming aware of a “cyber security incident” involving “unauthorised access” on one of its servers.

To continue reading the rest of this article, create a free account
Already have an account? Sign in

On 15 January, the regulator was reportedly made aware of an incident relating to the Accellion software it uses to transfer files and attachments, including those on ACL applications. 

While an investigation into the matter is ongoing, ASIC has said that the recent incident involved “unauthorised access” to a server which contained documents associated with recent ACL applications.


ASIC has warned that there is “some risk that some limited information may have been viewed by the threat actor”. However, it added that it has not yet seen any evidence that any ACL application forms or any attachments had been opened or downloaded.

As a precaution, and to protect information and systems, ASIC has now disabled access to the affected server. 

The regulator said that it is “working on alternative arrangements for submitting credit application attachments”, which will be implemented “shortly”. 

These alternative arrangements have not yet been disclosed. The Adviser has reached out to ASIC to ask for further details, once confirmed.

“ASIC is working with Accellion and has notified the relevant agencies as well as impacted parties to respond to and manage the incident,” the regulator has said.

“ASIC’s IT team and cyber security advisers engaged by ASIC are undertaking a detailed forensic investigation and working to bring systems back online safely.”

The regulator added that it has written to directly impacted parties.

No other ASIC technology infrastructure is believed to have been impacted or breached.

Cyber security in focus

The breach is the latest in a string of cyber incidents impacting the financial services industry, after the Reserve Bank NZ and law firm Allens both suffered similar incidents in early January.

Indeed, in November last year, APRA executive board member Geoff Summerhayes warned that a major cyber breach in finance was inevitable.

Speaking last year, Mr Summerhayes outlined that while no APRA-regulated bank, insurer or superannuation fund had suffered a substantial cyber attack to date, he added that a lack of awareness among the higher ranks of companies will only make it a matter of time.

The surge in online activity through the COVID period had also presented a “business opportunity” for scammers and the like, he added.

Indeed, during the course of 16 days through March 2020, the Australian Cyber Security Centre received more than 45 pandemic-themed cyber crime and cyber security incident reports, while the ACCC’s Scamwatch received more than 100 reports of COVID-themed scams.

Last month, the Council of Financial Regulators (CFR) released a Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework to test and demonstrate the cyber maturity and resilience of institutions within the Australian financial services industry.
The CFR – which includes the Reserve Bank of Australia (RBA), the Australian Securities and Investments Commission (ASIC), the Australian Prudential Regulation Authority, and the Treasury – has developed the framework to assist the financial institutions with the preparation and execution of industry-wide cyber resilience exercises.

CORIE is a pilot program of exercises that will use intelligence gathered on adversaries to mimic the way they operate.

The exercises will mimic the tactics, techniques and procedures (TTP) of real-life adversaries through the creation and utilisation of tools and using techniques that may not have been anticipated and planned for.

According to the CFR, these exercises aim to measure an organisation’s ability to identify, respond and recover from the operations of a real-life adversary based on such TTPs.

The program will include threat intelligence-led exercises to assess the overall maturity of a financial institution’s cyber defence and response capability.

[Related: Home owners scammed by ‘ruthless criminals’]

ASIC to update ACL process following security breach
asic ta
TheAdviser logo
asic ta

Annie Kane

Annie Kane


Annie Kane is the editor of The Adviser and Mortgage Business.


You need to be a member to post comments. Register for free today


mark pesce futurist ajxjkn

Automation is changing, not replacing, the role of finance brokers

On Thursday (4 August), the Australian Financial Review (AFR) ran a story with the headline: “Finance brokers top...

des hang carbar zaheer jappie carclarity ta qtvnqr

CarClarity confirms partnership with car subscription platform

Established in March 2020, CarClairty is a finance platform that connects car buyers with more than 30 different...

anthony albanese profile ta vtpifc

Further grants confirmed for flood survivors, $47m pledged

According to a statement released by the federal government, the Back Home grant will be made available to impacted...

Read the latest issue of The Adviser magazine!
The Adviser is the number one magazine for Australia's finance and mortgage brokers. The publications delivers news, analysis, business intelligence, sales and marketing strategies, research and key target reports to an audience of professional mortgage and finance brokers
Read more