Cyber security for mortgage aggregators.
Mortgage aggregators manage large broker networks with wide variation in security posture. IronSights helps aggregators establish minimum cyber standards across their networks, protect centralised data assets and meet ASIC's supervision obligations.
ISO 27001 certified, Microsoft certified security engineers, Sydney-based. Practical security for aggregators managing broker network risk at scale.
The risk picture
Why aggregators carry a broader risk surface.
- The risk surface extends to every broker in the network. Several hundred brokers means several hundred potential entry points — most unassessed and beyond the aggregator's direct control.
- The central platform is a high-value target. A successful attack does not compromise one broker's records — it can compromise all of them. That concentration of data demands matching controls.
- ASIC's Fortnum proceedings allege a licensee failed to set minimum cyber standards for its AR network and failed to supervise compliance. The supervision obligations for aggregators are structurally similar.
- A platform breach has sector-wide consequences. NDB obligations, regulatory attention and reputational damage all scale with the number of individuals affected — and in the aggregator model, that number can be very large.
Common risks
What we find when we work with mortgage aggregators.
Broker network security variation
An aggregator with 500 brokers has 500 different security postures to manage. Some run well-configured Microsoft 365 environments with MFA enforced. Others use personal email accounts and shared spreadsheets. Each broker is a potential entry point to the aggregator's platform. The aggregator cannot control those environments directly, but it can establish minimum standards and make platform access conditional on meeting them.
Central platform as a high-value target
The aggregator's CRM, broker management platform and loan origination system hold a consolidated dataset covering client applications, income and identity documents across the entire broker network. A successful attack targeting the aggregator's own systems can expose data from tens of thousands of client relationships in a single event. Controls over who can access that platform, from what devices and with what authentication, need to reflect that concentration of risk.
Licence and supervision exposure
ASIC's proceedings against Fortnum Private Wealth allege that the licensee failed to mandate minimum cyber standards for its authorised representatives and failed to supervise their compliance. While aggregators operate under a different regulatory model to dealer groups in some respects, the supervision and oversight obligations are structurally similar. An aggregator that cannot demonstrate it has established minimum cyber requirements for its broker network and a process for monitoring compliance is carrying regulatory exposure.
Third-party and API integrations
Aggregator platforms integrate with lender APIs, credit reporting systems, document verification services and broker-facing tools. Each integration is an additional attack surface. API credential management, access scoping and monitoring of third-party connections are security disciplines that require active management at scale. Connections that are no longer actively used but retain live credentials represent ongoing risk with no corresponding benefit.
Privacy Act obligations at scale
An aggregator that holds or processes personal information on behalf of broker clients faces Privacy Act obligations that scale with the volume and sensitivity of the data. A breach that affects broker client data across the network will involve NDB notification obligations affecting a large number of individuals. The Privacy and Other Legislation Amendment Act 2024 has increased penalties for serious or repeated breaches and the OAIC has indicated a willingness to pursue large-scale cases.
How we help
Services built for aggregator environments.
From platform penetration testing to broker network frameworks and managed monitoring. Controls and assurance that address the aggregator's own environment and the network risk it carries.
Audit and assurance
for the aggregator's own environment, plus a broker network assessment framework that establishes minimum security standards your brokers can be assessed against. Board-ready report and compliance evidence pack for ASIC and PI insurance purposes.
Penetration testing
External network and web application tests targeting your broker platform and associated infrastructure. Identifies exploitable paths to the central data store before an attacker finds them. Risk-rated report with remediation guidance and a thirty-day free retest included.
Fortify — managed security
Around-the-clock monitoring of the aggregator's own environment. Rapid containment when a threat is detected. A platform that brokers and their clients depend on cannot afford prolonged downtime or a data loss event. Fortify provides the continuous coverage the risk profile requires.
Microsoft 365 security
Hardening the environment that the aggregator's own team operates from: DMARC and email authentication, data classification, and Defender for Business across endpoints. The aggregator's internal environment is the most direct path to the central platform.
Compliance
Regulatory obligations for Australian aggregators.
ASIC's supervision obligations and the Privacy Act both impose requirements that extend beyond the aggregator's own internal environment to the broker network it manages.
Supervision and AR network obligations
ASIC's proceedings against Fortnum Private Wealth allege that a licensee failed to establish minimum cyber standards for its AR network and failed to supervise compliance with those standards. The regulatory principle is that the licensee is responsible for the cyber risk profile of the network it authorises, not only its own environment. Aggregators without minimum cyber standards for their broker networks, and without documented oversight processes, are carrying the same exposure the Fortnum matter has now put in writing.
Data breach obligations at network scale
An aggregator holding client application data across a broker network faces NDB obligations that scale with the network. A platform-level breach affecting broker client data will require notification to the OAIC and to the affected individuals across the network. The Privacy and Other Legislation Amendment Act 2024 has increased penalties for serious or repeated privacy breaches. The OAIC has indicated that large-scale breaches will attract regulatory attention regardless of how the breach occurred.
Common questions
Questions from mortgage aggregators.
Not in this list? Call us on 1300 004 766 or book a confidential consultation. No obligation.
What are a mortgage aggregator's responsibilities for broker network cyber security?
The regulatory principle from ASIC's Fortnum proceedings is that licensees are responsible for the cyber posture of the networks they authorise, not only their own internal environments. For aggregators, that means establishing minimum cyber standards that brokers in the network must meet, with a documented oversight process for monitoring compliance. The content of those minimum standards — MFA on all accounts, secure credential management for platform access, a tested incident response process — can be drawn from ASIC's enforcement findings and the ASD Essential Eight.
How should an aggregator manage security across a large broker network?
The practical approach is to establish a minimum security standard, communicate it to brokers, build it into accreditation or onboarding requirements, and create a process for periodic verification. Platform access controls can reinforce this: conditional access policies that require compliant device status or MFA before a broker can connect to the aggregator's platform create a technical checkpoint that supports the policy layer. Brokers who do not meet the minimum standard cannot access the platform until they do.
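The technical checkpoint described above, written out as a Microsoft Entra Conditional Access policy created through the Microsoft Graph PowerShell SDK. This is an added example, not IronSights' own tooling; the "Broker Network" group name and the broker platform app ID are assumptions you replace with your tenant's values.

```powershell
# Added example: gate the broker-facing platform behind MFA AND a compliant device.
# Assumptions: the platform is registered as an enterprise application (app ID below is a
# placeholder) and brokers are members of a security group named "Broker Network".
# Requires the Microsoft.Graph PowerShell SDK and consent to the scopes listed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Group.Read.All"

$brokerPlatformAppId = "<BROKER-PLATFORM-APP-ID>"                      # placeholder, not a real ID
$brokerGroup         = Get-MgGroup -Filter "displayName eq 'Broker Network'"   # assumed group name

$policy = @{
    displayName   = "Broker platform: require MFA and compliant device"
    # Report-only first: sign-ins are evaluated and logged but not blocked, so you can
    # see which brokers would fail the standard before switching state to "enabled".
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($brokerGroup.Id) }
        applications   = @{ includeApplications = @($brokerPlatformAppId) }
        clientAppTypes = @("all")                       # browser and modern-auth clients alike
    }
    grantControls = @{
        operator        = "AND"                         # both controls must be satisfied
        builtInControls = @("mfa", "compliantDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Brokers who sign in from their own tenant only satisfy the compliant-device control if your cross-tenant access settings trust device compliance claims from that tenant; until that trust is configured, start with MFA alone and review the report-only sign-in logs before enforcing.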
What does a platform-level breach at an aggregator mean for NDB obligations?
A breach affecting client application data across a broker network involves personal information of a large number of individuals. The NDB notification obligation sits with the entity that holds the data, which in the aggregator model may be the aggregator, the broker, or both depending on the data flows. The aggregator should have a clear picture of who holds what data, who carries the NDB obligation for each category, and what the notification process looks like before an incident occurs, not during one.
How does IronSights help aggregators establish minimum standards for their broker networks?
We start by assessing the aggregator's own environment, identifying gaps in the central platform's security posture and the M365 configuration used internally. From there, we develop a minimum security standard for the broker network that is proportionate, testable and can be built into onboarding and accreditation processes. It typically draws on the ASD Essential Eight at the appropriate maturity level and ASIC's published enforcement guidance.
What is the first thing a mortgage aggregator should do to improve its security posture?
Start with a penetration test of the broker-facing platform and a security review of the internal environment. These two assessments give a clear picture of the exploitable paths to the central data store and the gaps in the aggregator's own controls. From there, the most common immediate priorities are enforcing MFA for broker platform access, conducting an application and API access audit to close unused connections, and reviewing whether the incident response plan covers a platform-level breach affecting broker client data across the network.
Further reading
Related insights.
ASIC cyber security obligations for AFSL holders
What s912A requires, what controls are expected across a licensee network, and how ASIC has enforced supervision failures.
FIIG Securities cyber penalty: lessons for AFSL holders
The case that named seven absent controls and confirmed that sustained control failures are a licence breach with civil penalty consequences.
The Essential Eight for Australian financial services
The minimum technical baseline ASIC expects. Useful as the basis for a broker network minimum security standard.
Business email compromise in Australian financial services
BEC targets broker clients at settlement and payment instruction stages. What aggregators should require brokers to have in place.
Also in financial services
IronSights works across the financial services sector.
Start with a review
Security that covers your platform and your broker network.
We assess your environment against the specific risks that aggregators face: central platform security, broker network standards, API and integration controls, and ASIC supervision obligations. The output is a practical, prioritised report your board and compliance team can act on.
ISO 27001 and ISO 9001 certified. NSW Master Security Licence 000109187. Microsoft certified security engineers. Australian-owned. Sydney-based.