Cyber security for Australian mortgage brokers.
Mortgage brokers collect some of the most concentrated personal financial data in any profession. Payslips, tax returns, bank statements, credit reports and identity records pass through a typical broker's workflow before, during and after each deal. IronSights helps broking practices protect that data and the platforms it moves through.
ISO 27001 certified, Microsoft certified security engineers, Sydney-based. We work with sole traders, small practices and multi-office broking businesses across Australia.
Threat context
Why mortgage broking practices are targeted.
- Every mortgage deal generates income records, bank statements, identity documents and credit history — concentrated personal data that has direct financial value to attackers.
- Business email compromise targeting settlement instructions is the most common attack type. A compromised or spoofed inbox lets an attacker substitute fraudulent payment details at exactly the right moment.
- Aggregator portal credentials are the most consistent gap. Most practices manage five to eight portals through shared spreadsheets. When a broker leaves without offboarding, those credentials stay active.
- Privacy Act obligations apply to most brokers regardless of turnover due to AML/CTF reporting requirements. A breach involving client application data will almost always trigger mandatory NDB notification.
Common risks
What we find when we work with broking practices.
Aggregator portal credential exposure
Most broking practices manage access to multiple aggregator portals (AFG, Connective, Finsure, PLAN, Loan Market and others) through shared credentials stored in a spreadsheet or passed by message. When a broker leaves, those credentials often stay active. When one device is compromised, an attacker has access to active loan pipelines and submitted client applications containing payslips, tax returns and identity documents.
Business email compromise targeting settlement
The settlement instruction email is one of the highest-value targets in any BEC campaign. A broker managing multiple concurrent settlements is handling payment instructions from clients, conveyancers and lenders. An attacker who has compromised a broker's email account, or successfully spoofed it, can substitute fraudulent account details. The transaction is often completed before anyone recognises what happened.
Client document data volume
A single mortgage application moves payslips, tax returns, bank statements, credit reports, photo ID and assets and liabilities statements through the broker's systems. Multiply that across an active pipeline and the data held at any time is substantial. Microsoft 365 environments where these documents are stored in shared inboxes or unsecured SharePoint folders without sensitivity controls are difficult to contain once a breach occurs.
Weak offboarding processes
Brokers change aggregators. Assistants and parabrokers come and go. Shared credentials and access to platforms are rarely revoked systematically. Former staff with no current relationship to the practice can retain access to systems containing live client data for months or years after leaving.
ACL and Privacy Act exposure
Australian credit licence holders collect personal information for AML/CTF purposes, bringing Privacy Act obligations even for small businesses below the $3 million turnover threshold that would otherwise exempt them. A breach involving client application data will almost always meet the serious harm threshold for NDB notification. Privacy and Other Legislation Amendment Act 2024 increases the penalties available for serious or repeated breaches.
How we help
Services for Australian mortgage broking practices.
From credential management and Microsoft 365 hardening to ongoing monitoring and penetration testing, the controls that address broking-specific risks are straightforward to implement. We help you get them right and keep them working.
Microsoft 365 security
MFA enforcement, DMARC and DKIM configuration, and sensitivity labels for client financial documents. Client payslips, tax returns and identity records are automatically detected and labelled Highly Confidential, with controls that restrict external sharing and forwarding without requiring manual decisions on each file.
Fortify — managed security
24x7 monitoring, threat detection and rapid containment for broking practices that cannot justify a full-time security function. Monthly reporting gives you the evidence base for PI insurance renewals and any ASIC or ACCC correspondence.
Security reviews
Most broking practices start here. We assess your aggregator portal credential management, Microsoft 365 configuration, client document handling and incident response capability. You get a plain-language report with prioritised recommendations and a realistic remediation timeline.
Penetration testing
External network and simulation tests that identify the specific paths an attacker would use to reach your client data and payment systems. Risk-rated report with an executive summary and technical remediation guidance. Thirty-day free retest included.
Compliance
Regulatory obligations for mortgage brokers.
Multiple frameworks apply to most broking practices. Getting clarity on which ones apply to you is the starting point for understanding your actual obligations.
Australian credit licence obligations
Mortgage brokers operating under an Australian credit licence or as credit representatives must comply with the National Consumer Credit Protection Act. Cyber security obligations flow primarily from the responsible lending obligations and the need to maintain adequate systems and processes. The Privacy Act applies to all ACL holders collecting personal information for credit purposes, regardless of business size.
Notifiable data breaches in a broking context
A mortgage broker collects more concentrated personal financial information per client than most other service providers: income, assets, liabilities, identity, credit history and bank account details. A breach involving this data almost always meets the serious harm threshold for NDB notification. The Privacy and Other Legislation Amendment Act 2024 has increased the penalties for serious or repeated breaches and from December 2026 will require disclosure of automated decision-making tools in privacy policies.
AML obligations for brokers
Mortgage brokers who provide designated services under the AML/CTF Act carry compliance obligations regardless of annual turnover. This brings Privacy Act obligations when handling personal information for AML/CTF purposes, even for small practices below the $3 million threshold that would otherwise create an exemption. The AML/CTF Amendment Act 2024 extends Tranche 2 reforms from 1 July 2026, potentially bringing additional service types into scope.
Common questions
Asked by brokers like you.
Not in this list? Call us on 1300 004 766 or book a 30-minute consultation. No obligation.
What is the biggest cyber security risk for a mortgage broking practice?
Aggregator portal credential management is the most common gap we find. Most practices manage access to five to eight portals through a shared spreadsheet or via messages. Credentials rarely have individual ownership — and rarely get revoked when someone leaves. A business password manager with individual accounts per broker, enrolled against each portal, solves this problem. The second most common issue is no MFA on Microsoft 365 or the email domain not having DMARC configured, which makes the practice trivially easy to spoof in settlement-related BEC attacks.
Does the Privacy Act apply to a small mortgage broking business?
The general rule is that businesses with annual turnover below $3 million are exempt from the Privacy Act. Mortgage brokers who collect personal information for AML/CTF purposes are not exempt, regardless of turnover. In practice, most brokers are collecting personal information in a way that brings them within the Privacy Act, either because they are AML/CTF reporting entities or because their aggregator group's privacy framework extends obligations to them.
How should a mortgage broker handle client documents securely?
The minimum is that client financial documents (payslips, tax returns, bank statements and identity records) should not be sitting in shared inboxes or unsecured SharePoint folders accessible to everyone in the practice. Microsoft Purview sensitivity labels can automatically detect and classify these documents and apply controls that restrict external forwarding and unapproved sharing. Document retention policies should also be in place so that client data from completed applications is not sitting in the system indefinitely.
What happens if a broker's email account is compromised during a settlement?
An attacker with access to a broker's inbox can monitor settlement correspondence and substitute bank account details in an instruction that appears to come from the broker. The client or conveyancer completes the transfer to the attacker's account. Recovery depends on how quickly the fraud is identified and whether the bank can freeze the receiving account. MFA on the email account is the most direct prevention. DMARC configuration prevents spoofing of the broker's domain without needing access to the real account.
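The answer above turns on whether the broker's domain publishes a DMARC policy that receivers will actually enforce. The checker below is an added illustration, not IronSights tooling or any aggregator's code: it parses a DMARC TXT record and reports the settings that leave a domain spoofable (no policy, p=none, partial pct, weaker subdomain policy, no reporting address). The two records it runs against are constructed samples for an invented domain, not any real broker's DNS, and the record is passed in as a string rather than looked up, so it runs offline.

```python
"""Assess a DMARC DNS TXT record for settings that leave a domain open to
spoofing in settlement-related BEC. Added example, not IronSights code."""

# Constructed sample records (example.invalid is a reserved test domain, not a real broker).
WEAK_RECORD = "v=DMARC1; p=none; pct=100"
STRONG_RECORD = (
    "v=DMARC1; p=reject; sp=reject; "
    "rua=mailto:dmarc-reports@example.invalid; pct=100"
)

# Policy strength order used to compare the organisational and subdomain policies.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        tag, _, value = part.partition("=")
        tags[tag.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return a list of findings; an empty list means no weakness was found."""
    findings = []
    tags = parse_dmarc(record)

    # Without v=DMARC1 receivers ignore the record entirely.
    if tags.get("v") != "DMARC1":
        findings.append("not a DMARC record (v=DMARC1 missing)")
        return findings

    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        findings.append("p= policy missing or invalid; receivers will not enforce anything")
    elif policy == "none":
        findings.append("p=none: spoofed mail is still delivered, the domain is only monitored")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to junk instead of being rejected")

    # pct below 100 applies the policy to only a fraction of failing mail.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")

    # sp defaults to p; an explicitly weaker sp leaves subdomains spoofable.
    sub_policy = tags.get("sp", policy).lower()
    if policy in POLICY_RANK and sub_policy in POLICY_RANK:
        if POLICY_RANK[sub_policy] < POLICY_RANK[policy]:
            findings.append(f"sp={sub_policy}: subdomains protected more weakly than the main domain")

    # Without rua= nobody receives aggregate reports, so misconfiguration goes unnoticed.
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")

    return findings


if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, assess_dmarc(record) or ["no findings"])
```

The weak record is the typical "we set up DMARC" state: valid, monitored, and unenforced. Moving to p=reject is what stops a spoofed settlement email from reaching the conveyancer; MFA on the mailbox, as the answer notes, covers the separate case where the real account is used.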
Does IronSights work with sole trader brokers or only larger practices?
We work with practices of all sizes. For a sole trader or small practice, a security review is usually the right starting point. It gives you a clear picture of where your exposure is and a prioritised list of what to address, without committing to ongoing spend. We also deploy Microsoft 365 security configurations that a small practice can run largely on autopilot once they are set up.
Further reading
Related insights.
Business email compromise in Australian financial services
BEC targets settlement instructions and payment redirections. How the attacks work and what stops them.
Compliance: ASIC cyber security obligations for AFSL holders
What s912A of the Corporations Act requires, what controls satisfy the standard, and what enforcement looks like in practice.
Technical: The Essential Eight for Australian financial services
What each Essential Eight control means for financial services firms, which maturity level applies to your business, and where assessments find the most common gaps.
Case study: Microsoft 365 security for a Sydney mortgage broking firm
Credential hygiene, access controls and data classification — how IronSights secured a multi-broker practice handling high volumes of sensitive client data.
Start with a review
Understand your actual exposure before something goes wrong.
We assess your aggregator portal credential management, Microsoft 365 environment, client document handling and incident response capability. You get a plain-language report with prioritised recommendations and a realistic remediation timeline.
ISO 27001 and ISO 9001 certified. NSW Master Security Licence 000109187. Microsoft certified security engineers. Australian-owned. Sydney-based.