
E-conveyancing has brought a significant degree of convenience and benefit to the conveyancing process, but has also brought risks that all those working in the industry need to be alert to.

Conveyancing is moving to 100% e-conveyancing, where the preparation, settlement and lodgement stages of the process are performed through an electronic lodgement network operator (ELNA) such as Property Exchange Australia (PEXA). This work includes transfers, mortgages, discharges and caveats.[1] Indeed, it is possible that the entire conveyancing business will become digital in the near future. The use of artificial intelligence can be expected to accelerate these developments.

However, with these developments comes greater cybersecurity risk and the related need to implement a range of cyber protections.

There is a range of controls in the e-conveyancing Model Participant Rules that help to address some of these cyber risks. For example, there are rules around the verification of the identity of the parties involved, there are obligations on conveyancing ‘subscribers’ to implement appropriate cyber protections, and participants can adopt guidance from the Australian Signals Directorate (ASD) Essential 8 protections.

In this paper I set out two key issues that apply to all organisations, namely that each organisation needs to apply appropriate risk management to cyber threats and to develop an appropriate Business Continuity Plan (BCP).

Given the growing number and scope of cyber attacks, organisations need to develop their skills in risk management and business continuity planning, in addition to dealing with technical issues such as implementing the ASD’s Essential 8.

Key roles and accountabilities for an organisation rest with the board and senior management. In a partnership this would be the partnership board and senior management.

Risk identification is critical to developing appropriate risk management strategies.

Business continuity planning is less well known, but it reflects the need to focus on how your enterprise can recover if it is impacted by an incident such as a cyber attack. If an enterprise wants to survive, it needs to be able to recover its critical operations relatively quickly and then all of its other functions within a reasonable time.

While the Australian Prudential Regulation Authority (APRA) does not govern law firms, as it focuses on regulating banks, insurers and superannuation trustees, it has developed a range of standards that provide useful guidance for all enterprises. APRA recently issued Prudential Standard CPS 230, which takes effect on 1 July 2025, in relation to Operational Risk Management for APRA-regulated entities (the APRA Standard).

The APRA Standard provides some useful guidance in relation to risk management and Business Continuity Plans.

Roles and responsibilities

As a first step, and to avoid paralysis if there is a cyber attack, your enterprise needs to specify the roles and responsibilities of a range of personnel well before an incident occurs.

The APRA Standard at rules 22 and 23 notes that:

22.     The Board must:

(a)      oversee operational risk management and the effectiveness of key internal controls in maintaining the entity’s operational risk profile within risk appetite. The Board must be provided with regular updates on the APRA regulated entity’s operational risk profile and ensure senior management takes action as required to address any areas of concern;

(b)      approve the BCP and tolerance levels for disruptions to critical operations, review the results of testing and oversee the execution of any findings; and

(c)      approve the service provider management policy, and review risk and performance reporting on material service providers.

23.     Senior management of an APRA-regulated entity must provide clear and comprehensive information to the Board on the expected impacts on the entity’s critical operations when the Board is making decisions that could affect the resilience of critical operations. [emphasis added]

These concepts are universal. For your enterprise, this means that management and the Board need to work together proactively to identify roles and responsibilities, and then plan for a cyber attack before it happens.

Risk Management

Risk management is often not well done, or is an afterthought, in enterprises. However, in these times of increased cyber threat, risk management needs to be implemented as a core function of your enterprise. Boards and senior management must know what is digitally critical for the enterprise’s operations, integrity, reputation and compliance, and ensure that policies and plans are in place to protect the critical assets of the enterprise.[2]

The APRA Standard provides useful guidance about how an enterprise may implement the above concepts.

Under rule 27, an APRA-regulated entity must:

(a)      maintain a comprehensive assessment of its operational risk profile. As part of this, an APRA-regulated entity must maintain appropriate and effective information systems to monitor operational risk, compile and analyse operational risk data and facilitate reporting to the Board and senior management;

(b)      identify and document the processes and resources needed to deliver critical operations, including people, technology, information, facilities and service providers, the interdependencies across them, and the associated risks, obligations, key data and controls; and

(c)      undertake scenario analysis to identify and assess the potential impact of severe operational risk events, test its operational resilience and identify the need for new or amended controls and other mitigation strategies. [emphasis added]

Further, under rules 29, 30 and 31:

29.     An APRA-regulated entity must design, implement and embed internal controls to mitigate its operational risks in line with its risk appetite and meet its compliance obligations.

30.     An APRA-regulated entity must regularly monitor, review and test controls for design and operating effectiveness, the frequency of which must be commensurate with the materiality of the risks being controlled. The results of testing must be reported to senior management and any gaps or deficiencies in the control environment must be rectified in a timely manner.

31.     An APRA-regulated entity must remediate material weaknesses in its operational risk management, including control gaps, weaknesses and failures. This remediation must be supported by clear accountabilities and assurance and address the root causes of weaknesses in a timely manner. An APRA-regulated entity must include identified control gaps, weaknesses and failures in its operational risk profile until such matters are remediated.

Business Continuity Plan

Given that a cyber attack is likely, your enterprise needs to plan for recovery from an attack.

Under rule 40, an APRA-regulated entity needs to establish and then maintain a Business Continuity Plan (BCP) that addresses:

(a)      the register of critical operations and associated tolerance levels;

(b)      triggers to identify a disruption and prompt activation of the plan, and arrangements to direct resources in the event of activation;

(c)      actions it would take to maintain its critical operations within tolerance levels through disruptions;

(d)      an assessment of the execution risks, required resources, preparatory measures, including key internal and external dependencies needed to support the effective implementation of the BCP actions; and

(e)      a communications strategy to support execution of the plan.

Establishing a BCP is not a set-and-forget exercise. Rather, the BCP needs to be reviewed regularly by the internal audit team (rule 46), adjusted as needed and tested for effectiveness. Under rule 45, the BCP needs to be updated annually.

With this in mind, the APRA Standard provides at rules 43 and 44 that:

43.     An APRA-regulated entity must have a systematic testing program for its BCP that covers all critical operations and includes an annual business continuity exercise. The program must test the effectiveness of the entity’s BCP and its ability to meet tolerance levels in a range of severe but plausible scenarios.

44.     The testing program must be tailored to the material risks of the APRA-regulated entity and include a range of severe but plausible scenarios, including disruptions to services provided by material service providers and scenarios where contingency arrangements are required. APRA may require the inclusion of an APRA-determined scenario in a business continuity exercise for an APRA-regulated entity, or a class of APRA-regulated entities.

Conclusion

Implementing the governance guidance set out in the APRA Standard and the technical controls reflected in the ASD Essential 8, together with training your staff, should minimise your risk of experiencing a cyber attack, and will enhance your ability to manage and respond to a cyber attack if one occurs.

[1]     Deloitte review, The future of the Australian Conveyancing Industry 2025 and 2030, June 2018.

[2]     See International Bar Association Presidential Task Force and the Legal Policy & Research Unit, Global perspectives on protecting against cyber risks: best governance practices for senior executives and boards of directors, 2023, p 11.
