Your clients — SMEs, listed companies, AFSL holders — face Privacy Act obligations, APRA requirements, and Board-level cyber governance questions they cannot answer internally. You refer. We assess. You receive a referral fee and your client gets Board-ready evidence.
Drawn from a combined GRC and passive OSINT engagement, anonymised. Your practice leads the client and the advice — we supply the technical assessment that sits underneath it. No systems are ever accessed.
Two abbreviated extracts from real 2026 engagements, anonymised — a commercial lender and a mortgage broker. Each is a selection of findings, not the full report, drawn through a combined GRC and passive OSINT lens. You keep the client and the advice; these are the findings your advice stands on. No systems are ever accessed.
A lender writing in the billions — where a single credential, left in an old build of the website, sat publicly retrievable alongside offshore borrower data and an unowned recovery plan.
A passive review of the organisation’s historical web footprint surfaced valid credentials belonging to a principal of the business, left behind in an archived build of the public website. They were publicly retrievable. No systems were accessed to find them.
Credentials belonging to a principal are the highest-value key in the building — they typically reach approvals, funds movement, and everything beneath. That they sat publicly retrievable, in code no one had looked at in years, means anyone could have found them the same way we did.
In the Latitude Financial breach (2023), a stolen employee login was the entry point — leading to roughly 14 million records taken, including 7.9 million driver licence numbers, and $76 million in pre-tax costs. A credential does not need to be phished if it is already sitting in public.
One to raise immediately with IT and whoever holds identity. The direction is to treat those credentials as compromised, and to stop relying on a password alone as the barrier to anything that moves money. Maps to Essential Eight (MFA) and APP 11.
The organisation’s public website ran on a WordPress installation months behind on core and plugin updates, with published CVEs against the versions in use. It was observable from the outside, without touching it.
A known CVE is a documented attack path with exploit code often freely available. Essential Eight asks for extreme-risk vulnerabilities to be patched within 48 hours. A marketing site is still a foothold on the same brand, and often the same infrastructure.
The ASD’s ACSC found inadequate patching behind the majority of the significant incidents it responded to. In one Australian case, an unpatched Microsoft Exchange server took attackers four days to reach full encryption. Essential Eight at Maturity Level One is assessed to cut compromise risk by up to 85% — most of that is patching.
Sits with IT, or whoever maintains the website. The direction is a patching rhythm someone owns, rather than updates applied when somebody remembers. Maps to Essential Eight (patch applications).
Sensitive borrower financial information — the material behind lending decisions — was held on platforms hosted or controlled offshore. For at least one, the hosting jurisdiction could not be confirmed, and no cross-border accountability arrangement was evident.
Under APP 8 the organisation remains accountable for what an overseas recipient does with the data. Offshore hosting can also place that data under foreign jurisdiction and government-access laws it does not control — a question a lender cannot answer with “we assumed it was fine.”
In the 2Apply / IRE determination (OAIC, 2026), a third-party platform’s handling of personal data drew a landmark ruling, remedied by a mandated independent review. In Latitude, the stolen data sat with service providers, not the lender itself — and the lender still wore it.
Sits with procurement and the privacy function. The direction is to map where the data actually lives, confirm accountability for each recipient, and revisit anything whose location cannot be established. Maps to APP 8 and APP 11.
The lending stack was a chain of connected platforms. Trust between them was largely unmanaged: long-lived credentials, broadly scoped API connections, and no schedule for reviewing who could reach what.
Every integration is a doorway. When systems trust one another automatically and no one revisits that trust, a compromise of one platform moves quietly into the rest — and each new integration widens a surface nobody is watching.
ASD’s ACSC lists supply-chain and trusted-relationship compromise among the hardest risks to detect, precisely because the access looks legitimate. An over-trusted integration is an open door no alarm treats as suspicious.
A conversation for IT and whoever manages the platform relationships. The direction is to know every integration that exists, keep each to only the access it needs, and review them rather than set-and-forget. Maps to Essential Eight (application hardening).
Governance for disaster recovery had no clear owner. A plan and a patchwork of backups existed, but no single role was accountable, no recovery-time objective was set, and it had never been tested end to end.
This was the finding both engagements shared — a commercial lender and a mortgage broker, different in size and structure, with the identical governance blind spot. Either would be recovering with no one accountable for how. That is a GRC failure, not a technical one.
After the HWL Ebsworth breach (2023), review and notification ran for months — some individuals were not told for up to six months. Untested, unowned recovery turns a contained incident into a prolonged crisis, and boards are held to account for resilience they cannot demonstrate.
The first fix is ownership itself: someone — operations or business continuity, with the board watching — needs to own the plan, set a recovery target, and confirm it actually works. The direction matters more than the tooling. Maps to Essential Eight (backups) and ASD resilience guidance.
The Lender risk profile
A public credential and an unpatched public system put exposure in the top-right. Indicative only: each point is a plausible path to compromise, not a prediction.
A small firm that grew quickly, and outpaced the software it was built on — with the borrower application portal, and everything in it, reachable from the public internet.
The client application portal — the intake path for borrower identity documents, payslips, bank statements and credit information — was reachable directly from the public internet. It sat outside any firewall restriction and did not enforce multi-factor authentication, on a business transacting significant sums.
This is the single richest target the firm holds: verified identity documents and financial records, in one place, behind a login. A portal handling that material should be restricted at the network edge and protected by MFA at minimum. Neither was true.
In Optus (2022), a public-facing endpoint that should never have been reachable exposed roughly 9.5 million customers. In Latitude (2023), the material taken was precisely this class of document — 7.9 million driver licence numbers. Identity documents are what attackers want, and an exposed portal is where they are.
One to raise immediately with IT. The direction is to restrict who can reach the portal at all, and to require more than a password of anyone who does. Maps to Essential Eight (MFA) and APP 11.
The firm ran on platforms chosen when it was much smaller, kept in service as volumes grew. Several were past the point where they were being actively maintained, and the security assumptions built into them no longer matched the value of what they now held.
Software chosen for a small firm rarely carries the controls a large one needs. As transaction volume rises, the same platform holds more, and matters more — but the protections around it usually do not move with it.
The ASD’s ACSC repeatedly warns that legacy and unsupported systems provide a direct pathway for compromise: once updates stop, vulnerabilities quickly become public knowledge and heavily targeted.
Sits with IT, but the call is the partners’. The direction is to plan for replacing or retiring what has been outgrown — and, until then, to make sure someone owns it as a known risk. Maps to Essential Eight (patching).
Connections to aggregator platforms, lender panels and the CRM had been established as the business grew and then left alone. Access was broad, credentials were long-lived, and no one had revisited what each connection could reach.
A broker sits at the centre of a web of other people’s systems. Each connection carries client data outward and trust inward. Where that trust is never reviewed, a compromise anywhere in the chain has a clear path in.
ASD’s ACSC lists supply-chain and trusted-relationship compromise among the hardest attacks to detect — the access looks legitimate. In Latitude, the data was taken through service providers connected to the business, not the business itself.
A conversation for IT and whoever owns the aggregator and lender relationships. The direction is to know every connection, keep each to what it actually needs, and review them on a rhythm. Maps to Essential Eight (application hardening).
Security configuration had been assembled reactively — each control added when a specific need or incident prompted it, rather than designed as a whole. There was no documented baseline, so no way to tell what was deliberate and what was left over.
A configuration nobody designed is a configuration nobody can verify. Without a documented baseline there is no way to demonstrate what protections exist, which is exactly what a regulator, an insurer, or an acquirer will ask to see.
The OAIC assesses whether an organisation took reasonable steps to protect personal information, judged against its size, resources, and the sensitivity of what it holds. “We added things as we went” is not evidence of reasonable steps.
Sits with IT, with the partners setting the expectation. The direction is a documented baseline — a written statement of what good looks like here — so the firm can show what it does, not just say it. Maps to APP 11.
Governance for disaster recovery had no clear owner. A plan and a patchwork of backups existed, but no single role was accountable, no recovery-time objective was set, and it had never been tested end to end.
This was the finding both engagements shared — a commercial lender and a mortgage broker, different in size and structure, with the identical governance blind spot. Either would be recovering with no one accountable for how. That is a GRC failure, not a technical one.
After the HWL Ebsworth breach (2023), review and notification ran for months — some individuals were not told for up to six months. Untested, unowned recovery turns a contained incident into a prolonged crisis, and boards are held to account for resilience they cannot demonstrate.
The first fix is ownership itself: someone — operations or business continuity, with the board watching — needs to own the plan, set a recovery target, and confirm it actually works. The direction matters more than the tooling. Maps to Essential Eight (backups) and ASD resilience guidance.
The Broker risk profile
An exposed portal holding identity documents dominates the profile. Indicative only: each point is a plausible path to compromise, not a prediction.
Governance, risk and compliance is the scaffolding that forces an organisation to know what it owns, who owns each risk, and whether its controls can be demonstrated. A documented policy does not stop an intrusion — knowing what is externally exposed, before an attacker does, is what turns an assessment into a defence.
Every consequence cited above is drawn from public regulatory, court, or government records. The findings themselves are anonymised and illustrative of real 2026 engagements.
Risk ratings are indicative assessments of plausible exposure, not predictions of a certain outcome. No client is named or identifiable.
Your advisory practice covers strategy, compliance planning, and regulatory guidance — but not the technical assessment that proves posture. That's where we come in.
AFSL holders and super funds carry specific APRA CPS 234 and Privacy Act obligations. When your client asks about cyber governance, you have an answer. We handle the assessment.
Business advisory clients increasingly face cyber questions from insurers, procurement teams, and regulators. A GRC assessment gives them documented evidence without requiring technical expertise from your practice.
Directors need to demonstrate they've exercised due care on cyber risk. A Board-ready GRC assessment gives them documented evidence of the organisation's external posture.
When APRA, the OAIC, or a sector regulator asks questions, your client needs evidence — not assurances. Our assessments provide sourced, framework-mapped findings.
Government and enterprise procurement increasingly requires GRC evidence. A structured assessment with framework mapping satisfies the requirements your client can't produce internally.
After a breach, your client needs to understand what was visible before the incident. A passive assessment reconstructs the external picture without interfering with forensics.
No technical expertise required from your side. No client confusion. No overlap with your legal services.
The trustee has no cyber assessment capability. You refer them to BlackFlag Advisory. We deliver a passive assessment within 7 days — risk register, framework mapping, Board-ready summary. The auditor gets the evidence they need. You receive a referral fee and your client relationship is strengthened.
The insurer wants independent evidence before they price the policy. Your client has nothing to show them. You refer them to us. We produce the assessment. The insurer gets what they need, the client gets renewed, and you've added tangible value to the relationship.