Partnerships — Accountants & Advisory

Your Clients Have Regulatory Obligations.
They Need Evidence, Not Assurances.

Your clients — SMEs, listed companies, AFSL holders — face Privacy Act obligations, APRA requirements, and Board-level cyber governance questions they cannot answer internally. You refer. We assess. You receive a referral fee and your client gets Board-ready evidence.

Referral
Fixed fee per engagement
You refer the client. We conduct the assessment. You receive a fixed referral fee. No involvement required beyond the introduction.
Co-Advisory
Joint delivery
You advise on the legal and regulatory dimensions. We deliver the technical GRC assessment. The client receives one coordinated output.
White-Label
Your brand, our methodology
We produce the assessment. You deliver it under your firm's brand. The client sees one provider. No confusion, no conflict.
See an assessment example ↓

What the Assessment Found

Drawn from a combined GRC and passive OSINT engagement, anonymised. Your practice leads the client and the advice — we supply the technical assessment that sits underneath it. No systems are ever accessed.

Two abbreviated extracts from real 2026 engagements, anonymised — a commercial lender and a mortgage broker. Each is a selection of findings, not the full report, drawn through a combined GRC and passive OSINT lens. You keep the client and the advice; these are the findings your advice stands on. No systems are ever accessed.

2 Critical 7 High 1 Medium
Engagement A

Commercial Lender

A lender writing in the billions — where a single credential, left in an old build of the website, sat publicly retrievable alongside offshore borrower data and an unowned recovery plan.

Critical F1 · Credential ExposureA principal’s credentials, left in an archived build of the website APP 11Essential Eight

What we found

A passive review of the organisation’s historical web footprint surfaced valid credentials belonging to a principal of the business, left behind in an archived build of the public website. They were publicly retrievable. No systems were accessed to find them.

Why it matters

Credentials belonging to a principal are the highest-value key in the building — they typically reach approvals, funds movement, and everything beneath. That they sat publicly retrievable, in code no one had looked at in years, means anyone could have found them the same way we did.

Left unaddressed

In the Latitude Financial breach (2023), a stolen employee login was the entry point — leading to roughly 14 million records taken, including 7.9 million driver licence numbers, and $76 million in pre-tax costs. A credential does not need to be phished if it is already sitting in public.

Where this gets owned

One to raise immediately with IT and whoever holds identity. The direction is to treat those credentials as compromised, and to stop relying on a password alone as the barrier to anything that moves money. Maps to Essential Eight (MFA) and APP 11.

High F2 · Unpatched Public SystemsA public-facing WordPress site behind on updates Essential EightASD

What we found

The organisation’s public website ran on a WordPress installation months behind on core and plugin updates, with published CVEs against the versions in use. It was observable from the outside, without touching it.

Why it matters

A known CVE is a documented attack path with exploit code often freely available. Essential Eight asks for extreme-risk vulnerabilities to be patched within 48 hours. A marketing site is still a foothold on the same brand, and often the same infrastructure.

Left unaddressed

The ASD’s ACSC found inadequate patching behind the majority of the significant incidents it responded to. In one Australian case, an unpatched Microsoft Exchange server took attackers four days to reach full encryption. Essential Eight at Maturity Level One is assessed to cut compromise risk by up to 85% — most of that is patching.

Where this gets owned

Sits with IT, or whoever maintains the website. The direction is a patching rhythm someone owns, rather than updates applied when somebody remembers. Maps to Essential Eight (patch applications).

High F3 · Data SovereigntyBorrower financial data held offshore, jurisdiction unclear APP 8APP 11

What we found

Sensitive borrower financial information — the material behind lending decisions — was held on platforms hosted or controlled offshore. For at least one, the hosting jurisdiction could not be confirmed, and no cross-border accountability arrangement was evident.

Why it matters

Under APP 8 the organisation remains accountable for what an overseas recipient does with the data. Offshore hosting can also place that data under foreign jurisdiction and government-access laws it does not control — a question a lender cannot answer with “we assumed it was fine.”

Left unaddressed

In the 2Apply / IRE determination (OAIC, 2026), a third-party platform’s handling of personal data drew a landmark ruling, remedied by a mandated independent review. In Latitude, the stolen data sat with service providers, not the lender itself — and the lender still wore it.

Where this gets owned

Sits with procurement and the privacy function. The direction is to map where the data actually lives, confirm accountability for each recipient, and revisit anything whose location cannot be established. Maps to APP 8 and APP 11.

High F4 · Integration TrustPlatform connections wired once, trust never reviewed Essential Eight

What we found

The lending stack was a chain of connected platforms. Trust between them was largely unmanaged: long-lived credentials, broadly scoped API connections, and no schedule for reviewing who could reach what.

Why it matters

Every integration is a doorway. When systems trust one another automatically and no one revisits that trust, a compromise of one platform moves quietly into the rest — and each new integration widens a surface nobody is watching.

Left unaddressed

ASD’s ACSC lists supply-chain and trusted-relationship compromise among the hardest risks to detect, precisely because the access looks legitimate. An over-trusted integration is an open door no alarm treats as suspicious.

Where this gets owned

A conversation for IT and whoever manages the platform relationships. The direction is to know every integration that exists, keep each to only the access it needs, and review them rather than set-and-forget. Maps to Essential Eight (application hardening).

High F5 · Resilience — DR OwnershipNo one owned the recovery plan or the patchwork Essential EightASD

What we found

Governance for disaster recovery had no clear owner. A plan and a patchwork of backups existed, but no single role was accountable, no recovery-time objective was set, and it had never been tested end to end.

Why it matters

This was the finding both engagements shared — a commercial lender and a mortgage broker, different in size and structure, with the identical governance blind spot. Either would be recovering with no one accountable for how. That is a GRC failure, not a technical one.

Left unaddressed

After the HWL Ebsworth breach (2023), review and notification ran for months — some individuals were not told for up to six months. Untested, unowned recovery turns a contained incident into a prolonged crisis, and boards are held to account for resilience they cannot demonstrate.

Where this gets owned

The first fix is ownership itself: someone — operations or business continuity, with the board watching — needs to own the plan, set a recovery target, and confirm it actually works. The direction matters more than the tooling. Maps to Essential Eight (backups) and ASD resilience guidance.

The Lender risk profile

A public credential and an unpatched public system put exposure in the top-right. Indicative only: each point is a plausible path to compromise, not a prediction.

High
impact
35
12
Medium
impact
4
Low
impact
Low
Medium
High
Plausibility of exposure →
F1 Principal’s credentials publicly retrievable
F2 Unpatched public WordPress site
F3 Borrower data held offshore
F4 Integration trust never reviewed
F5 DR ownership — no owner
Engagement B

Mortgage Broker

A small firm that grew quickly, and outpaced the software it was built on — with the borrower application portal, and everything in it, reachable from the public internet.

Critical F6 · Exposed Application PortalThe borrower application portal, reachable from the public internet APP 11Essential Eight

What we found

The client application portal — the intake path for borrower identity documents, payslips, bank statements and credit information — was reachable directly from the public internet. It sat outside any firewall restriction and did not enforce multi-factor authentication, on a business transacting significant sums.

Why it matters

This is the single richest target the firm holds: verified identity documents and financial records, in one place, behind a login. A portal handling that material should be restricted at the network edge and protected by MFA at minimum. Neither was true.

Left unaddressed

In Optus (2022), a public-facing endpoint that should never have been reachable exposed roughly 9.5 million customers. In Latitude (2023), the material taken was precisely this class of document — 7.9 million driver licence numbers. Identity documents are what attackers want, and an exposed portal is where they are.

Where this gets owned

One to raise immediately with IT. The direction is to restrict who can reach the portal at all, and to require more than a password of anyone who does. Maps to Essential Eight (MFA) and APP 11.

High F7 · Legacy PlatformsSystems carried along as the business scaled Essential Eight

What we found

The firm ran on platforms chosen when it was much smaller, kept in service as volumes grew. Several were past the point where they were being actively maintained, and the security assumptions built into them no longer matched the value of what they now held.

Why it matters

Software chosen for a small firm rarely carries the controls a large one needs. As transaction volume rises, the same platform holds more, and matters more — but the protections around it usually do not move with it.

Left unaddressed

The ASD’s ACSC repeatedly warns that legacy and unsupported systems provide a direct pathway for compromise: once updates stop, vulnerabilities quickly become public knowledge and heavily targeted.

Where this gets owned

Sits with IT, but the call is the partners’. The direction is to plan for replacing or retiring what has been outgrown — and, until then, to make sure someone owns it as a known risk. Maps to Essential Eight (patching).

High F8 · Integration TrustAggregator, lender-panel and CRM connections, never reviewed Essential Eight

What we found

Connections to aggregator platforms, lender panels and the CRM had been established as the business grew and then left alone. Access was broad, credentials were long-lived, and no one had revisited what each connection could reach.

Why it matters

A broker sits at the centre of a web of other people’s systems. Each connection carries client data outward and trust inward. Where that trust is never reviewed, a compromise anywhere in the chain has a clear path in.

Left unaddressed

ASD’s ACSC lists supply-chain and trusted-relationship compromise among the hardest attacks to detect — the access looks legitimate. In Latitude, the data was taken through service providers connected to the business, not the business itself.

Where this gets owned

A conversation for IT and whoever owns the aggregator and lender relationships. The direction is to know every connection, keep each to what it actually needs, and review them on a rhythm. Maps to Essential Eight (application hardening).

Medium F9 · Reactive ConfigurationSecurity settings added as needs arose, never designed APP 11Essential Eight

What we found

Security configuration had been assembled reactively — each control added when a specific need or incident prompted it, rather than designed as a whole. There was no documented baseline, so no way to tell what was deliberate and what was left over.

Why it matters

A configuration nobody designed is a configuration nobody can verify. Without a documented baseline there is no way to demonstrate what protections exist, which is exactly what a regulator, an insurer, or an acquirer will ask to see.

Left unaddressed

The OAIC assesses whether an organisation took reasonable steps to protect personal information, judged against its size, resources, and the sensitivity of what it holds. “We added things as we went” is not evidence of reasonable steps.

Where this gets owned

Sits with IT, with the partners setting the expectation. The direction is a documented baseline — a written statement of what good looks like here — so the firm can show what it does, not just say it. Maps to APP 11.

High F10 · Resilience — DR OwnershipNo one owned the recovery plan or the patchwork Essential EightASD

What we found

Governance for disaster recovery had no clear owner. A plan and a patchwork of backups existed, but no single role was accountable, no recovery-time objective was set, and it had never been tested end to end.

Why it matters

This was the finding both engagements shared — a commercial lender and a mortgage broker, different in size and structure, with the identical governance blind spot. Either would be recovering with no one accountable for how. That is a GRC failure, not a technical one.

Left unaddressed

After the HWL Ebsworth breach (2023), review and notification ran for months — some individuals were not told for up to six months. Untested, unowned recovery turns a contained incident into a prolonged crisis, and boards are held to account for resilience they cannot demonstrate.

Where this gets owned

The first fix is ownership itself: someone — operations or business continuity, with the board watching — needs to own the plan, set a recovery target, and confirm it actually works. The direction matters more than the tooling. Maps to Essential Eight (backups) and ASD resilience guidance.

The Broker risk profile

An exposed portal holding identity documents dominates the profile. Indicative only: each point is a plausible path to compromise, not a prediction.

High
impact
710
6
Medium
impact
8
Low
impact
9
Low
Medium
High
Plausibility of exposure →
F6 Application portal publicly reachable
F7 Legacy platforms outgrown
F8 Aggregator / CRM integration trust
F9 Security configured reactively
F10 DR ownership — no owner

Governance, risk and compliance is the scaffolding that forces an organisation to know what it owns, who owns each risk, and whether its controls can be demonstrated. A documented policy does not stop an intrusion — knowing what is externally exposed, before an attacker does, is what turns an assessment into a defence.

The precedents, on the record

Every consequence cited above is drawn from public regulatory, court, or government records. The findings themselves are anonymised and illustrative of real 2026 engagements.

Risk ratings are indicative assessments of plausible exposure, not predictions of a certain outcome. No client is named or identifiable.

Accountants & Advisory That Guide, Not Audit

Your advisory practice covers strategy, compliance planning, and regulatory guidance — but not the technical assessment that proves posture. That's where we come in.

Privacy & Data Protection

AFSL holders and super funds carry specific APRA CPS 234 and Privacy Act obligations. When your client asks about cyber governance, you have an answer. We handle the assessment.

Corporate & M&A

Business advisory clients increasingly face cyber questions from insurers, procurement teams, and regulators. A GRC assessment gives them documented evidence without requiring technical expertise from your practice.

Board Advisory

Directors need to demonstrate they've exercised due care on cyber risk. A Board-ready GRC assessment gives them documented evidence of the organisation's external posture.

Regulatory Response

When APRA, the OAIC, or a sector regulator asks questions, your client needs evidence — not assurances. Our assessments provide sourced, framework-mapped findings.

Procurement & Tenders

Government and enterprise procurement increasingly requires GRC evidence. A structured assessment with framework mapping satisfies the requirements your client can't produce internally.

Incident Response Support

After a breach, your client needs to understand what was visible before the incident. A passive assessment reconstructs the external picture without interfering with forensics.

You Refer. We Deliver.

No technical expertise required from your side. No client confusion. No overlap with your legal services.

  • You identify the client need — privacy inquiry, Board request, procurement question
  • You introduce us or we engage directly under your instruction
  • We conduct the passive OSINT assessment — no systems accessed, no client disruption
  • We deliver the report — risk register, framework mapping, Board-level summary
  • You receive a fixed referral fee per engagement
  • Your client gets a result they can take to their Board, their regulator, or their insurer
Scenario

Your SMSF client's auditor flags cyber governance as a material risk

The trustee has no cyber assessment capability. You refer them to BlackFlag Advisory. We deliver a passive assessment within 7 days — risk register, framework mapping, Board-ready summary. The auditor gets the evidence they need. You receive a referral fee and your client relationship is strengthened.

Scenario

A client's insurance renewal requires evidence of cyber posture

The insurer wants independent evidence before they price the policy. Your client has nothing to show them. You refer them to us. We produce the assessment. The insurer gets what they need, the client gets renewed, and you've added tangible value to the relationship.

Work with us. Not around us.

No lock-in. No minimum commitment. Structured to complement your practice, not compete with it.

Discuss a Partnership →