Earlier this week the PEXA security team briefed the NSW Registrar General, interim ICT Director, Department of Finance, Services and Innovation, and the NSW Government Chief Information Security Officer, on this incident. This included outlining the steps they have taken and will take to avoid this happening again.

I want to reassure you of several important things.

• These were isolated incidents. They involved unknown persons gaining unauthorised access to a practitioner’s email accounts.
• There have been no other incidents elsewhere.
• We are satisfied that the steps PEXA is taking now will help prevent such incidents from happening again. These steps include:          
  • increased monitoring of PEXA workspaces, including alert on changes in passwords, user identification and bank details
  • stronger controls over creating new users
  • introduction of time stamps to show date, time and specific user so practitioners can see who, when and what has been changed prior to settlement, and
  • introducing multi-factor verification for subscribers logging into the system.

These two incidents are stressful for everyone involved. We are pleased that one of the affected parties is now able to go ahead and settle on their new home.

Independent review

With any security incidents we must always look at what we can learn to avoid a repeat offence and to add further safeguards where necessary.

The NSW Government will be working with our colleagues in other jurisdictions to conduct an independent review of PEXA’s security to further identify any more steps it can take to strengthen its system. This review will commence shortly.

This is in addition to PEXA’s existing requirements to complete annual security assessments, penetration testing, and to comply with sound industry security practice standards.

This is an isolated incident

eConveyancing is a safer more secure system than paper conveyancing.

Since the introduction of eConveyancing in NSW in 2013, there have been no incidents of fraud resulting from electronic lodgment in NSW.

In comparison, NSW has paid out millions via our Torrens Assurance Fund for fraudulent paper dealings since 2013. Indeed, a significant part of my Office continues to be dedicated to managing the Torrens Assurance Fund (TAF) related litigation work covering this fraud in paper.

Insurance

Since these two incidents, you have asked the Office of the Registrar General (ORG), and our NSW industry peak bodies, about insurance requirements.

With eConveyancing, a requirement under the NSW Participation Rules is that all participants involved in an eConveyancing transaction must maintain appropriate insurances.

Further, should users of PEXA’s system suffer from fraud or error in PEXA’s system, PEXA has insurance cover to enable customers to recover their costs in particular instances. This will also be a requirement of future operators.

PEXA has also announced it will provide a consumer guarantee to protect vendors whose properties are settled through the PEXA platform. This guarantee will pay out any lost funds to the vendor in the circumstances that occurred in Victoria. PEXA will then seek to recover them from other liable parties.

NSW is assessing the regulations so we can insist on this safeguard for all electronic network operators going forward. We intend for this include to include requiring operators to provide details of such policies annually and make them publicly accessible.

Additional training with our partners to further strengthen cyber security in NSW

Managing cyber risk is an integral part of all legal and conveyancing practices. This is something the Law Society of NSW and Australian Institute of Conveyancers (NSW) have  raised as a priority to all members.

In discussions with the Law Society of NSW earlier this week, we agreed to add further information on cyber security in our eConveyancing workshop module. This will help raise awareness and also address cyber insurance cover provided by Lawcover.

In similar discussions with NSW AIC CEO, I am advised they will be updating their material to ensure you have further information on cyber security more generally.

Important things you can do to further strengthen the system.

Here are what we think are some fundamentals. Please let us know if you have any other tips, and we will share these with all practitioners.

• Make sure you have a strong and unique password. The recent incident occurred because a fraudster hacked a practitioner’s email.
• Please use email providers with strong security such as business email accounts.
• Where possible, use an email provider that supports second/multi factor authentication (2FA or MFA).
• Make sure any of your ex-employees access to, and user profile, are removed from PEXA promptly.
• Make sure any of your ex-employees no longer have access to your firm’s email system.
• Before a transaction proceeds, always:
  • confirm that the information is correct;
  • double check the details you have entered to ensure they match the instructions that were provided by your client; and
  • triple check the bank account details for the destination of funds going to the vendor and to other payees from a settlement prior to signing or resigning a settlement statement.

Our timeframes for rolling out eConveyancing in NSW

The NSW Government will continue implementing the eConveyancing reforms as planned.

eConveyancing is a more efficient and secure way of registering the transaction of documents, with quicker transmission of settlement funds. Even before the mandates have begun, today more than 42 per cent of possible lodgements are electronic.

From 1 July 2018, standalone transfers, standalone caveats, and all standalone mortgages and discharge of mortgages, including refinances, must be lodged electronically in NSW.

Ongoing support with eConveyancing  

The ORG will continue to invest in workshops in collaboration with the Australian Institute of Conveyancers and the Law Society of NSW. Please visit www.registrargeneral.nsw.gov.au/events to see more.

Please make sure to go to our website regularly for updates and information in the coming year: www.registrargeneral.nsw.gov.au.

Kind regards

Jeremy Cox
NSW Registrar General

Email: