on 13-04-2021 03:23 PM - last edited on 05-07-2021 10:48 AM by Aoife
In today’s digital climate, cyber-security has rapidly become a key priority within the property sector. We all need to take steps to protect our accounts, devices, data and network from threats – ensuring your business and clients’ information remains safe.
New MOR and MPR
ARNECC’s Model Operating Requirement (MOR) regulate Electronic Lodgement Networks (ELNs), such as PEXA, while the Model Participation Rules (MPR) regulate its Subscribers (our members).
You’ll notice that changes to both came into effect on Monday 12 April 2021. These changes include newly introduced obligations related to cyber-security.
And to assist you with navigating these updates, I’ve gathered a range of content produced by our expert security team, covering vital topics to support you and your firm.
Under the MOR, PEXA has an obligation to make resources available to members – and we hope these materials assist you.
Supporting your ongoing security endeavours is important to us – our team has been producing help-guides and content for many years now and we’re pleased to see ARNECC recognise the role we can play in educating subscribers.
We recommend you review the MPR and seek additional resources if required.
As ever, your PEXA representative or our friendly Security team are here to help. Feel free to reach out.
Don’t forget, you can subscribe to updates from our PEXA security page by clicking the “options” button. I also encourage you to ask questions and raise any concerns you may have.
Chief Information Security Officer - PEXA
on 13-04-2021 04:57 PM
Hi David, thanks for these resources.
My understanding is that the new MOR and MPR also place obligations on Subscribers regarding due diligence on Subscriber Users who are not legal practitioners licensed conveyancers. Are you aware of any information or resources regarding these additional requirements?
on 13-04-2021 05:18 PM
You’re right, there are some new provisions in the MPR regarding Users – if you checked the marked-up version of the latest MPR on ARNECC’s website here, these should become apparent (see MPR 7.2.3 in particular, but note there are other applicable rules). Broadly speaking, the character requirements for users have been deepened, and will need to be actively considered by all Subscribers although, as you say, there are some deeming provisions for legal practitioners and licensed conveyancers.
We won’t be providing any material on these, as the updates are fairly straightforward, but we are working on a resource that our members can refer to to assist with checking off all of their obligations regarding users (including considerations about verification of identity, character, training, and monitoring). We’ll keep you posted on this – it’s not far away!
on 06-07-2021 09:29 AM
I’ve received some questions from our members and industry about the recent MPR updates. I’ve added them here to support anyone else who has similar queries.
Who needs to receive cyber security awareness training?
The MPR guidance notes say:
“A Subscriber must also take reasonable steps to ensure that each of its Users has received training appropriate to their use of the ELN, including cyber security awareness training covering, as a minimum, secure use of the ELN, secure use of the Subscriber’s Systems and secure use of email and other electronic communication. Best practice would be to ensure the User completes the training before the User is given access to the ELN. A Subscriber must also ensure that each of its other principals, Officers, employees, agents and contractors who access the Subscriber’s Systems receive cyber security awareness training covering, as a minimum, secure use of the Subscriber’s Systems and secure use of email and other electronic communication. “
How is a user defined?
User is defined in the MPR as follows:
“…an Individual who:
(a) is a principal, Officer, employee, agent or contractor of the Subscriber and is authorised by a Subscriber to access and use the ELN on behalf of the Subscriber; or
(b) has been appointed as the manager (however described) of the business of a Subscriber that is an Australian Legal Practitioner, Law Practice or Licensed Conveyancer, under any State or Territory law.”
How frequently should cyber security awareness training be completed?
It is up to you and your business to decide how frequently cyber security awareness training is completed. Please refer to PEXA’s Subscriber Security Policy (section 4.4.4 Training Obligation) for guidance on making this decision.
General Manager, Members Success - Majors
on 07-07-2021 08:02 AM
Just to add to this, for NSW subscribers, see https://www.registrargeneral.nsw.gov.au/__data/assets/pdf_file/0004/989671/NSW-Participation-Rules-W...
regarding participation rules partial waiver. Kind regards, Michelle