ASIC: High Alert on Cyber Resilience
The Australian Securities and Investments Commission (ASIC) recently released REP 468 Cyber resilience assessment report: ASX Group and Chi-X Australia Pty Ltd (‘Report 468’)^^, which sets out the outcome of the regulator’s assessments of the cyber resilience of Australia’s major financial market infrastructure providers. The report coincides with the 12-month anniversary of ASIC’s REP 429 Cyber resilience: Health check, which provided initial guidance on cyber resilience.
Report 468 is noteworthy for many Australian organisations
ASIC’s most recent report illustrates how the regulator may interpret the compliance obligations of the Corporations Act 2001 in a cyber resilience context. Sections 792A(d) and 821A(d) of the Act require a market licensee and a clearing and settlement (CS) facility licensee, respectively, to have sufficient resources to operate the market or the CS facility properly. ASIC considers that these requirements may extend to having appropriate resources to manage cyber resilience effectively.
Report 468 serves multiple purposes and is relevant for many Australian organisations. Section B provides an assessment of ASX Group and Chi-X Australia’s cyber resilience. ASIC has stated, “The report concludes that ASX and Chi-X have, up to this point in time, met their statutory obligations to have sufficient resources for the management of cyber resilience.”* ASIC has also confirmed that it will “continue to engage with financial market infrastructure providers on this issue.”^^
Section C of the report is devoted to examples of good cyber resilience practices that ASIC has observed in the wider Australian financial services industry, together with findings from overseas regulatory counterparts. Practices that can help businesses build resilience to cyber threats include:
- Board engagement
- Cyber risk management
- Third party risk management
- Collaboration and information sharing
- Asset management
- Cyber awareness and training, including continuous development
- Proactive measures and controls
- Detection systems and processes
- Response planning
- Recovery planning
In its latest report, ASIC also raises awareness of cyber resilience protocols and encourages collaboration between organisations on intelligence sharing on cyber threats and prevention methods.
The report also points to proposed cyber resilience guidance for financial market infrastructure providers, Guidance on cyber resilience for financial market infrastructures^, a consultative report published by the Bank for International Settlements and the International Organization of Securities Commissions (IOSCO). The guidance aims to enhance the cyber resilience capabilities of financial market infrastructures and is expected to be finalised in the second half of 2016. It highlights that:
- Board and senior management engagement is critical to a robust cyber resilience strategy.
- The ability to resume operations quickly and safely after malicious cyber activities is paramount.
- Businesses should make use of good quality threat intelligence and rigorous testing.
- Cyber resilience requires continuous improvement processes.
- Cyber resilience in financial markets cannot be achieved by a financial market provider alone. It requires the entire ecosystem’s collective effort.
These five concepts apply to organisations in any industry as part of building robust cyber resilience.
Focus on boards
ASIC’s latest cyber resilience report concludes with a series of questions for boards of directors to consider as part of their oversight of cyber risk and resilience. The message is clear: cyber resilience must be on the boardroom agenda.
^^ Australian Securities and Investments Commission, Cyber Resilience Assessment Report: ASX Group and Chi-X Australia Pty Ltd, Report 468 (March 2016).
* Australian Securities and Investments Commission, media release, 7 March 2016.
^ Bank for International Settlements and International Organization of Securities Commissions, Guidance on Cyber Resilience for Financial Market Infrastructures, Consultative Report (November 2015).