The corporate regulator has announced its priorities for the coming year, with a key focus on cybersecurity issues. ASIC’s priorities for the supervision of market intermediaries in 2022–23 are based on their broader Corporate Plan 2022–26, announced a month earlier. In this latest announcement, ASIC has outlined eight core strategic projects, and topping the list of priorities is Cyber, technology and operational resilience.
This shouldn’t be a surprising outcome following the recent landmark case of ASIC vs RI Advice, where the regulator fined an Australian company $750,000 for failing to adequately manage cyber risk.
These new ASIC measures apply to financial services providers defined as market intermediaries (including market participants and retail over-the-counter derivatives providers). The announcement earlier this month, which has also been sent to the organisations affected, states:
“Cyber and operational resilience among market intermediaries minimises the risk of disruption from cyber attacks and operational failures and promotes confidence in markets.
We are implementing a cross-industry self-assessment to benchmark market intermediaries’ cyber resilience and develop sectoral insights.
We will conduct risk-based reviews of cyber and operational resilience among market intermediaries, including reviews of supervisory controls for remote working arrangements, and compliance with new market integrity rules on technological and operational resilience that apply from March 2023.
We will monitor market participants’ and market operators’ implementation of the recommendations set out in Report 708 ASIC’s expectations for industry in responding to a market outage.
We will engage with market intermediaries on their preparedness for and implementation of exchange trading platform upgrades.
We are closely supervising ASX’s Clearing House Electronic Subregister System (CHESS) replacement project so that it will continue to provide reliable clearing and settlement services for the Australian cash equity market. For market intermediaries, we will oversee their preparation for the new CHESS system, focusing on testing arrangements to limit downstream issues and any implications for clients.”
The most relevant of these points are the first three, which have broader implications for market intermediaries: they will need to conduct cyber self-assessments, be subject to ASIC reviews from March 2023 and follow the guidelines for responding to an outage.
We’ve seen other cybersecurity measures being put in place for financial service providers recently, with the SWIFT payment network introducing their Customer Security Controls Framework (CSCF) following multiple attacks on their network resulting in millions of dollars in losses, with a view to strengthening the cyber security posture of the SWIFT payment network.
These steps further reinforce the message that organisations need to get their house in order when it comes to cybersecurity. However, it can be hard to know where to start or what the best next step is.
Getting a clear understanding of your current security posture is a key step to working towards a more secure and compliant future for your business. Red Piranha offers a Cyber Security Review (CSR) service, as an entry-level assessment of your business to identify any gaps that need to be addressed. This is an early step to taking a proactive, risk-based approach to securing your business and gives you the assurance you need to grow your business with confidence.