The latest from ASIC on cyber resilience

30 June 2016

We have previously published articles about ASIC’s growing interest in the question of ‘cyber resilience’ and the role ASIC is playing in providing regulatory scrutiny of cyber risks (see our articles here, here and here). ASIC’s strongest early indication of its interest in the area was its Report 429: ‘Cyber resilience: health check’ released in March last year.

Now, one year on from that report, ASIC has released Report 468 Cyber resilience assessment report: ASX Group and Chi-X Australia Pty Ltd. The purpose of this report was both to provide an assessment of the cyber resilience of two organisations providing important financial markets infrastructure and to provide some examples of what ASIC sees as emerging good practices implemented by a sample of organisations operating in the Australian financial sector.

As to its assessment of ASX Group and Chi-X, ASIC reports that they have both sufficiently met their obligations under the Corporations Act 2001 (Cth) in relation to ensuring they have adequate resources to manage cyber resilience. In determining the adequacy of ASX Group’s and Chi-X’s resources, ASIC had regard to each organisation’s cybersecurity practices. Examples of the practices utilised that ASIC determined to be most effective include ensuring that:

  • Established information security policies are periodically reviewed and updated;
  • Cybersecurity roles are defined, communicated and understood at the senior management level;
  • Legal and compliance obligations are understood and managed;
  • Response and recovery plans are managed, communicated and tested on a periodic basis; and
  • Cyber events are communicated within the organisation to ensure ongoing awareness of threats.

ASIC commented that it will continue to work closely with the ASX and Chi-X to monitor future developments in relation to cyber-related threats and, in particular, the ongoing evolution of international and domestic regulatory settings and expectations. ASIC emphasised that a comprehensive and long-term commitment to cyber resilience is essential to help all organisations deal with cyber threats when they arise.

ASIC also reports general guidelines for good cybersecurity practice for organisations. Those guidelines broadly cover:

  • Cybersecurity strategy and governance: board ‘ownership’ of cyber strategy and responsive and agile governance models;
  • Cyber risk management and threat assessment: gathering intelligence through the use of third-party experts and driven by routine threat assessments, including of relevant third parties;
  • Collaboration and information sharing: confidential information-sharing arrangements with other financial institutions, security agencies and law enforcement;
  • Asset management: centralised management systems for critical internal and external assets (e.g. software and data), and configuration management that ensures visibility of critical assets;
  • Cyber awareness and training: organisation-wide programs for staff awareness, education and random testing, including of third parties;
  • Proactive measures and control: the implementation of the Australian Signals Directorate’s Strategies to mitigate targeted cyber intrusions (or equivalent), as well as a range of additional controls (such as encryption for ‘data in transit’ based on a risk assessment of the asset in question);
  • Detection systems and processes: organisation-wide continuous monitoring systems and the use of data analytics to integrate sources of threats in real time; and
  • Response and recovery planning: routine and detailed scenario planning, war gaming, proactive reporting to the board and well-developed communication plans.

ASIC has encouraged all financial services providers to consider the report in light of the unprecedented rate of technological innovation within the financial sector. ASIC also encouraged all organisations to consider the general guidelines for good practice as they develop or enhance their cyber resilience frameworks.

This article was written by Andrew Miers, Partner, Matthew Hunter, Senior Associate and Patrick Byrne, Trainee Solicitor.
