INSIGHT

ASIC Corporate Plan puts cyber resilience high on the agenda

By Gavin Smith, Valeska Bloch
Cybersecurity & Privacy Data Financial Services Media, Advertising & Marketing Technology

In brief

Cyber security is fast becoming a key feature of the domestic and global regulatory landscape, and in keeping with that trend, ASIC has again reiterated its concerns about the risk that cyber attacks pose for businesses. In its recent four year Corporate Plan, ASIC has emphasised that cyber resilience is both a long-term challenge and that cyber threats are a key risk to its strategic vision.1

In this year's Corporate Plan, ASIC highlights:

  • the inadequate risk management of technological change, including cyber threats; and
  • the risks to trust and confidence and market integrity from digital disruption.

Technology and cyber resilience

Cyber threats are identified as one of the main risks facing financial services and the economy more broadly.2 The ASX's recent Cyber Health Check survey on Australia's top 100 listed companies found that 62 per cent of directors witnessed growth in attempted malicious cyber activity and 80 per cent expect an increase in cyber risk over the next year.3

Cyber resilience is an organisation’s ability to prepare for and quickly respond to a cyber attack and it is squarely in the focus of regulators. At a recent conference on cyber insurance, ASIC Commissioner John Price commented that 'never before has this issue been more important for the boards of companies' and that ASIC expects 'boards to understand what it takes to improve an organisation's overall cyber resilience so it can survive and recover from an attack as quickly as possible'.4

To combat the risks from inadequate risk management of cyber threats, ASIC has outlined an action plan to enhance business' systems and controls by:

  • reviewing a business's arrangements for managing technological and operational risk, including cyber preparedness and governance and business continuity practices;
  • incorporating cyber threats into ASIC's real-time monitoring of Australia's financial markets;
  • monitoring how market infrastructure operators, market intermediaries and responsible entities of managed investment schemes manage technological change;
  • sharing information on emerging cyber threats and ways to mitigate risk with domestic and international industry regulators and other bodies; and
  • raising awareness about cyber attacks and the importance of cyber resilient practices across the sectors ASIC regulates.

Digital disruption

ASIC is also concerned with the impact of digital disruption on financial services and markets. Over the next four years, through facilitating innovation, ASIC plans to enable investors and consumers to take advantage of the benefits of fintech, while managing the risks it poses to consumer confidence and market integrity.

Some of the fintech risks that ASIC is concerned with include:

  • consumer confusion as to what they are buying, caused by streamlining consumer engagement processes;
  • increased market fragmentation and complexity;
  • new products and services testing regulatory boundaries; and
  • cyber threats.5

Through its Innovation Hub, ASIC plans to assist fintech businesses to navigate the regulatory framework and will team up with the local and international fintech community, regulators and other bodies to stay up to date with developments in the sector.

ASIC and the NIST Framework

ASIC has previously used a cyber risk self-assessment tool based on the US National Institute for Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework) in assessing the cyber resilience of ASX Group and Chi-X Australia Pty Ltd.6 On a number of occasions ASIC has recommended this as a standard for businesses in the financial services sector.7

The NIST Framework is designed to help organisations manage and reduce their cyber security risk and it sets out several 'core functions' to help achieve this purpose. The framework was developed by NIST with consultation from industry, academia and government organisations across the United States and is generally well-regarded. There has been commentary in the United States that, although voluntary, in the event of data breach litigation involving the banking sector, the framework could be used as a benchmark for what is reasonable commercial practice.8 NIST is currently working with stakeholders to update the framework so watch this space.9

For more on ASIC's focus on cyber resilience and the NIST Framework see our Client Update: ASIC highlights importance of cyber resilience.

Footnotes

  1. Australian Securities and Investment Commission, ASIC Corporate Plan: 2017-18 to 2020-21, August 2017.
  2. World Economic Forum, The global risks report 2017, 12th edition, Wednesday, 11 January 2017.
  3. ASX Limited, ASX 100 cyber health check report, April 2017.
  4. Stuart Kennedy, 'ASIC fires cyber warning shots', InnovationAus.com, 22 September 2017.

  5. Australian Securities and Investment Commission, ASIC Corporate Plan: 2017-18 to 2020-21, August 2017.
  6. Australian Securities and Investment Commission, 'Cyber resilience assessment report: ASX Group and Chi-X Australia' (March 2016).
  7. See, for example, Greg Medcraft 'Building resilience: The challenge of cyber risk', speech by Greg Medcraft, ASIC Chairman to Australian Chamber of Commerce and Industry business reception event (15 December 2016) and Cathie Armour 'Cyber security and directors: How cyber resilient is your organisation? Responsibilities of directors in assessing material business risk' (April 2015).

  8. Homeland Security News Wire, NIST's voluntary cybersecurity framework may be regarded as de facto mandatory (3 March 2014).

  9. NIST Cybersecurity Framework.