ASIC's proposed market integrity rules for technological and operational resilience could impose far-reaching obligations

In brief 11 min read

ASIC has released Consultation Paper 314 - Market integrity rules for technological and operational resilience (Consultation Paper). If introduced, these rules will require that market participants and operators take steps to improve the resilience of their critical systems, operations and data. In particular, boards and senior management should be made aware of their specific obligations and attestation requirements. This development, which follows hot on the heels of APRA's prudential standard CPS 234 – Information Security, reflects the increasing focus on information security and resilience by a range of regulators in Australia and globally.

How does this affect you?

• The proposed market integrity rules (Rules) will apply to securities and futures market operators (ie the ASX, ASX24, Chi-X, NSX and SSX) and participants (being entities that directly access clearing and settlement facilities and financial markets under those respective operating rules) (Regulated Entities). However, once in effect, the Rules could also create an informal market benchmark for what technical and operational resilience measures are considered appropriate for non-Regulated Entities.
• Despite ASIC's insistence that the Rules largely clarify and formalise existing expectations regarding organisational resilience in current laws and guidance, the Rules introduce far more prescriptive requirements to address the reliability and resilience of critical systems, outsourcing risks, data and cyber risk, incident management and business continuity, and notification of information security vulnerabilities and breaches.
• Regulated Entities will need to contend with yet another mandatory notification regime for information security vulnerabilities and breaches. Incorporating these requirements into incident response plans and processes, and testing these through war gaming scenarios, will be critical.
• A failure to comply with market integrity rules can carry penalties of up to $1 million per breach. ASIC has emphasised that clarifying its expectations and having the ability to impose penalties for breach of these expectations will expand both its regulatory and enforcement toolkit in this area.
• Market operators, market participants and other interested parties can make a submission on the Consultation Paper before 9 August 2019. ASIC has specifically asked for submissions to address (amongst other things) alignment between the Rules and other regulatory obligations, and expected costs of compliance.
• ASIC intends to release the market integrity rules in their final form in November or December 2019. They are likely to take effect from approximately July 2020.¹

Who else in your organisation needs to know about this?

• Board members and senior management – will be ultimately responsible for compliance with the Rules. They will also need to attest to the Regulated Entity's compliance with the outsourcing rules and to oversee incident management and business continuity arrangements. Although ASIC has not issued guidance on the specific steps that the board and senior management must take to comply with their obligations, we expect that (in light of CPS 234) management will be required to challenge the business on relevant issues, rather than simply relying on reporting by others.
• Legal and procurement functions should conduct a gap analysis between the Regulated Entity's existing processes, policies and practices and the requirements in the Rules. In particular, legal and procurement teams should consider what due diligence processes can be carried out before entering into an outsourcing arrangement or providing access to market-sensitive, confidential or personal data, and what processes are in place to ensure the Regulated Entity is able to meet its notification obligations in the event of a security incident.
• Risk and compliance functions will need to ensure the Regulated Entity's plans, policies and reporting processes, including incident response plans, align with the Rules.
• Audit functions of Regulated Entities will need to ensure they have appropriate oversight over any outsourced functions.

What would the Rules require of Regulated Entities?

The Rules address 5 key areas:

• Resilience of critical systems;
• Outsourcing arrangements;
• Data and cyber risk;
• Incident management and business continuity; and
• Notification obligations.

Resilience of critical systems

Regulated Entities must maintain adequate arrangements to 'ensure the resilience, reliability, integrity and security of their critical systems'. Critical systems are functions, infrastructure, processes or systems which, if they failed to operate effectively, would (or would be likely to) cause significant disruption to the Regulated Entity's market-related operations and services.²

Key requirements for Regulated Entities include:

• identifying critical systems and risks to the resilience, reliability, integrity and security of those systems;
• implementing appropriate policies, procedures, and ensuring sufficient resources are available, to manage those risks;
• managing new critical systems and changes to existing critical systems, including by:
  • testing (via a systematic testing program) the function and reliability of such systems; and
  • ensuring that persons materially affected by any change (which could include ASIC, other Regulated Entities or operators of clearing and settlement facilities) are appropriately informed of, and prepared for, the change; and
• maintaining records (for at least 7 years) of such arrangements (including any changes to those arrangements) and the scope and results of any testing.

Outsourcing arrangements

Much like CPS 231 – Outsourcing for APRA-regulated entities, the Rules will:

• regulate outsourcing arrangements for the provision, support or operation of critical systems; and
• require that Regulated Entities implement controls which are commensurate with the nature, complexity, risks and materiality of the outsourcing arrangement.

Key requirements for Regulated Entities include:

• notifying ASIC before entering into any outsourcing arrangement in respect of critical systems;
• conducting appropriate due diligence on third parties that provide services for critical systems;
• ensuring that there is a legally binding written contract in place that requires (amongst other things) approval for any sub-contracting;
• monitoring the performance and capacity of the outsourced service provider;
• retaining audit rights; and
• ensuring that ASIC has the same access to information relating to the outsourced critical system that it would have if the critical system was not outsourced.

Data and cyber risk

ASIC has identified the failure of existing market integrity rules to impose any specific obligations on Regulated Entities to protect the confidentiality, security and integrity of data, as being out of step with regulators' and consumers' increasing focus on cybersecurity.

Key requirements for Regulated Entities include:

• implementing policies and procedures to protect the confidentiality, integrity and security of data, including via preventative and detective controls;
• implementing policies and procedures (including appropriate backup and recovery processes) to ensure the continued availability of access to data in relation to their operations or services; and
• maintaining records of any unauthorised access to, or use of, their critical systems, or market-sensitive, confidential or personal data for at least seven years following the relevant event.

Incident management and business continuity

ASIC has stressed the importance of codifying existing obligations and guidance on incident management and business continuity (in ASIC guidance, market rules and the Corporations Act 2001 (Cth) (Corporations Act)), to provide Regulated Entities with clear and consistent rules.

Key requirements for Regulated Entities include that they must:

• implement:
  • an incident management plan, to deal with unexpected interruptions to the usual operation of their critical systems (incident); and
  • a business continuity plan, to deal with emergencies or other events that cause significant disruption to their operations, activities or conduct in connection with the market or materially impacts their market services (major events)
    
    each to enable the continued operation (or timely and orderly restoration) of critical systems, having regard to the nature, scale and complexity of the critical systems, operations, services and their structure and location;
• ensure that their incident management and business continuity plans include:
  • the types of incidents and major events, and the potential impacts they may have on the Regulated Entity's critical systems, operations and services;
  • escalation procedures; and
  • the arrangements required to achieve continuation or restoration of the usual operation of critical systems, operations and services, including specific timeframes to achieve this outcome; and
• regularly review and test their incident management and business continuity plans, where the frequency of this testing will depend on the nature, scale and complexity of the critical systems. At a minimum:
  • market operators must review these plans every 3 months; and
  • market participants must review these plans every 12 months,

and otherwise whenever there is a material change to the critical systems, the Regulated Entity's operations, services, structure or location.

Mandatory notification obligations

The Rules introduce additional information security notification obligations on both market participants and market operators.

One question in the Consultation Paper which ASIC is seeking express feedback on, is whether this incident notification obligation should be extended to market participants.

Key requirements include that:

• market operators must notify ASIC as soon as practicable on becoming aware of any unauthorised access to, or use of, any:
  • critical systems, where the unauthorised access impacts the functioning of those systems; and
  • market-sensitive, confidential or personal data.

One question in the Consultation Paper which ASIC is seeking express feedback on, is whether this incident notification obligation should be extended to market participants;

• market operators must notify ASIC immediately upon becoming aware of an incident that may interfere with the fair, orderly or transparent operation of any market or a major event. Market operators must also provide ASIC with a report within seven days that provides details of the circumstances of the incident or major event, and the steps taken to manage it; and
• market participants must notify ASIC immediately upon becoming aware of an incident or major event and provide a report to ASIC within seven days outlining the circumstances of the incident or major event, and thesteps taken to manage it.

Importantly, the ASX Listing Rules require that listed entities immediately notify the ASX of market sensitive information. In the last couple of years, it has become clear that major security incidents could have a material effect on the price of its securities, and therefore that a data breach may need to be notified to the market.

In light of the potential overlap between this notification obligation and the obligation to notify ASIC of incidents or major events, there may be increased scrutiny over whether an incident that a listed market participant notifies to ASIC is also required to be disclosed to ASX under the continuous disclosure rules. In essence, an incident that is sufficiently material to be disclosed to ASIC may also warrant disclosure to the market.

Actions you can take now

Aside from making a submission on the Consultation Paper, Regulated Entities should start to:

• Identify and classify systems as critical or not, having regard to the likely consequences of that system failing to operate effectively.
• Uplift outsourcing arrangements. Where the provision, support or operation of any critical systems has been outsourced to a third-party service provider, existing and future contractual arrangements should be reviewed to confirm they meet the requirements in the Rules.
• Create or uplift incident management and business continuity plans and processes to reflect the new notification requirements for incidents and major events, and to ensure they address the requirements of the Rules.
• Roll out awareness and training programs in connection with the obligations under the Rules. In particular, boards and senior management should be made aware of their specific obligations and attestation requirements under the Rules.

How did we get here?

Existing requirements

ASIC has emphasised that the Rules would largely formalise a number of expectations which already exist under current law and guidance, including:

• s769B of the Corporations Act, under which market participants remain responsible for complying with its licensee obligations in relation to its outsourced services;
• s792A of the Corporations Act, which requires market operators to have sufficient resources to operate the market;
• s912A of Corporations Act, which requires financial services licensees to have adequate resources (including technological resources) to provide financial services and adequate risk management systems;
• ASIC regulatory guides (including Regulatory Guide 104), which outline ASIC's existing expectations in relation to appropriate resources and capabilities; and
• directors' duties, including the duty to act with reasonable care and diligence in overseeing the management of the Regulated Entity.

Increasing focus on resilience by regulators globally

The impetus for supplementing these existing requirements with new market integrity rules reflects a broader trend of regulatory scrutiny of the information security and operational resilience of entities (particularly by securities and prudential regulators). Recent examples include:

• On 17 July 2019, the APRA Capability Review report was released, which (amongst other things) recommended APRA 'augment its internal capacity and to collaborate on ways to strengthen the cyber resilience of APRA's regulated sectors' through collaboration with public and private sector entities. APRA's action plan indicates its support for this recommendation, having identified cyber and technology as priority areas across all APRA-regulated industries.
• Information released by the UK Financial Conduct Authority (FCA) in response to a freedom of information request showed a majority of declared security incidents in 2018 were the result of third-party outsourcing failures, failures in underlying hardware and software and failures to effectively manage changes to IT environments.
• APRA's Prudential Standard CPS 234 (Information Security) took effect on 1 July 2019. For more information on this standard and corresponding guidance, please see New APRA prudential standard raises bar for information security obligations and incident notification requirements and Final APRA Guidance on Information Security released – are you prepared?
• On 30 May 2019, the UK FCA and the Prudential Regulation Authority (PRA) imposed fines totalling almost £2 million on Raphaels Bank for its failure to manage the business continuity and disaster recovery arrangements of its outsourced service providers, which had resulted in an eight-hour outage preventing it from processing card transactions.
• In November 2018, after financial services firms reported a 187% increase in technology outages, Megan Butler of the UK FCA expressed concerns in a Speech delivered at Bloomberg, London about the number of incidents, especially as many outages were 'caused by relatively small changes', stating that 'a third of firms do not perform regular cyber-assessments' and 'nearly half of firms do not upgrade or retire old IT systems in time'.
• In October 2018 the US Securities and Exchange Commission (SEC) released its investigative report into nine public companies, emphasising the need for public companies to maintain robust internal accounting controls to appropriately address cybersecurity threats.
• In July 2018, the Bank of England, the UK PRA and the UK FCA jointly published a paper on 'Building the UK financial sector's operational resilience'.
• In February 2018, the SEC published Guidance on Public Company Cybersecurity Disclosures, which stated that public companies must 'establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events', including material events related to cybersecurity.