The ASX and rival exchange Chi-X have both received the tick of approval from the Australian Securities and Investments Commission after the financial watchdog conducted its first formal ‘cyber resilience’ assessments since the release in 2015 of ASIC’s security health check framework for regulated organisations.
The assessments employed the risk-based US NIST Cybersecurity Framework, ASIC said in its report.
ASX and Chi-X were required to complete self-evaluations based on the framework, with ASIC following up with in-depth discussions and document reviews.
“We have concluded that, up to this point in time, ASX Group and Chi-X have met their obligations to have adequate resources to manage cyber resilience,” the report stated.
ASIC said that it would use the data gathered during the assessment process to continue working with ASX and Chi-X to monitor future developments relating to cyber resilience.
“Because of the dynamic nature of cyber threats, financial market infrastructure providers’ cyber resilience frameworks need to continuously evolve,” the report stated.
“For that reason, a comprehensive and long-term commitment to cyber resilience is essential to help organisations deal with these challenges as and when they arise. Working closely with the RBA on ASX Group’s CS facilities, we will continue to engage with financial market infrastructure providers on this issue.”
ASIC’s report also included examples of emerging good practices identified during the assessments, which may have broader relevance for the financial sector beyond the two exchanges:
• Board engagement in security strategy;
• Responsive governance;
• Real-time cyber risk management employing automation and tools that can integrate and assess multiple sources of risk;
• Assessing the security posture of suppliers and partners;
• Information sharing with other financial institutions as well as security agencies and law enforcement;
• Centralised asset management;
• Organisation-wide awareness and training;
• Proactive security measures such as the Australian Signals Directorate’s ‘top four’ mitigation strategies (application whitelisting, application patching, OS patching, and restricting administrative privileges);
• Continuous monitoring and data analytics;
• Response planning (including scenario planning and war gaming); and
• Recovery planning.