ASIC ramps up work on cyber activity

Australian Securities and Investments Commission (ASIC) commissioner Cathie Armour told the House of Representatives standing committee on economics that ASIC “actively” monitors market infrastructure and market participants on their cyber resilience as part of its work with the Australian Prudential Regulation Authority (APRA).

Ms Armour added that the two regulators are working together to share information and intelligence on how the larger institutions which they both regulate are dealing with cyber risk.

“We consider cyber risk, the need to address and build the program for cyber resilience to be part of a licensed entity’s obligations to have in place adequate risk management procedures, practices and technologies sufficient to do their job, that is to provide financial services efficiently, honestly and fairly,” Ms Armour said.

As such, Ms Armour said that ASIC has escalated its work in cyber activity amid the rapid digitisation over the COVID-19 crisis period.

She added that ASIC has commenced moving from the education, monitoring and supervision stage into the enforcement stage.

“We’ve brought civil proceedings against a financial firm for what we say we’re alleging is failure to have sufficient practices in place to deal with cyber resilience,” she said.

“We do understand that in this world, it’s likely that firms will face some intrusions into their systems. What we expect is that the firms have in place plans to deal with those intrusions.”

Commissioner Sean Hughes also addressed the committee on the issue of cyber activity, stating that ASIC is conducting conversations not only around the impact of cyber attacks on financial institutions but also their customers, particularly small business and retail customers.

“We’ve been encouraging them to also think about what they can do to support customers who may be at far less sophisticated capability and to assist them to avoid exposure to cyber risks,” Mr Hughes told the committee.

“One of the things that I know all of my colleagues are very keen to do is to ensure that we work collaboratively with all of our brethren across the public sector who have an interest in this, so it’s not discordant voices or ambiguity around what the expectations regulators and policymakers have of the financial institutions.”

In December 2020, the Council of Financial Regulator (CFR) launched a Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework to test and demonstrate the cyber maturity and resilience of institutions within the Australian financial services industry.

CORIE is a pilot program of exercises that will use intelligence gathered on adversaries to mimic the way they operate. At the end of the program, a report detailing industry-wide trends around cyber resilience will be presented to the CFR and highlight any systemic weaknesses that may pose a risk to the integrity of financial markets and system.

[Related: Major cyber breach in finance inevitable: APRA]