Increased IT security and resilience standards – ASIC imposes new Australian market integrity rules

Corporate regulator introduces fresh rules in drive to strengthen governance and bolster technological resilience.

Earlier this month, ASIC introduced the ASIC Market Integrity Rules (Securities Markets and Futures Markets) Amendment Instrument 2022/74 (the Amendment Instrument) which amends the ASIC Market Integrity Rules (Securities Markets) 2017 and the ASIC Market Integrity Rules (Futures Markets) 2017 (together, the Rules). Further background on the amendments may be found in Report 719: Response to submissions on CP 314 Market integrity rules for technological and operational resilience. 

The Rules will commence on 10 March 2023 and:

• introduce additional obligations on market participants and operators in relation to technological and operational resilience;
• reinforce the broader regulatory focus on deterring inadequate systems and operational governance and controls (for example, ASIC’s ongoing litigation against RI Advice Group Pty Ltd – see our legal briefing on that here);
• seek to create greater alignment with international standards and other domestic standards; and
• add to existing requirements on entities in respect of information security and operational resilience, such as APRA’s Prudential Standard CPS 234: Information Security.

What are the key changes under the Rules?

1. Market participants and operators must establish business continuity plans to respond to major events that have the potential to cause significant disruptions to operations or materially impact their services. This includes pandemics, natural disasters, cyber-attacks or power failures. Business continuity plans are to be reviewed and tested annually at a minimum and each time there is a material change.  
2. The Board or senior management must have overall oversight of business continuity plans (a shift following consultation from ASIC’s initial proposal that the Board and senior management have oversight).
3. Market participants and operators must have adequate arrangements to identify, assess, manage and monitor risks to ‘ensure the resilience, reliability, integrity and security of [their] Critical Business Services.’ Critical Business Services is broadly defined -  ‘functions, infrastructure, processes or systems which in the event of failure to operate effectively, would or would be likely to cause significant disruptions to operations or materially impact services.’ A failure of a critical business service does not automatically mean a market participant or operator has failed to have adequate arrangements.
4. Market participants and operators must have adequate arrangements and controls in place to ensure confidentiality, integrity and protection of information. This includes recovery backup systems. Records must be maintained for at least seven years following an event of unauthorised access.
5. Outsourcing arrangements involving a third party provider either providing, operating or supporting Critical Business Services are regulated by the Rules. Due diligence must be conducted to ensure that the third party provider has the ability and capacity to provide the services effectively. The performance of the third party provider must be monitored to ensure that the services covered by the outsourcing arrangement are being provided and that the third party has the ability and capacity to continue to provide effectively the services over the duration of the arrangement. Conflict management systems must also be in place for outsourcing arrangements.  
6. Trading controls (market operators only). A market operator is required under the Rules to have trading controls in place, including automated controls, enabling immediate suspension, limitation or prohibition of the entry by a market participant of trading messages where required for the purposes of ensuring that the market is fair, orderly and transparent. 
7. Notification obligations. There are a range of notification obligations:
   • Major events. Both market participants and operators must notify ASIC immediately upon becoming aware of a major event. This includes natural disasters, cyber-attacks, power failures or the failure of or disruption to a Critical Business Service (including one operated by a third party provider).
     
     Within seven days after the notification of a major event or an unexpected disruption, the notifier must provide a written report to ASIC detailing the circumstances and steps taken to manage the major event or unexpected disruption. 
   • Unauthorised access or use. Market operators must also notify ASIC, in writing as soon as possible, and no later than 72 hours, after becoming aware of unauthorised access or use of their Critical Business Services that impacts their operation, or results in unauthorised access or use of market-sensitive, confidential or personal information.
   • Unexpected disruptions. Market operators must also notify ASIC immediately upon becoming aware of an unexpected disruption to the usual operation of a Critical Business Service that may interfere with the fair, orderly or transparent operation of any market.

Comparison with APRA standards

It may be that market participants need to comply with both the Rules as well as the existing obligations in APRA Prudential Standards CPS 231 (Outsourcing), 232 (Business continuity management) and 234 (Information Security) to the extent they are APRA regulated entities (such as banks and insurers). We have provided a short overview of some of the key differences below.

What is next?

It will be important for market participants and operators to ensure that steps are being taken to implement the new obligations under the Rules in time for their commencement on 10 March 2023.

ASIC has foreshadowed that regulatory guides will be updated to provide guidance on the amendments and expectations on how these apply in practice: specifically Regulatory Guides 265 (Guidance on ASIC market integrity rules for participants of securities markets), 266 (Guidance on ASIC market integrity rules for participants of futures markets) and 172 (Financial markets: Domestic and overseas operators).

During the course of this year, APRA plans to consult on enhanced requirements for operational risk management (including minimum expectations for systems, controls and remediation, business continuity and arrangements with third parties). It is intended that the new Prudential Standard CPS 230 (Operational Risk Management) will update and replace existing requirements in CPS 231 and 232, and the equivalent superannuation standards. APRA expects CPS 230 to come into effect from 2024.